From b8627c9d13884d48943d8a7a5381eaf0bb2c08d9 Mon Sep 17 00:00:00 2001
From: ochang
Date: Mon, 11 Apr 2016 13:47:41 -0700
Subject: Fix integer issues leading to out of bounds access in fx_ge_text.cpp.
- Using |-skew| to get positive index, which doesn't work when skew is INT_MIN
- Incorrect logic when determining when to use |-skew| as an index.
R=tsepez@chromium.org,weili@chromium.org
BUG=chromium:601362
Review URL: https://codereview.chromium.org/1875673004
---
 core/fxge/ge/fx_ge_text.cpp | 26 ++++++++++++++++++--------
 core/fxge/ge/fx_ge_text_embeddertest.cpp | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+), 8 deletions(-)
 create mode 100644 core/fxge/ge/fx_ge_text_embeddertest.cpp
(limited to 'core/fxge/ge')
diff --git a/core/fxge/ge/fx_ge_text.cpp b/core/fxge/ge/fx_ge_text.cpp
index 44ab9f7ab5..e074fa4f26 100644
--- a/core/fxge/ge/fx_ge_text.cpp
+++ b/core/fxge/ge/fx_ge_text.cpp
@@ -4,6 +4,8 @@
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
+#include
+
 #include "core/fxcodec/include/fx_codec.h"
 #include "core/fxge/ge/fx_text_int.h"
 #include "core/fxge/include/fx_freetype.h"
@@ -1567,10 +1569,14 @@ CFX_GlyphBitmap* CFX_FaceCache::RenderGlyph(CFX_Font* pFont,
 skew = pSubstFont->m_ItalicAngle;
 }
 if (skew) {
- // skew is nonpositive so -skew is used as the index.
- skew = -skew <= static_cast(ANGLESKEW_ARRAY_SIZE)
- ? -58
- : -g_AngleSkew[-skew];
+ // |skew| is nonpositive so |-skew| is used as the index. We need to make
+ // sure |skew| != INT_MIN since -INT_MIN is undefined.
+ if (skew <= 0 && skew != std::numeric_limits::min() &&
+ static_cast(-skew) < ANGLESKEW_ARRAY_SIZE) {
+ skew = -g_AngleSkew[-skew];
+ } else {
+ skew = -58;
+ }
 if (pFont->IsVertical())
 ft_matrix.yx += ft_matrix.yy * skew / 100;
 else
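Review bot: The bounds-checked lookup added here in RenderGlyph is repeated verbatim in the LoadGlyphPath hunk further down, and the old inverted comparison was likewise present in both places; a single file-local helper would keep the index check in one spot. Comparing against the negated table size, as in the sketch below, never negates `skew` before it is known to be in range, so the separate `INT_MIN` test is no longer needed (this assumes `ANGLESKEW_ARRAY_SIZE` fits in an `int`, which the hunk does not show). The comment still states that `skew` is nonpositive, yet the new `else` branch silently maps positive and out-of-table angles to -58; the helper's comment should spell out that fallback. Both function bodies start and end outside their hunks.

```cpp
// Converts a substitute font's italic angle into a skew value. Angles that
// are positive or lie beyond the end of g_AngleSkew fall back to -58.
static int SkewFromItalicAngle(int angle) {
  if (angle <= 0 && angle > -static_cast<int>(ANGLESKEW_ARRAY_SIZE))
    return -g_AngleSkew[-angle];
  return -58;
}

// … unchanged: RenderGlyph up to `if (skew) {` …
skew = SkewFromItalicAngle(skew);
// … unchanged: ft_matrix adjustment …
```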
@@ -1833,10 +1839,14 @@ CFX_PathData* CFX_Font::LoadGlyphPath(uint32_t glyph_index, int dest_width) {
 if (m_pSubstFont) {
 if (m_pSubstFont->m_ItalicAngle) {
 int skew = m_pSubstFont->m_ItalicAngle;
- // skew is nonpositive so -skew is used as the index.
- skew = -skew <= static_cast(ANGLESKEW_ARRAY_SIZE)
- ? -58
- : -g_AngleSkew[-skew];
+ // |skew| is nonpositive so |-skew| is used as the index. We need to make
+ // sure |skew| != INT_MIN since -INT_MIN is undefined.
+ if (skew <= 0 && skew != std::numeric_limits::min() &&
+ static_cast(-skew) < ANGLESKEW_ARRAY_SIZE) {
+ skew = -g_AngleSkew[-skew];
+ } else {
+ skew = -58;
+ }
 if (m_bVertical)
 ft_matrix.yx += ft_matrix.yy * skew / 100;
 else
diff --git a/core/fxge/ge/fx_ge_text_embeddertest.cpp b/core/fxge/ge/fx_ge_text_embeddertest.cpp
new file mode 100644
index 0000000000..045b6dc869
--- /dev/null
+++ b/core/fxge/ge/fx_ge_text_embeddertest.cpp
@@ -0,0 +1,18 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "testing/embedder_test.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+class FXGETextEmbedderTest : public EmbedderTest {};
+
+TEST_F(FXGETextEmbedderTest, BadItalic) {
+ // Shouldn't crash.
+ EXPECT_TRUE(OpenDocument("bug_601362.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ EXPECT_NE(nullptr, page);
+ FPDF_BITMAP bitmap = RenderPage(page);
+ FPDFBitmap_Destroy(bitmap);
+ UnloadPage(page);
+}
-- cgit v1.2.3
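Review bot: `EXPECT_TRUE(OpenDocument(...))` and `EXPECT_NE(nullptr, page)` in BadItalic are non-fatal, so if the document fails to open or the page fails to load, the test carries on and passes a null page to `RenderPage`, turning a missing resource into an unrelated failure. Use `ASSERT_TRUE(OpenDocument("bug_601362.pdf"));` and `ASSERT_NE(nullptr, page);` instead. The only expectation is "shouldn't crash", and an out-of-bounds read of a global table does not necessarily fault in a plain build, so this regression test is probably only meaningful under a memory sanitizer such as ASan; a comment saying so would help the next reader.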