From 79d8cfb7848c05bc34c2c0a10276c9919a9b4e96 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 20 Aug 2018 17:51:49 +0000
Subject: Avoid an integer overflow in CFX_RTFBreak.

The root cause is an extremely large reserve count. Limit it to the size of the widget.

BUG=chromium:875282
Change-Id: Ia3bbb07503ce349adc2662731d22317bda7df4ef
Reviewed-on: https://pdfium-review.googlesource.com/40652
Reviewed-by: Ryan Harrison
Reviewed-by: Henrique Nakashima
Commit-Queue: Henrique Nakashima
Commit-Queue: Lei Zhang
---
 xfa/fxfa/cxfa_fffield.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/xfa/fxfa/cxfa_fffield.cpp b/xfa/fxfa/cxfa_fffield.cpp
index 7fba69973c..ff28e574e8 100644
--- a/xfa/fxfa/cxfa_fffield.cpp
+++ b/xfa/fxfa/cxfa_fffield.cpp
@@ -6,6 +6,8 @@
 #include "xfa/fxfa/cxfa_fffield.h"
+#include
+
 #include "xfa/fwl/cfwl_edit.h"
 #include "xfa/fwl/cfwl_eventmouse.h"
 #include "xfa/fwl/cfwl_messagekey.h"
@@ -195,6 +197,12 @@ void CXFA_FFField::CapPlacement() {
 m_rtCaption.Reset();
 } else {
 fCapReserve = caption->GetReserve();
+ if (iCapPlacement == XFA_AttributeEnum::Top ||
+ iCapPlacement == XFA_AttributeEnum::Bottom) {
+ fCapReserve = std::min(fCapReserve, rtWidget.height);
+ } else {
+ fCapReserve = std::min(fCapReserve, rtWidget.width);
+ }
 CXFA_ContentLayoutItem* pItem = this;
 if (!pItem->GetPrev() && !pItem->GetNext()) {
 m_rtCaption = rtWidget;
-- 
cgit v1.2.3
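Review bot: The clamp added after `caption->GetReserve()` in the second hunk bounds the reserve only from above, so a negative value would still reach the caption layout that follows, and so would a NaN, because `std::min(fCapReserve, rtWidget.height)` returns its first argument whenever the comparison is false. Whether `GetReserve()` can return such values for a malformed form is not visible here; if it can, bound both sides, e.g. `fCapReserve = std::max(0.0f, std::min(fCapReserve, rtWidget.height));` (assuming these are floats) with the same for the width branch, and treat a non-finite reserve as zero before clamping. The commit message places the overflow in CFX_RTFBreak, so a guard there would presumably also cover any other caller that passes an oversized value. The diffstat shows one file changed and no regression test for the triggering input. `CapPlacement()` starts and ends outside the hunk.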