Fix integer overflow in CPDF_CIDFont::GetCharBBox
Bug: chromium:875924
Change-Id: I85c86d3f90ee62b5593b0b20e44283c5056702ff
Reviewed-on: https://pdfium-review.googlesource.com/40730
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index e118a91e..a423daa 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -119,8 +119,11 @@
};
// Boundary values to avoid integer overflow when multiplied by 1000.
-const long kMinCBox = -2147483;
-const long kMaxCBox = 2147483;
+constexpr long kMinCBox = -2147483;
+constexpr long kMaxCBox = 2147483;
+
+// Boundary value to avoid integer overflow when adding 1/64th of the value.
+constexpr int kMaxRectTop = 2114445437;
CPDF_FontGlobals* GetFontGlobals() {
return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals();
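Review bot: `kMaxRectTop` is a hand-computed literal that is only valid for a 32-bit `int`, and nothing at its definition ties it to `std::numeric_limits<int>::max()` or to the 1/64 factor used later. A compile-time check beside it would catch a wrong bound if either changes: `static_assert(kMaxRectTop <= std::numeric_limits<int>::max() - kMaxRectTop / 64, "kMaxRectTop + kMaxRectTop / 64 must fit in int");`. The comment could also name the relation it encodes, for example `// Upper bound on |top| for which top + top / 64 still fits in int.`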
@@ -472,7 +475,10 @@
TT2PDF(FXFT_Get_Glyph_HoriBearingY(face) -
FXFT_Get_Glyph_Height(face),
face));
- rect.top += rect.top / 64;
+ if (rect.top <= kMaxRectTop)
+ rect.top += rect.top / 64;
+ else
+ rect.top = std::numeric_limits<int>::max();
}
}
}
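Review bot: The new guard around `rect.top += rect.top / 64` covers only the positive direction, so a `rect.top` below `-kMaxRectTop` would still hit signed overflow on that statement. Whether `rect.top` can be that negative is inferred, because the enclosing function and the definition of `TT2PDF` are outside the hunk; the glyph metrics come from the font file, so it is worth ruling out. A symmetric clamp as sketched below closes that side. Separately, the diff shows no `#include <limits>` being added, so confirm the file includes it directly and does not rely on a transitive include for `std::numeric_limits`.

```cpp
// … unchanged: rect construction from the glyph metrics …
if (rect.top > kMaxRectTop)
  rect.top = std::numeric_limits<int>::max();
else if (rect.top < -kMaxRectTop)
  rect.top = std::numeric_limits<int>::min();
else
  rect.top += rect.top / 64;
```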