From 20c94774cc7efb3d90d3181539714f43fdcf01d2 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Mon, 19 Mar 2018 17:44:55 +0000
Subject: Avoid crashing in FPDFText_CountRects() for negative count values.

Treat values less than -1 as -1.

BUG=chromium:821305

Change-Id: Ieaced045473fa51097400e5af1286f0d3f4d0143
Reviewed-on: https://pdfium-review.googlesource.com/28732
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 core/fpdftext/cpdf_textpage.cpp | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

(limited to 'core/fpdftext/cpdf_textpage.cpp')

diff --git a/core/fpdftext/cpdf_textpage.cpp b/core/fpdftext/cpdf_textpage.cpp
index e712549ceb..7315754919 100644
--- a/core/fpdftext/cpdf_textpage.cpp
+++ b/core/fpdftext/cpdf_textpage.cpp
@@ -237,15 +237,14 @@ int CPDF_TextPage::TextIndexFromCharIndex(int CharIndex) const {
 
 std::vector<CFX_FloatRect> CPDF_TextPage::GetRectArray(int start,
                                                        int nCount) const {
+  std::vector<CFX_FloatRect> rects;
   if (start < 0 || nCount == 0 || !m_bIsParsed)
-    return std::vector<CFX_FloatRect>();
+    return rects;
 
-  if (nCount + start > pdfium::CollectionSize<int>(m_CharList) ||
-      nCount == -1) {
-    nCount = pdfium::CollectionSize<int>(m_CharList) - start;
-  }
+  const int nCharListSize = CountChars();
+  if (nCount < 0 || start + nCount > nCharListSize)
+    nCount = nCharListSize - start;
 
-  std::vector<CFX_FloatRect> rectArray;
   CPDF_TextObject* pCurObj = nullptr;
   CFX_FloatRect rect;
   int curPos = start;
@@ -261,7 +260,7 @@ std::vector<CFX_FloatRect> CPDF_TextPage::GetRectArray(int start,
     if (!pCurObj)
       pCurObj = info_curchar.m_pTextObj.Get();
     if (pCurObj != info_curchar.m_pTextObj) {
-      rectArray.push_back(rect);
+      rects.push_back(rect);
       pCurObj = info_curchar.m_pTextObj.Get();
       bFlagNewRect = true;
     }
@@ -304,8 +303,8 @@ std::vector<CFX_FloatRect> CPDF_TextPage::GetRectArray(int start,
       rect.bottom = std::min(rect.bottom, info_curchar.m_CharBox.bottom);
     }
   }
-  rectArray.push_back(rect);
-  return rectArray;
+  rects.push_back(rect);
+  return rects;
 }
 
 int CPDF_TextPage::GetIndexAtPos(const CFX_PointF& point,
-- 
cgit v1.2.3