diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2018-04-30 20:01:33 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-30 20:01:33 +0000 |
commit | f213df4a87ede709db1f311bbad3c68fbccf159c (patch) | |
tree | a884f86c120d2778645d4a56ff70b96b8ef821eb /xfa/fgas | |
parent | 94161d59fd3c815e404fb3f027becf056516a5da (diff) | |
download | pdfium-f213df4a87ede709db1f311bbad3c68fbccf159c.tar.xz |
Fix Integer-overflow in CFX_TxtBreak::AppendChar_Others
Bug: chromium:838095
Change-Id: I6fbb67ad763800eb45fb3c84f909f74e238748e0
Reviewed-on: https://pdfium-review.googlesource.com/31750
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'xfa/fgas')
-rw-r--r-- | xfa/fgas/layout/cfx_txtbreak.cpp | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/xfa/fgas/layout/cfx_txtbreak.cpp b/xfa/fgas/layout/cfx_txtbreak.cpp index 3a2929d226..9859bc3b3e 100644 --- a/xfa/fgas/layout/cfx_txtbreak.cpp +++ b/xfa/fgas/layout/cfx_txtbreak.cpp @@ -175,7 +175,7 @@ CFX_BreakType CFX_TxtBreak::AppendChar_Arabic(CFX_Char* pCurChar) { CFX_BreakType CFX_TxtBreak::AppendChar_Others(CFX_Char* pCurChar) { FX_CHARTYPE chartype = pCurChar->GetCharType(); int32_t& iLineWidth = m_pCurLine->m_iWidth; - int32_t iCharWidth = 0; + FX_SAFE_INT32 iCharWidth = 0; m_eCharType = chartype; wchar_t wch = pCurChar->char_code(); wchar_t wForm = wch; @@ -183,16 +183,24 @@ CFX_BreakType CFX_TxtBreak::AppendChar_Others(CFX_Char* pCurChar) { if (m_bCombText) { iCharWidth = m_iCombWidth; } else { - if (!m_pFont->GetCharWidth(wForm, iCharWidth)) + int32_t iCharWidthOut; + if (m_pFont->GetCharWidth(wForm, iCharWidthOut)) + iCharWidth = iCharWidthOut; + else iCharWidth = m_iDefChar; iCharWidth *= m_iFontSize; - iCharWidth = iCharWidth * m_iHorizontalScale / 100; + iCharWidth *= m_iHorizontalScale; + iCharWidth /= 100; } iCharWidth += m_iCharSpace; - pCurChar->m_iCharWidth = iCharWidth; - iLineWidth += iCharWidth; + if (!iCharWidth.IsValid()) + return CFX_BreakType::None; + + int32_t iCharWidthValid = iCharWidth.ValueOrDie(); + pCurChar->m_iCharWidth = iCharWidthValid; + iLineWidth += iCharWidthValid; if (!m_bSingleLine && chartype != FX_CHARTYPE_Space && iLineWidth > m_iLineWidth + m_iTolerance) { return EndBreak(CFX_BreakType::Line); |