From e472622d33bdca2316a22ff5ff8d77ac975c2eb2 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Fri, 10 Mar 2017 15:46:49 -0500 Subject: Bound cbox from tricky faces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The cbox values are long. We should make sure they are not too big before putting them into FX_RECT, which holds integers. The bound is chosen to also avoid overflow when multiplying by 1000. BUG=chromium:699961 Change-Id: Ie4443848e0319348110f7215bd1c909ef19dad9f Reviewed-on: https://pdfium-review.googlesource.com/2956 Reviewed-by: Tom Sepez Commit-Queue: Nicolás Peña --- core/fpdfapi/font/cpdf_cidfont.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'core/fpdfapi/font')
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 6d01538f54..b0ae05c8c5 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -113,6 +113,10 @@ const struct CIDTransform { {8818, 0, 129, 127, 0, 19, 114}, {8819, 0, 129, 127, 0, 218, 108}, }; +// Boundary values to avoid integer overflow when multiplied by 1000. +const long kMinCBox = -2147483; +const long kMaxCBox = 2147483; + CPDF_FontGlobals* GetFontGlobals() { return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals(); }
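Review bot: The bounds `kMinCBox` / `kMaxCBox` are written as the bare literals ±2147483, and the comment above them gives only the multiply-by-1000 reason, not the narrowing into FX_RECT's int fields that the commit message names. Deriving them from the int range makes the relation visible and keeps it correct if the scale factor changes: `constexpr long kMaxCBox = std::numeric_limits<int>::max() / 1000;` and `constexpr long kMinCBox = -kMaxCBox;`. Tying the limit to int rather than long matters because long is 32 bits on some targets and 64 on others, while the destination is int either way. This would need `<limits>`; the file's include list is outside the hunk.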
@@ -440,11 +444,15 @@ FX_RECT CPDF_CIDFont::GetCharBBox(uint32_t charcode) { int err = FXFT_Load_Glyph(face, glyph_index, FXFT_LOAD_IGNORE_GLOBAL_ADVANCE_WIDTH); if (!err) { - FXFT_BBox cbox; FXFT_Glyph glyph; err = FXFT_Get_Glyph(((FXFT_Face)face)->glyph, &glyph); if (!err) { + FXFT_BBox cbox; FXFT_Glyph_Get_CBox(glyph, FXFT_GLYPH_BBOX_PIXELS, &cbox); + cbox.xMin = std::min(std::max(cbox.xMin, kMinCBox), kMaxCBox); + cbox.xMax = std::min(std::max(cbox.xMax, kMinCBox), kMaxCBox); + cbox.yMin = std::min(std::max(cbox.yMin, kMinCBox), kMaxCBox); + cbox.yMax = std::min(std::max(cbox.yMax, kMinCBox), kMaxCBox); int pixel_size_x = ((FXFT_Face)face)->size->metrics.x_ppem; int pixel_size_y = ((FXFT_Face)face)->size->metrics.y_ppem; if (pixel_size_x == 0 || pixel_size_y == 0) { -- cgit v1.2.3
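Review bot: The four clamp lines in GetCharBBox repeat the same nested `std::min(std::max(...))` and carry no comment saying why glyph metrics, presumably taken from a font supplied with the document, need bounding at this point. A file-local helper such as `long ClampCBox(long v) { return std::min(std::max(v, kMinCBox), kMaxCBox); }`, with a one-line comment that the box is long while FX_RECT stores int, would keep the four fields from drifting apart. The multiplication by 1000 that the bound is sized for lies past the end of this hunk, so it cannot be confirmed from here that every later use reads the clamped values. `std::min` and `std::max` need `<algorithm>`, and the include list is also outside the hunk. The diffstat shows only this file changed, so a regression test built from the input behind the referenced bug would be worth adding.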