Avoid integer overflow in RelocateTableRowCells().
-- also add some consts as appropriate.
Bug: chromium:1164158
Change-Id: I3146a8f0fc45e1282548dad136379a8f87a7770d
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/77230
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Daniel Hosseinian <dhoss@chromium.org>
diff --git a/testing/resources/javascript/xfa_specific/bug_1164158.in b/testing/resources/javascript/xfa_specific/bug_1164158.in
new file mode 100644
index 0000000..28b7eff
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1164158.in
@@ -0,0 +1,37 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_2_0.fragment}}
+{{include ../../xfa_preamble_3_0.fragment}}
+{{include ../../xfa_config_4_0.fragment}}
+{{object 5 0}} <<
+ {{streamlen}}
+>>
+stream
+<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
+ <subform>
+ <pageSet relation="simplexPaginated">
+ <pageArea pagePosition="last">
+ <subform>
+ <subform layout="table">
+ <subform layout="row">
+ <field />
+ <field colSpan="4294967295" presence="inactive" />
+ </subform>
+ </subform>
+ </subform>
+ </pageArea>
+ <pageArea>
+ <contentArea />
+ </pageArea>
+ </pageSet>
+ </subform>
+</template>
+endstream
+endobj
+{{include ../../xfa_locale_6_0.fragment}}
+{{include ../../xfa_postamble_7_0.fragment}}
+{{include ../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
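Review bot: The fixture pins the regression to a single row with `colSpan="4294967295"`, but how `GetInteger` maps a value outside the int32 range is not visible in this diff, so it is unclear whether that row reaches the positive-span clamp or one of the other branches of the rewritten code. Adding a sibling field such as `<field colSpan="2147483647" />` exercises the in-range "span exceeds remaining columns" case deterministically, and a `<field colSpan="-1" />` row would cover the whole-row path that the fix now computes as `rgSpecifiedColumnWidths.size()`. If the commit adds no expected-output file for this input, the test proves only that layout no longer crashes, which is worth stating in the commit message.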
diff --git a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
index 9c48284..1143c76 100644
--- a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
+++ b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
@@ -190,22 +190,25 @@
XFA_AttributeValue eLayout) {
bool bContainerWidthAutoSize = true;
bool bContainerHeightAutoSize = true;
- CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
+ const CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
pLayoutRow->GetFormNode(), &bContainerWidthAutoSize,
&bContainerHeightAutoSize);
+
CXFA_Margin* pMargin =
pLayoutRow->GetFormNode()->GetFirstChildByClass<CXFA_Margin>(
XFA_Element::Margin);
- CFX_FloatRect inset = GetMarginInset(pMargin);
- float fContentWidthLimit =
+ const CFX_FloatRect inset = GetMarginInset(pMargin);
+
+ const float fContentWidthLimit =
bContainerWidthAutoSize ? FLT_MAX
: containerSize.width - inset.left - inset.right;
- float fContentCurrentHeight =
+ const float fContentCurrentHeight =
pLayoutRow->m_sSize.height - inset.top - inset.bottom;
+
float fContentCalculatedWidth = 0;
float fContentCalculatedHeight = 0;
float fCurrentColX = 0;
- int32_t nCurrentColIdx = 0;
+ size_t nCurrentColIdx = 0;
bool bMetWholeRowCell = false;
for (CXFA_LayoutItem* pIter = pLayoutRow->GetFirstChild(); pIter;
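Review bot: The change of `nCurrentColIdx` from `int32_t` to `size_t` near the end of the hunk is the part of this fix that removes the signed arithmetic, yet it carries no comment, so a later cleanup could plausibly revert it to match `nOriginalColSpan` and reintroduce the overflow. I would annotate it: `// size_t: indexes rgSpecifiedColumnWidths and is only ever advanced by spans clamped to the remaining columns, so it stays <= size() without signed arithmetic.` The clamping that makes this invariant hold lives in the following hunk, and the function `RelocateTableRowCells` begins before this hunk and continues past it, so the increment of `nCurrentColIdx` that completes the invariant is not visible here.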
@@ -214,24 +217,28 @@
if (!pLayoutChild)
continue;
- int32_t nOriginalColSpan =
+ const int32_t nOriginalColSpan =
pLayoutChild->GetFormNode()->JSObject()->GetInteger(
XFA_Attribute::ColSpan);
- if (nOriginalColSpan <= 0 && nOriginalColSpan != -1)
+
+ size_t nColSpan;
+ if (nOriginalColSpan > 0)
+ nColSpan = static_cast<size_t>(nOriginalColSpan);
+ else if (nOriginalColSpan == -1)
+ nColSpan = rgSpecifiedColumnWidths.size();
+ else
continue;
- int32_t nColSpan = nOriginalColSpan;
+ CHECK(nCurrentColIdx <= rgSpecifiedColumnWidths.size());
+ const size_t remaining = rgSpecifiedColumnWidths.size() - nCurrentColIdx;
+ nColSpan = std::min(nColSpan, remaining);
+
float fColSpanWidth = 0;
- if (nColSpan == -1 ||
- nCurrentColIdx + nColSpan >
- pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths)) {
- nColSpan = pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths) -
- nCurrentColIdx;
- }
- for (int32_t i = 0; i < nColSpan; i++)
+ for (size_t i = 0; i < nColSpan; i++)
fColSpanWidth += rgSpecifiedColumnWidths[nCurrentColIdx + i];
- if (nColSpan != nOriginalColSpan) {
+ if (nOriginalColSpan == -1 ||
+ nColSpan != static_cast<size_t>(nOriginalColSpan)) {
fColSpanWidth = bMetWholeRowCell ? 0
: std::max(fColSpanWidth,
pLayoutChild->m_sSize.height);