authorLei Zhang <thestig@chromium.org>2018-08-20 17:51:49 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-20 17:51:49 +0000
commit79d8cfb7848c05bc34c2c0a10276c9919a9b4e96 (patch)
tree7ac28bf9807ed9a338e48f91186aa6b5bc177512 /xfa/fxfa
parentf01e4a5ec03c6b232d41dc878a3640924150f2a7 (diff)
downloadpdfium-79d8cfb7848c05bc34c2c0a10276c9919a9b4e96.tar.xz
Avoid an integer overflow in CFX_RTFBreak.
The root cause is an extremely large reserve count. Limit it to the size of the widget. BUG=chromium:875282 Change-Id: Ia3bbb07503ce349adc2662731d22317bda7df4ef Reviewed-on: https://pdfium-review.googlesource.com/40652 Reviewed-by: Ryan Harrison <rharrison@chromium.org> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'xfa/fxfa')
-rw-r--r--xfa/fxfa/cxfa_fffield.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/xfa/fxfa/cxfa_fffield.cpp b/xfa/fxfa/cxfa_fffield.cpp
index 7fba69973c..ff28e574e8 100644
--- a/xfa/fxfa/cxfa_fffield.cpp
+++ b/xfa/fxfa/cxfa_fffield.cpp
@@ -6,6 +6,8 @@
#include "xfa/fxfa/cxfa_fffield.h"
+#include <algorithm>
+
#include "xfa/fwl/cfwl_edit.h"
#include "xfa/fwl/cfwl_eventmouse.h"
#include "xfa/fwl/cfwl_messagekey.h"
@@ -195,6 +197,12 @@ void CXFA_FFField::CapPlacement() {
m_rtCaption.Reset();
} else {
fCapReserve = caption->GetReserve();
+ if (iCapPlacement == XFA_AttributeEnum::Top ||
+ iCapPlacement == XFA_AttributeEnum::Bottom) {
+ fCapReserve = std::min(fCapReserve, rtWidget.height);
+ } else {
+ fCapReserve = std::min(fCapReserve, rtWidget.width);
+ }
CXFA_ContentLayoutItem* pItem = this;
if (!pItem->GetPrev() && !pItem->GetNext()) {
m_rtCaption = rtWidget;
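Review bot: The clamp added after `caption->GetReserve()` bounds the reserve only from above, so a negative or NaN value from the document would still pass through. With `std::min(fCapReserve, rtWidget.height)` a NaN first argument is returned unchanged, and nothing visible here rejects a reserve below zero. If GetReserve() can return such values (it is not shown in this hunk), the same downstream float-to-int arithmetic the commit protects could still see an out-of-range input. Assuming both operands are float, consider `fCapReserve = std::max(0.0f, std::min(rtWidget.height, fCapReserve));` and the matching line for `rtWidget.width`; putting the widget dimension first makes a NaN reserve fall back to the widget size. A short comment such as `// Reserve comes from the document; bound it to the widget so layout math cannot overflow.` would also help. CapPlacement() starts and ends outside the hunk, so any earlier validation is not visible here.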