From b83d870b007f25b18e6b7a4ce2a417420d4dcb89 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Fri, 9 Jun 2017 17:55:51 -0400
Subject: Fix types for FT_ULong chars in fpdfedittext
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

FXFT_Get_First(Next)_Char can return large unsigned values. This CL avoids
integer overflow and adds some missing checks regarding the ranges of the
values returned by those methods.

Bug: chromium:727086
Change-Id: Ice7bbb3759e384b7174680a82a2a9380c3611382
Reviewed-on: https://pdfium-review.googlesource.com/6436
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
---
 fpdfsdk/fpdfedittext.cpp | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/fpdfsdk/fpdfedittext.cpp b/fpdfsdk/fpdfedittext.cpp
index 3deae7ea20..1c3b22d7f3 100644
--- a/fpdfsdk/fpdfedittext.cpp
+++ b/fpdfsdk/fpdfedittext.cpp
@@ -231,6 +231,8 @@ CPDF_Stream* LoadUnicode(CPDF_Document* pDoc,
                                         std::move(pDict));
 }
 
+const uint32_t kMaxSimpleFontChar = 0xFF;
+
 void* LoadSimpleFont(CPDF_Document* pDoc,
                      std::unique_ptr<CFX_Font> pFont,
                      const uint8_t* data,
@@ -246,21 +248,23 @@ void* LoadSimpleFont(CPDF_Document* pDoc,
   fontDict->SetNewFor<CPDF_Name>("BaseFont", name);
 
   uint32_t glyphIndex;
-  int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
-  fontDict->SetNewFor<CPDF_Number>("FirstChar", currentChar);
+  uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
+  if (currentChar > kMaxSimpleFontChar || glyphIndex == 0)
+    return nullptr;
+  fontDict->SetNewFor<CPDF_Number>("FirstChar", static_cast<int>(currentChar));
   CPDF_Array* widthsArray = pDoc->NewIndirect<CPDF_Array>();
   while (true) {
     widthsArray->AddNew<CPDF_Number>(pFont->GetGlyphWidth(glyphIndex));
-    int nextChar =
+    uint32_t nextChar =
         FXFT_Get_Next_Char(pFont->GetFace(), currentChar, &glyphIndex);
     // Simple fonts have 1-byte charcodes only.
-    if (nextChar > 0xff || glyphIndex == 0)
+    if (nextChar > kMaxSimpleFontChar || glyphIndex == 0)
       break;
-    for (int i = currentChar + 1; i < nextChar; i++)
+    for (uint32_t i = currentChar + 1; i < nextChar; i++)
       widthsArray->AddNew<CPDF_Number>(0);
     currentChar = nextChar;
   }
-  fontDict->SetNewFor<CPDF_Number>("LastChar", currentChar);
+  fontDict->SetNewFor<CPDF_Number>("LastChar", static_cast<int>(currentChar));
   fontDict->SetNewFor<CPDF_Reference>("Widths", pDoc, widthsArray->GetObjNum());
   CPDF_Dictionary* fontDesc =
       LoadFontDesc(pDoc, name, pFont.get(), data, size, font_type);
@@ -270,6 +274,8 @@ void* LoadSimpleFont(CPDF_Document* pDoc,
   return pDoc->LoadFont(fontDict);
 }
 
+const uint32_t kMaxUnicode = 0x10FFFF;
+
 void* LoadCompositeFont(CPDF_Document* pDoc,
                         std::unique_ptr<CFX_Font> pFont,
                         const uint8_t* data,
@@ -309,15 +315,15 @@ void* LoadCompositeFont(CPDF_Document* pDoc,
                                       fontDesc->GetObjNum());
 
   uint32_t glyphIndex;
-  int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
+  uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
   // If it doesn't have a single char, just fail
-  if (glyphIndex == 0)
+  if (glyphIndex == 0 || currentChar > kMaxUnicode)
     return nullptr;
 
   std::map<uint32_t, uint32_t> to_unicode;
   std::map<uint32_t, uint32_t> widths;
   while (true) {
-    if (currentChar > 0x10FFFF)
+    if (currentChar > kMaxUnicode)
       break;
 
     widths[glyphIndex] = pFont->GetGlyphWidth(glyphIndex);
-- 
cgit v1.2.3