From e529390fd5b521e4c223343a4b367b0ced357ed5 Mon Sep 17 00:00:00 2001
From: Henrique Nakashima
Date: Tue, 26 Jun 2018 17:17:19 +0000
Subject: Fix Integer-overflow in CFX_RTFBreak::AppendChar_Tab
Bug: chromium:844367
Change-Id: Id8185ea0219c03b4f8683362a3c2a45d481a5cfb
Reviewed-on: https://pdfium-review.googlesource.com/36170
Reviewed-by: Ryan Harrison
Commit-Queue: Henrique Nakashima
---
 xfa/fgas/layout/cfx_rtfbreak.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp
index 700139160a..c478d98c72 100644
--- a/xfa/fgas/layout/cfx_rtfbreak.cpp
+++ b/xfa/fgas/layout/cfx_rtfbreak.cpp
@@ -153,10 +153,17 @@ void CFX_RTFBreak::AppendChar_Tab(CFX_Char* pCurChar) {
 int32_t& iLineWidth = m_pCurLine->m_iWidth;
 int32_t iCharWidth = iLineWidth;
- if (GetPositionedTab(&iCharWidth))
- iCharWidth -= iLineWidth;
- else
- iCharWidth = m_iTabWidth * (iLineWidth / m_iTabWidth + 1) - iLineWidth;
+ FX_SAFE_INT32 iSafeCharWidth;
+ if (GetPositionedTab(&iCharWidth)) {
+ iSafeCharWidth = iCharWidth;
+ } else {
+ // Tab width is >= 160000, so this part does not need to be checked.
+ iSafeCharWidth = iLineWidth / m_iTabWidth + 1;
+ iSafeCharWidth *= m_iTabWidth;
+ }
+ iSafeCharWidth -= iLineWidth;
+
+ iCharWidth = iSafeCharWidth.ValueOrDefault(0);
 pCurChar->m_iCharWidth = iCharWidth;
 iLineWidth += iCharWidth;
--
cgit v1.2.3
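Review bot: In the `else` branch, `iLineWidth / m_iTabWidth + 1` is still evaluated in plain `int32_t` before it is stored in `iSafeCharWidth`, so its safety rests entirely on the comment's claim that the tab width is at least 160000, an invariant that is enforced somewhere outside this hunk. If that lower bound were ever relaxed, the division could see a zero divisor and the overflow protection would quietly be lost again. Doing the whole computation in the checked type removes that dependency, for example `iSafeCharWidth = iLineWidth;`, `iSafeCharWidth /= m_iTabWidth;`, `iSafeCharWidth += 1;` (assuming FX_SAFE_INT32 supports checked division, as checked-numeric types normally do); failing that, a debug assertion of the bound next to the comment would at least make the assumption testable. The fallback at `ValueOrDefault(0)` also deserves a comment saying that an overflowed width deliberately becomes a zero-width tab, e.g. `// On overflow, give the tab zero width so the line width is left unchanged.` The function's opening lines and closing brace lie outside the hunk.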