diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2018-06-26 17:17:19 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-06-26 17:17:19 +0000 |
commit | e529390fd5b521e4c223343a4b367b0ced357ed5 (patch) | |
tree | 66a3807ac0f5af866515e6aa580ef642624e0c87 /xfa/fgas/layout/cfx_rtfbreak.cpp | |
parent | 0145b89ac060870dd70f3d2f41f318a68721a086 (diff) | |
download | pdfium-e529390fd5b521e4c223343a4b367b0ced357ed5.tar.xz |
Fix Integer-overflow in CFX_RTFBreak::AppendChar_Tab
Bug: chromium:844367
Change-Id: Id8185ea0219c03b4f8683362a3c2a45d481a5cfb
Reviewed-on: https://pdfium-review.googlesource.com/36170
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'xfa/fgas/layout/cfx_rtfbreak.cpp')
-rw-r--r-- | xfa/fgas/layout/cfx_rtfbreak.cpp | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp index 700139160a..c478d98c72 100644 --- a/xfa/fgas/layout/cfx_rtfbreak.cpp +++ b/xfa/fgas/layout/cfx_rtfbreak.cpp @@ -153,10 +153,17 @@ void CFX_RTFBreak::AppendChar_Tab(CFX_Char* pCurChar) { int32_t& iLineWidth = m_pCurLine->m_iWidth; int32_t iCharWidth = iLineWidth; - if (GetPositionedTab(&iCharWidth)) - iCharWidth -= iLineWidth; - else - iCharWidth = m_iTabWidth * (iLineWidth / m_iTabWidth + 1) - iLineWidth; + FX_SAFE_INT32 iSafeCharWidth; + if (GetPositionedTab(&iCharWidth)) { + iSafeCharWidth = iCharWidth; + } else { + // Tab width is >= 160000, so this part does not need to be checked. + iSafeCharWidth = iLineWidth / m_iTabWidth + 1; + iSafeCharWidth *= m_iTabWidth; + } + iSafeCharWidth -= iLineWidth; + + iCharWidth = iSafeCharWidth.ValueOrDefault(0); pCurChar->m_iCharWidth = iCharWidth; iLineWidth += iCharWidth; |