From a68ee04cfdeb39637a06764dcb924ac806dfdf95 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Wed, 16 May 2018 13:30:15 +0000
Subject: Verify bidi pos is within range before accessing

This CL verifies that the provided BidiPos is within the acceptable size for the vector before accessing.

Bug: chromium:843100
Change-Id: I2955a3ca628b19ee51dd4233726b859729c125af
Reviewed-on: https://pdfium-review.googlesource.com/32593
Reviewed-by: Henrique Nakashima
Commit-Queue: dsinclair
---
 core/fxcrt/cfx_char.h  | 6 +++---
 core/fxcrt/fx_bidi.cpp | 6 +++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/fxcrt/cfx_char.h b/core/fxcrt/cfx_char.h
index fb625ee038..268aa99c39 100644
--- a/core/fxcrt/cfx_char.h
+++ b/core/fxcrt/cfx_char.h
@@ -35,9 +35,9 @@ class CFX_Char {
   uint32_t m_dwCharStyles;
   int32_t m_iCharWidth;
   int16_t m_iBidiClass;
-  int16_t m_iBidiLevel;
-  int16_t m_iBidiPos;
-  int16_t m_iBidiOrder;
+  uint16_t m_iBidiLevel;
+  uint16_t m_iBidiPos;
+  uint16_t m_iBidiOrder;
   int32_t m_iFontSize;
   uint32_t m_dwIdentity;
   RetainPtr m_pUserData;
diff --git a/core/fxcrt/fx_bidi.cpp b/core/fxcrt/fx_bidi.cpp
index 7261d80af3..669fc5bd88 100644
--- a/core/fxcrt/fx_bidi.cpp
+++ b/core/fxcrt/fx_bidi.cpp
@@ -531,8 +531,12 @@ class CFX_BidiLine {
   }
 
   void Position(std::vector* chars, size_t iCount) {
-    for (size_t i = 0; i < iCount; ++i)
+    for (size_t i = 0; i < iCount; ++i) {
+      if ((*chars)[i].m_iBidiPos > iCount)
+        continue;
+
       (*chars)[(*chars)[i].m_iBidiPos].m_iBidiOrder = i;
+    }
   }
 };
 
-- 
cgit v1.2.3
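Review bot: Nothing in cfx_char.h says that m_iBidiPos is an index into the line's character vector, which is the invariant the new range check in fx_bidi.cpp's Position() depends on; a comment on the field such as `// Index into the line's chars; valid only when below the line's char count.` would keep that contract next to the data. Switching the three fields from int16_t to uint16_t also changes the meaning of any existing negative sentinel stored in them (it becomes a large positive value rather than something a `< 0` test catches); the hunk does not show the other writers of these fields, so that is worth confirming. CFX_Char's class body starts and ends outside this hunk.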
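Review bot: The new guard `if ((*chars)[i].m_iBidiPos > iCount)` is off by one: a value equal to iCount passes it, and `(*chars)[iCount]` is one past the last of the iCount elements this loop treats as populated, so the out-of-range write the commit sets out to prevent is still reachable; the condition should be `if ((*chars)[i].m_iBidiPos >= iCount)`. The check is made against iCount rather than `chars->size()`, which is only sound if every caller guarantees iCount <= chars->size(), something this hunk cannot show. Separately, `m_iBidiOrder = i` narrows a size_t into the now-uint16_t field, so an order above 65535 silently wraps; that predates the change, but a comment or a DCHECK on iCount would make the limit explicit. The CFX_BidiLine class body begins before this hunk, and the rendering appears to have dropped the template argument of `std::vector* chars`.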