From a112f85f6c11b171286ec54fca5e0dcf18f9be63 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Wed, 11 Oct 2017 14:54:11 -0400
Subject: Add more checks to fseeks in CFX_FolderFontInfo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: chromium:770890
Change-Id: Iee532d76aabc0763a835c203344455ba07c6e82c
Reviewed-on: https://pdfium-review.googlesource.com/15930
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
---
 core/fxge/cfx_folderfontinfo.cpp | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/core/fxge/cfx_folderfontinfo.cpp b/core/fxge/cfx_folderfontinfo.cpp
index 1ee9ea729a..6b564f80c6 100644
--- a/core/fxge/cfx_folderfontinfo.cpp
+++ b/core/fxge/cfx_folderfontinfo.cpp
@@ -54,13 +54,17 @@ ByteString FPDF_ReadStringFromFile(FILE* pFile, uint32_t size) {
 ByteString FPDF_LoadTableFromTT(FILE* pFile,
                                 const uint8_t* pTables,
                                 uint32_t nTables,
-                                uint32_t tag) {
+                                uint32_t tag,
+                                uint32_t fileSize) {
   for (uint32_t i = 0; i < nTables; i++) {
     const uint8_t* p = pTables + i * 16;
     if (GET_TT_LONG(p) == tag) {
       uint32_t offset = GET_TT_LONG(p + 8);
       uint32_t size = GET_TT_LONG(p + 12);
-      fseek(pFile, offset, SEEK_SET);
+      if (offset > std::numeric_limits<uint32_t>::max() - size ||
+          offset + size > fileSize || fseek(pFile, offset, SEEK_SET) < 0) {
+        return ByteString();
+      }
       return FPDF_ReadStringFromFile(pFile, size);
     }
   }
@@ -199,9 +203,8 @@ void CFX_FolderFontInfo::ReportFace(const ByteString& path,
                                     FILE* pFile,
                                     uint32_t filesize,
                                     uint32_t offset) {
-  fseek(pFile, offset, SEEK_SET);
   char buffer[16];
-  if (!fread(buffer, 12, 1, pFile))
+  if (fseek(pFile, offset, SEEK_SET) < 0 || !fread(buffer, 12, 1, pFile))
     return;
 
   uint32_t nTables = GET_TT_SHORT(buffer + 4);
@@ -209,8 +212,8 @@ void CFX_FolderFontInfo::ReportFace(const ByteString& path,
   if (tables.IsEmpty())
     return;
 
-  ByteString names =
-      FPDF_LoadTableFromTT(pFile, tables.raw_str(), nTables, 0x6e616d65);
+  ByteString names = FPDF_LoadTableFromTT(pFile, tables.raw_str(), nTables,
+                                          0x6e616d65, filesize);
   if (names.IsEmpty())
     return;
 
@@ -227,8 +230,8 @@ void CFX_FolderFontInfo::ReportFace(const ByteString& path,
 
   auto pInfo = pdfium::MakeUnique<FontFaceInfo>(path, facename, tables, offset,
                                                 filesize);
-  ByteString os2 =
-      FPDF_LoadTableFromTT(pFile, tables.raw_str(), nTables, 0x4f532f32);
+  ByteString os2 = FPDF_LoadTableFromTT(pFile, tables.raw_str(), nTables,
+                                        0x4f532f32, filesize);
   if (os2.GetLength() >= 86) {
     const uint8_t* p = os2.raw_str() + 78;
     uint32_t codepages = GET_TT_LONG(p);
-- 
cgit v1.2.3