From 0cdb8434d6113eb84a68b6e3505eb73934ef17ce Mon Sep 17 00:00:00 2001
From: Ryan Harrison
Date: Tue, 6 Feb 2018 21:45:44 +0000
Subject: Use temporary iterator to avoid potential OOB
In the existing code pCharPos is manipulated directly without being reset. This means that for the second iteration it is at the end of the range instead of the start. This CL introduces temporary iterators that are intialized to the value of pCharPos and then manipulated to avoid this issue and having to reset pCharPos.
BUG=chromium:648177
Change-Id: I5c9344c1b67a015b01470a0dc337361552ffd447
Reviewed-on: https://pdfium-review.googlesource.com/25750
Commit-Queue: Ryan Harrison
Reviewed-by: Henrique Nakashima
---
 xfa/fde/cfde_textout.cpp | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'xfa/fde/cfde_textout.cpp')
diff --git a/xfa/fde/cfde_textout.cpp b/xfa/fde/cfde_textout.cpp
index 19e7ae6934..ab5f9c0f85 100644
--- a/xfa/fde/cfde_textout.cpp
+++ b/xfa/fde/cfde_textout.cpp
@@ -44,12 +44,13 @@ bool CFDE_TextOut::DrawString(CFX_RenderDevice* device,
 CFX_Font* pFxFont = pFont->GetDevFont();
 if (FontStyleIsItalic(pFont->GetFontStyles()) && !pFxFont->IsItalic()) {
+ FXTEXT_CHARPOS* pCharPosIter = pCharPos;
 for (int32_t i = 0; i < iCount; ++i) {
 static const float mc = 0.267949f;
- float* pAM = pCharPos->m_AdjustMatrix;
+ float* pAM = pCharPosIter->m_AdjustMatrix;
 pAM[2] = mc * pAM[0] + pAM[2];
 pAM[3] = mc * pAM[1] + pAM[3];
- ++pCharPos;
+ ++pCharPosIter;
 }
 }
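Review bot: The italic loop in this hunk still depends on someone remembering to copy `pCharPos` before walking it; since the loop already carries `i`, indexing removes the second cursor entirely, e.g. `float* pAM = pCharPos[i].m_AdjustMatrix;`, and the same applies to the substitute-font loop touched by the hunks at -67 and -88. Declaring the parameter as `FXTEXT_CHARPOS* const pCharPos` in the definition would additionally turn any future `++pCharPos` into a compile error. Neither loop's bound is checked in the visible lines, so whether `iCount` is guaranteed to match the array length depends on code outside this hunk; DrawString's signature and the rest of its body are outside it as well. The diffstat lists only this file, so a regression test for the bug referenced in the description would be worth adding alongside the fix.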
@@ -67,11 +68,12 @@ bool CFDE_TextOut::DrawString(CFX_RenderDevice* device,
 RetainPtr pCurFont;
 FXTEXT_CHARPOS* pCurCP = nullptr;
 int32_t iCurCount = 0;
+ FXTEXT_CHARPOS* pCharPosIter = pCharPos;
 for (int32_t i = 0; i < iCount; ++i) {
 RetainPtr pSTFont =
- pFont->GetSubstFont(static_cast(pCharPos->m_GlyphIndex));
- pCharPos->m_GlyphIndex &= 0x00FFFFFF;
- pCharPos->m_bFontStyle = false;
+ pFont->GetSubstFont(static_cast(pCharPosIter->m_GlyphIndex));
+ pCharPosIter->m_GlyphIndex &= 0x00FFFFFF;
+ pCharPosIter->m_bFontStyle = false;
 if (pCurFont != pSTFont) {
 if (pCurFont) {
 pFxFont = pCurFont->GetDevFont();
@@ -88,12 +90,12 @@ bool CFDE_TextOut::DrawString(CFX_RenderDevice* device,
 color, FXTEXT_CLEARTYPE);
 }
 pCurFont = pSTFont;
- pCurCP = pCharPos;
+ pCurCP = pCharPosIter;
 iCurCount = 1;
 } else {
 ++iCurCount;
 }
- ++pCharPos;
+ ++pCharPosIter;
 }
 bool bRet = true;
-- cgit v1.2.3
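Review bot: In the hunk at -67 the loop rewrites the caller's array in place (`m_GlyphIndex &= 0x00FFFFFF` and `m_bFontStyle = false`) after passing the unmasked index to `GetSubstFont`, and nothing in the new code says why. A comment above the mask would help, for example `// High byte of m_GlyphIndex selects the substitute font; strip it before the run is drawn.`, which is my reading of the code and should be confirmed by the author. It would also be worth stating on DrawString that the array is modified, because a second call with the same array would presumably look up the substitute font from an already-masked index. The loop runs on into the hunk at -88 and the function continues past both.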