From c524fc91aa42a8e34b4daf9a67fa283e25f48560 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Thu, 17 May 2018 19:19:03 +0000
Subject: More overflow checks in bidi code

There are several more places where the width is added to a characters valid width in the bidi code. This CL changes all occurances to used a check numeric.

Bug: chromium:844046
Change-Id: Idd8be3a4a576af626b5afa6f7cd04cc160b929d5
Reviewed-on: https://pdfium-review.googlesource.com/32714
Reviewed-by: Henrique Nakashima
Commit-Queue: dsinclair
---
 xfa/fgas/layout/cfx_rtfbreak.cpp | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp
index f7369bd11a..11a5c56828 100644
--- a/xfa/fgas/layout/cfx_rtfbreak.cpp
+++ b/xfa/fgas/layout/cfx_rtfbreak.cpp
@@ -137,8 +137,14 @@ void CFX_RTFBreak::AppendChar_Combination(CFX_Char* pCurChar) {
 int32_t iCharWidthValid = iCharWidth.ValueOrDefault(0);
 pCurChar->m_iCharWidth = iCharWidthValid;
- if (iCharWidthValid > 0)
- m_pCurLine->m_iWidth += iCharWidthValid;
+ if (iCharWidthValid > 0) {
+ pdfium::base::CheckedNumeric checked_width = m_pCurLine->m_iWidth;
+ checked_width += iCharWidthValid;
+ if (!checked_width.IsValid())
+ return;
+
+ m_pCurLine->m_iWidth = checked_width.ValueOrDie();
+ }
 }
 void CFX_RTFBreak::AppendChar_Tab(CFX_Char* pCurChar) {
@@ -208,7 +214,14 @@ CFX_BreakType CFX_RTFBreak::AppendChar_Arabic(CFX_Char* pCurChar) {
 int iCharWidthValid = iCharWidth.ValueOrDefault(0);
 pLastChar->m_iCharWidth = iCharWidthValid;
- m_pCurLine->m_iWidth += iCharWidthValid;
+
+ pdfium::base::CheckedNumeric checked_width =
+ m_pCurLine->m_iWidth;
+ checked_width += iCharWidthValid;
+ if (!checked_width.IsValid())
+ return CFX_BreakType::None;
+
+ m_pCurLine->m_iWidth = checked_width.ValueOrDie();
 iCharWidth = 0;
 }
 }
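Review bot: In AppendChar_Combination the new overflow path returns after `pCurChar->m_iCharWidth = iCharWidthValid;` has already run, so the character keeps a width that the line total never absorbed, and because the function is void the caller gets no signal that the layout state is now inconsistent. Both AppendChar_Arabic hunks have the same ordering, with `pLastChar->m_iCharWidth` and `pCurChar->m_iCharWidth` assigned before the check. Consider doing the checked addition before the assignment, or clearing the width on the failure path, for example `if (!checked_width.IsValid()) { pCurChar->m_iCharWidth = 0; return; }`. The function body starts above the hunk, so whether earlier state also needs unwinding cannot be judged from here.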
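Review bot: The `return CFX_BreakType::None;` added in the pLastChar branch of AppendChar_Arabic leaves the function before the later block (visible in the next hunk) that assigns `pCurChar->m_iCharWidth` and increments `m_iArabicChars`, so an overflow caused by the previous character's width leaves the current character unmeasured. `None` also looks like the ordinary no-break result, which would make the failure invisible to the caller; that should be confirmed against the call site, which is outside this hunk. At minimum, add a comment above the check such as `// Line width would overflow: abandon this char; pCurChar is left unmeasured.` so the truncated path is documented as deliberate.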
@@ -230,7 +243,13 @@ CFX_BreakType CFX_RTFBreak::AppendChar_Arabic(CFX_Char* pCurChar) {
 int iCharWidthValid = iCharWidth.ValueOrDefault(0);
 pCurChar->m_iCharWidth = iCharWidthValid;
- m_pCurLine->m_iWidth += iCharWidthValid;
+
+ pdfium::base::CheckedNumeric checked_width = m_pCurLine->m_iWidth;
+ checked_width += iCharWidthValid;
+ if (!checked_width.IsValid())
+ return CFX_BreakType::None;
+
+ m_pCurLine->m_iWidth = checked_width.ValueOrDie();
 m_pCurLine->m_iArabicChars++;
 if (m_pCurLine->GetLineEnd() > m_iLineWidth + m_iTolerance)
-- 
cgit v1.2.3
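Review bot: Directly below the new check, `m_pCurLine->GetLineEnd() > m_iLineWidth + m_iTolerance` still adds two integers without a checked numeric, and GetLineEnd() (defined outside this hunk) presumably sums the line start with the width that was just validated. If either operand can be driven by document content, this comparison is the next place a signed overflow could occur, so the guarded width alone does not make the line-end test safe. I would either route the right-hand side through the same checked type or add a comment stating why `m_iLineWidth + m_iTolerance` is bounded. The `if` statement continues past the end of the hunk, so its body is not visible here.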