Limit string width in CFXJSE_FormCalcContext::Space()
Bug: chromium:1289658
Change-Id: I3934c468b41fa615741c230be3483aba608b0e93
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/89830
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/fxjs/xfa/cfxjse_formcalc_context.cpp b/fxjs/xfa/cfxjse_formcalc_context.cpp
index f968626..10a0743 100644
--- a/fxjs/xfa/cfxjse_formcalc_context.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context.cpp
@@ -51,6 +51,9 @@
namespace {
+// Maximum number of characters Acrobat can fit in a text box.
+constexpr int kMaxCharCount = 15654908;
+
const double kFinancialPrecision = 0.00000001;
const wchar_t kStrCode[] = L"0123456789abcdef";
@@ -4160,8 +4163,6 @@
return;
}
- // Maximum number of characters Acrobat can fit in a text box.
- constexpr int kMaxCharCount = 15654908;
int count = std::max(0, ValueToInteger(info.GetIsolate(), argOne));
if (count > kMaxCharCount) {
ToFormCalcContext(pThis)->ThrowException("String too long.");
@@ -4193,6 +4194,10 @@
if (argc > 1) {
v8::Local<v8::Value> widthValue = GetSimpleValue(info, 1);
iWidth = static_cast<int32_t>(ValueToFloat(info.GetIsolate(), widthValue));
+ if (iWidth > kMaxCharCount) {
+ ToFormCalcContext(pThis)->ThrowException("String too long.");
+ return;
+ }
}
int32_t iPrecision = 0;
diff --git a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
index 1ced8f6..c23f5b2 100644
--- a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
@@ -819,6 +819,7 @@
// Error cases.
ExecuteExpectError("Str()");
ExecuteExpectError("Str(1, 2, 3, 4)");
+ ExecuteExpectError("Str(42, 15654909)");
ExecuteExpectNull("Str( $)");
}
