From c83c28092f67f352cbd690138151b253dfdf547b Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Tue, 14 Mar 2017 15:35:35 -0400
Subject: Prevent integer overflow in CPDF_CIDFONT::LoadMetricsArray
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The CIDs are unsigned integers. Avoid overflow since they are given as input from the PDF file.
BUG=chromium:700787
Change-Id: Icdc3efbbd0f4f2ad8d5b4f4f52926e20f7e06391
Reviewed-on: https://pdfium-review.googlesource.com/3052
Reviewed-by: Tom Sepez
Commit-Queue: Nicolás Peña
---
 core/fpdfapi/font/cpdf_cidfont.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 7d14a9ea0a..4c378f7598 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -7,6 +7,7 @@
 #include "core/fpdfapi/font/cpdf_cidfont.h"
 #include
+#include
 #include
 #include "core/fpdfapi/cmaps/cmap_int.h"
@@ -781,8 +782,8 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
 int nElements) {
 int width_status = 0;
 int iCurElement = 0;
- int first_code = 0;
- int last_code = 0;
+ uint32_t first_code = 0;
+ uint32_t last_code = 0;
 for (size_t i = 0; i < pArray->GetCount(); i++) {
 CPDF_Object* pObj = pArray->GetDirectObjectAt(i);
 if (!pObj)
@@ -791,6 +792,11 @@ void CPDF_CIDFont::LoadMetricsArray(CPDF_Array* pArray,
 if (CPDF_Array* pObjArray = pObj->AsArray()) {
 if (width_status != 1)
 return;
+ if (first_code >
+ std::numeric_limits::max() - pObjArray->GetCount()) {
+ width_status = 0;
+ continue;
+ }
 for (size_t j = 0; j < pObjArray->GetCount(); j += nElements) {
 result->push_back(first_code);
--
cgit v1.2.3
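Review bot: The guard added before the `for` loop in the last hunk reserves `pObjArray->GetCount()` of headroom below the uint32_t maximum, but the loop advances `j` by `nElements` per iteration and pushes one CID per iteration, so it consumes only about `GetCount() / nElements` CIDs; the check is safe but rejects some well-formed sub-arrays near the top of the CID range, and that deserves a comment such as `// Conservative: reserves GetCount() CIDs though the loop emits one per nElements entries.` The recovery also differs from the `return` two lines above (`width_status = 0; continue;` drops this sub-array and keeps parsing the rest of the W array), which a reader may take for an oversight, so a one-line comment stating that only the unrepresentable range is meant to be skipped would help. With `first_code` now unsigned (second hunk), any negative value assigned to it elsewhere in the function would wrap to a large value and be caught by this guard instead of producing a negative CID; if that is relied upon, it is worth saying so at the assignment site. LoadMetricsArray begins and ends outside these hunks, so where `first_code` is assigned and incremented is not visible here.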