From c524fc91aa42a8e34b4daf9a67fa283e25f48560 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Thu, 17 May 2018 19:19:03 +0000
Subject: More overflow checks in bidi code

There are several more places where the width is added to a characters
valid width in the bidi code. This CL changes all occurances to used a
check numeric.

Bug: chromium:844046
Change-Id: Idd8be3a4a576af626b5afa6f7cd04cc160b929d5
Reviewed-on: https://pdfium-review.googlesource.com/32714
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
---
 xfa/fgas/layout/cfx_rtfbreak.cpp | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp
index f7369bd11a..11a5c56828 100644
--- a/xfa/fgas/layout/cfx_rtfbreak.cpp
+++ b/xfa/fgas/layout/cfx_rtfbreak.cpp
@@ -137,8 +137,14 @@ void CFX_RTFBreak::AppendChar_Combination(CFX_Char* pCurChar) {
 
   int32_t iCharWidthValid = iCharWidth.ValueOrDefault(0);
   pCurChar->m_iCharWidth = iCharWidthValid;
-  if (iCharWidthValid > 0)
-    m_pCurLine->m_iWidth += iCharWidthValid;
+  if (iCharWidthValid > 0) {
+    pdfium::base::CheckedNumeric<int32_t> checked_width = m_pCurLine->m_iWidth;
+    checked_width += iCharWidthValid;
+    if (!checked_width.IsValid())
+      return;
+
+    m_pCurLine->m_iWidth = checked_width.ValueOrDie();
+  }
 }
 
 void CFX_RTFBreak::AppendChar_Tab(CFX_Char* pCurChar) {
@@ -208,7 +214,14 @@ CFX_BreakType CFX_RTFBreak::AppendChar_Arabic(CFX_Char* pCurChar) {
 
       int iCharWidthValid = iCharWidth.ValueOrDefault(0);
       pLastChar->m_iCharWidth = iCharWidthValid;
-      m_pCurLine->m_iWidth += iCharWidthValid;
+
+      pdfium::base::CheckedNumeric<int32_t> checked_width =
+          m_pCurLine->m_iWidth;
+      checked_width += iCharWidthValid;
+      if (!checked_width.IsValid())
+        return CFX_BreakType::None;
+
+      m_pCurLine->m_iWidth = checked_width.ValueOrDie();
       iCharWidth = 0;
     }
   }
@@ -230,7 +243,13 @@ CFX_BreakType CFX_RTFBreak::AppendChar_Arabic(CFX_Char* pCurChar) {
 
   int iCharWidthValid = iCharWidth.ValueOrDefault(0);
   pCurChar->m_iCharWidth = iCharWidthValid;
-  m_pCurLine->m_iWidth += iCharWidthValid;
+
+  pdfium::base::CheckedNumeric<int32_t> checked_width = m_pCurLine->m_iWidth;
+  checked_width += iCharWidthValid;
+  if (!checked_width.IsValid())
+    return CFX_BreakType::None;
+
+  m_pCurLine->m_iWidth = checked_width.ValueOrDie();
   m_pCurLine->m_iArabicChars++;
 
   if (m_pCurLine->GetLineEnd() > m_iLineWidth + m_iTolerance)
-- 
cgit v1.2.3