Fix integer overflow in CPDF_DocPageData::GetFontFileStreamAcc(). BUG=chromium:925736 Change-Id: I2334277d11bf1f43ba7d0bad9a99b455e9be5f78 Reviewed-on: https://pdfium-review.googlesource.com/c/49330 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/page/cpdf_docpagedata.cpp b/core/fpdfapi/page/cpdf_docpagedata.cpp
index 7b62467..bb7e558 100644
--- a/core/fpdfapi/page/cpdf_docpagedata.cpp
+++ b/core/fpdfapi/page/cpdf_docpagedata.cpp
@@ -465,10 +465,16 @@
 return it->second;
 const CPDF_Dictionary* pFontDict = pFontStream->GetDict();
- int32_t org_size = pFontDict->GetIntegerFor("Length1") +
- pFontDict->GetIntegerFor("Length2") +
- pFontDict->GetIntegerFor("Length3");
- org_size = std::max(org_size, 0);
+ int32_t len1 = pFontDict->GetIntegerFor("Length1");
+ int32_t len2 = pFontDict->GetIntegerFor("Length2");
+ int32_t len3 = pFontDict->GetIntegerFor("Length3");
+ uint32_t org_size = 0;
+ if (len1 >= 0 && len2 >= 0 && len3 >= 0) {
+ FX_SAFE_UINT32 safe_org_size = len1;
+ safe_org_size += len2;
+ safe_org_size += len3;
+ org_size = safe_org_size.ValueOrDefault(0);
+ }
 auto pFontAcc = pdfium::MakeRetain<CPDF_StreamAcc>(pFontStream);
 pFontAcc->LoadAllDataFilteredWithEstimatedSize(org_size);
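Review bot: The new guard drops the whole size estimate to 0 when any one of Length1, Length2 or Length3 is negative, whereas the removed code summed first and clamped the result with std::max; since org_size is only handed to LoadAllDataFilteredWithEstimatedSize as a hint, that is acceptable, but the intent should be stated next to the `uint32_t org_size = 0;` line: `// Length1-3 come from the document and are untrusted; a negative or overflowing sum falls back to 0, which is only a load-size hint.` If FX_SAFE_UINT32 already marks a negative assignment as invalid, the explicit `>= 0` checks are redundant but harmless; confirm that before simplifying. GetFontFileStreamAcc begins and ends outside this hunk.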
diff --git a/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp b/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
index 8ba1d48..e8bea02 100644
--- a/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
+++ b/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
@@ -14,3 +14,10 @@
 RenderLoadedPage(page);
 UnloadPage(page);
 }
+
+TEST_F(CPDF_DocPageDataEmbedderTest, BUG_925736) {
+ EXPECT_TRUE(OpenDocument("bug_925736.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ ASSERT_TRUE(page);
+ UnloadPage(page);
+}
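Review bot: The new test only checks that page 0 loads, which is the right shape for a crash regression, but nothing in the test explains what bug_925736.pdf exercises or why loading it is the interesting step. A one-line comment above the TEST_F, such as `// bug_925736.pdf presumably carries a font stream whose Length1/2/3 sum overflows int32_t; loading it must not crash.`, would let a future reader know which code path the fixture covers without reopening the bug. The fixture's contents are not visible here, so the comment should stay hedged until someone confirms it against the file.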
diff --git a/testing/resources/bug_925736.pdf b/testing/resources/bug_925736.pdf
new file mode 100644
index 0000000..429d53a
--- /dev/null
+++ b/testing/resources/bug_925736.pdf
Binary files differ