Fix another integer overflow in CFGAS_StringFormatter::ParseNum()
And the fuzzer found another corner case.
Bug: chromium:947188
Change-Id: I0ec5fb062882fb92686e9411d22e5880a8373982
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/52654
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/xfa/fgas/crt/cfgas_stringformatter.cpp b/xfa/fgas/crt/cfgas_stringformatter.cpp
index ab2dde8..02ace49 100644
--- a/xfa/fgas/crt/cfgas_stringformatter.cpp
+++ b/xfa/fgas/crt/cfgas_stringformatter.cpp
@@ -1420,9 +1420,10 @@
while (cc < spSrcNum.size()) {
if (!FXSYS_IsDecimalDigit(spSrcNum[cc]))
break;
- if (iExponent > std::numeric_limits<int>::max() / 10)
+ int digit = FXSYS_DecimalCharToInt(spSrcNum[cc]);
+ if (iExponent > (std::numeric_limits<int>::max() - digit) / 10)
return false;
- iExponent = iExponent * 10 + FXSYS_DecimalCharToInt(spSrcNum[cc]);
+ iExponent = iExponent * 10 + digit;
cc++;
}
iExponent = bExpSign ? -iExponent : iExponent;
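Review bot: The new guard `if (iExponent > (std::numeric_limits<int>::max() - digit) / 10)` correctly bounds `iExponent * 10 + digit`, but the visible change adds no regression test for the boundary the fuzzer hit, and the commit title says this is a repeat fix in the same loop. A unit test with constructed boundary inputs would pin it: an exponent of `2147483647` should pass this check and `2147483648` should reach `return false` here (this assumes a 32-bit `int`). I would also add a one-line comment above the check, `// Reject before iExponent * 10 + digit can exceed INT_MAX.`, so the reason for subtracting `digit` survives later edits. If checked arithmetic such as pdfium's `FX_SAFE_INT32` is usable in this file, accumulating into it would avoid hand-deriving the bound a third time. The loop belongs to a function that starts and continues outside the hunk, so how a near-`INT_MAX` exponent is used afterwards cannot be judged from here.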