Harden CFDE_TextOut::m_ttoLines.
The libc++ hardening project has not yet added bounds checks to
std::deque<>, so being hardening instances of its operator[]().
-- fix initialization while at it (no reason to start with 5 empty
elements, this is a mistake left over from a representation change
long ago where 5 used to mean an initial reservation size).
Bug: chromium:1463001
Change-Id: I6817d12d392df5c44a0f177506f9115cb55d086b
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/109410
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/xfa/fde/cfde_textout.cpp b/xfa/fde/cfde_textout.cpp
index af6ce53..d7582d8 100644
--- a/xfa/fde/cfde_textout.cpp
+++ b/xfa/fde/cfde_textout.cpp
@@ -22,6 +22,7 @@
#include "core/fxge/fx_font.h"
#include "core/fxge/text_char_pos.h"
#include "third_party/base/check.h"
+#include "third_party/base/check_op.h"
#include "third_party/base/numerics/safe_conversions.h"
#include "xfa/fgas/font/cfgas_gefont.h"
#include "xfa/fgas/layout/cfgas_txtbreak.h"
@@ -129,7 +130,7 @@
CFDE_TextOut::Piece::~Piece() = default;
CFDE_TextOut::CFDE_TextOut()
- : m_pTxtBreak(std::make_unique<CFGAS_TxtBreak>()), m_ttoLines(5) {}
+ : m_pTxtBreak(std::make_unique<CFGAS_TxtBreak>()) {}
CFDE_TextOut::~CFDE_TextOut() = default;
@@ -344,6 +345,7 @@
}
if (m_fLinePos + fLineStep > fLineStop) {
size_t iCurLine = bEndofLine ? m_iCurLine - 1 : m_iCurLine;
+ CHECK_LT(m_iCurLine, m_ttoLines.size());
m_ttoLines[iCurLine].set_new_reload(true);
bRet = true;
break;
@@ -394,6 +396,7 @@
}
if (j == chars_to_skip && !bReload) {
+ CHECK_LT(m_iCurLine, m_ttoLines.size());
m_ttoLines[m_iCurLine].set_new_reload(true);
} else if (j > chars_to_skip) {
Piece piece;
