summaryrefslogtreecommitdiff
path: root/xfa/fgas/layout/cfx_rtfbreak.cpp
diff options
context:
space:
mode:
authorHenrique Nakashima <hnakashima@chromium.org>2018-06-26 17:17:19 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-06-26 17:17:19 +0000
commite529390fd5b521e4c223343a4b367b0ced357ed5 (patch)
tree66a3807ac0f5af866515e6aa580ef642624e0c87 /xfa/fgas/layout/cfx_rtfbreak.cpp
parent0145b89ac060870dd70f3d2f41f318a68721a086 (diff)
downloadpdfium-e529390fd5b521e4c223343a4b367b0ced357ed5.tar.xz
Fix Integer-overflow in CFX_RTFBreak::AppendChar_Tab
Bug: chromium:844367 Change-Id: Id8185ea0219c03b4f8683362a3c2a45d481a5cfb Reviewed-on: https://pdfium-review.googlesource.com/36170 Reviewed-by: Ryan Harrison <rharrison@chromium.org> Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'xfa/fgas/layout/cfx_rtfbreak.cpp')
-rw-r--r--xfa/fgas/layout/cfx_rtfbreak.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp
index 700139160a..c478d98c72 100644
--- a/xfa/fgas/layout/cfx_rtfbreak.cpp
+++ b/xfa/fgas/layout/cfx_rtfbreak.cpp
@@ -153,10 +153,17 @@ void CFX_RTFBreak::AppendChar_Tab(CFX_Char* pCurChar) {
int32_t& iLineWidth = m_pCurLine->m_iWidth;
int32_t iCharWidth = iLineWidth;
- if (GetPositionedTab(&iCharWidth))
- iCharWidth -= iLineWidth;
- else
- iCharWidth = m_iTabWidth * (iLineWidth / m_iTabWidth + 1) - iLineWidth;
+ FX_SAFE_INT32 iSafeCharWidth;
+ if (GetPositionedTab(&iCharWidth)) {
+ iSafeCharWidth = iCharWidth;
+ } else {
+ // Tab width is >= 160000, so this part does not need to be checked.
+ iSafeCharWidth = iLineWidth / m_iTabWidth + 1;
+ iSafeCharWidth *= m_iTabWidth;
+ }
+ iSafeCharWidth -= iLineWidth;
+
+ iCharWidth = iSafeCharWidth.ValueOrDefault(0);
pCurChar->m_iCharWidth = iCharWidth;
iLineWidth += iCharWidth;