From 1c4b767e822a7537f2c6c19b42dddce840e033ee Mon Sep 17 00:00:00 2001
From: npm <npm@chromium.org>
Date: Tue, 4 Oct 2016 13:00:37 -0700
Subject: Avoid crashing on CPDF_ToUnicodeMap::Load by using ValueOrDefault()

- Added private method to avoid duplicated code.
- If the unicode calculation overflows, 0 is used instead of crashing.

Review-Url: https://codereview.chromium.org/2392103002
---
 core/fpdfapi/font/font_int.h    |  2 ++
 core/fpdfapi/font/fpdf_font.cpp | 21 +++++++++------------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/core/fpdfapi/font/font_int.h b/core/fpdfapi/font/font_int.h
index 10c2dcada4..02131eb67c 100644
--- a/core/fpdfapi/font/font_int.h
+++ b/core/fpdfapi/font/font_int.h
@@ -196,6 +196,8 @@ class CPDF_ToUnicodeMap {
   static uint32_t StringToCode(const CFX_ByteStringC& str);
   static CFX_WideString StringToWideString(const CFX_ByteStringC& str);
 
+  uint32_t GetUnicode();
+
   std::map<uint32_t, uint32_t> m_Map;
   CPDF_CID2UnicodeMap* m_pBaseMap;
   CFX_WideTextBuf m_MultiCharBuf;
diff --git a/core/fpdfapi/font/fpdf_font.cpp b/core/fpdfapi/font/fpdf_font.cpp
index 1273ff5f6d..056204ad7e 100644
--- a/core/fpdfapi/font/fpdf_font.cpp
+++ b/core/fpdfapi/font/fpdf_font.cpp
@@ -199,6 +199,12 @@ CPDF_ToUnicodeMap::CPDF_ToUnicodeMap() : m_pBaseMap(nullptr) {}
 
 CPDF_ToUnicodeMap::~CPDF_ToUnicodeMap() {}
 
+uint32_t CPDF_ToUnicodeMap::GetUnicode() {
+  FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength();
+  uni = uni * 0x10000 + 0xffff;
+  return uni.ValueOrDefault(0);
+}
+
 void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) {
   CIDSet cid_set = CIDSET_UNKNOWN;
   CPDF_StreamAcc stream;
@@ -225,10 +231,7 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) {
         if (len == 1) {
           m_Map[srccode] = destcode.GetAt(0);
         } else {
-          FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength();
-          uni *= 0x10000;
-          uni += 0xffff;
-          m_Map[srccode] = uni.ValueOrDie();
+          m_Map[srccode] = GetUnicode();
           m_MultiCharBuf.AppendChar(destcode.GetLength());
           m_MultiCharBuf << destcode;
         }
@@ -259,10 +262,7 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) {
             if (len == 1) {
               m_Map[code] = destcode.GetAt(0);
             } else {
-              FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength();
-              uni *= 0x10000;
-              uni += 0xffff;
-              m_Map[code] = uni.ValueOrDie();
+              m_Map[code] = GetUnicode();
               m_MultiCharBuf.AppendChar(destcode.GetLength());
               m_MultiCharBuf << destcode;
             }
@@ -285,10 +285,7 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) {
               } else {
                 retcode = StringDataAdd(destcode);
               }
-              FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength();
-              uni *= 0x10000;
-              uni += 0xffff;
-              m_Map[code] = uni.ValueOrDie();
+              m_Map[code] = GetUnicode();
               m_MultiCharBuf.AppendChar(retcode.GetLength());
               m_MultiCharBuf << retcode;
               destcode = retcode;
-- 
cgit v1.2.3