Avoid integer overflow in RelocateTableRowCells(). -- also add some consts as appropriate. Bug: chromium:1164158 Change-Id: I3146a8f0fc45e1282548dad136379a8f87a7770d Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/77230 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Daniel Hosseinian <dhoss@chromium.org>
diff --git a/testing/resources/javascript/xfa_specific/bug_1164158.in b/testing/resources/javascript/xfa_specific/bug_1164158.in
new file mode 100644
index 0000000..28b7eff
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1164158.in
@@ -0,0 +1,37 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_2_0.fragment}}
+{{include ../../xfa_preamble_3_0.fragment}}
+{{include ../../xfa_config_4_0.fragment}}
+{{object 5 0}} <<
+ {{streamlen}}
+>>
+stream
+<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
+ <subform>
+ <pageSet relation="simplexPaginated">
+ <pageArea pagePosition="last">
+ <subform>
+ <subform layout="table">
+ <subform layout="row">
+ <field />
+ <field colSpan="4294967295" presence="inactive" />
+ </subform>
+ </subform>
+ </subform>
+ </pageArea>
+ <pageArea>
+ <contentArea />
+ </pageArea>
+ </pageSet>
+ </subform>
+</template>
+endstream
+endobj
+{{include ../../xfa_locale_6_0.fragment}}
+{{include ../../xfa_postamble_7_0.fragment}}
+{{include ../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
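Review bot: The regression input pins the overflow on a single value, `colSpan="4294967295"` (2^32-1), and whether that reaches the layout code as a saturated large positive span or wraps to -1 depends on how GetInteger handles out-of-range attribute values, which this page does not show; if it wraps, the file exercises the whole-row path rather than the large-span arithmetic the commit fixes. Adding a sibling cell with an in-range maximum, `<field colSpan="2147483647" presence="inactive" />`, would cover the large positive case independently of the parser's behaviour.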
diff --git a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
index 9c48284..1143c76 100644
--- a/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
+++ b/xfa/fxfa/layout/cxfa_contentlayoutprocessor.cpp
@@ -190,22 +190,25 @@ XFA_AttributeValue eLayout) {
 bool bContainerWidthAutoSize = true;
 bool bContainerHeightAutoSize = true;
- CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
+ const CFX_SizeF containerSize = CalculateContainerSpecifiedSize(
 pLayoutRow->GetFormNode(), &bContainerWidthAutoSize, &bContainerHeightAutoSize);
+
 CXFA_Margin* pMargin = pLayoutRow->GetFormNode()->GetFirstChildByClass<CXFA_Margin>(
 XFA_Element::Margin);
- CFX_FloatRect inset = GetMarginInset(pMargin);
- float fContentWidthLimit =
+ const CFX_FloatRect inset = GetMarginInset(pMargin);
+
+ const float fContentWidthLimit =
 bContainerWidthAutoSize ? FLT_MAX : containerSize.width - inset.left - inset.right;
- float fContentCurrentHeight =
+ const float fContentCurrentHeight =
 pLayoutRow->m_sSize.height - inset.top - inset.bottom;
+
 float fContentCalculatedWidth = 0;
 float fContentCalculatedHeight = 0;
 float fCurrentColX = 0;
- int32_t nCurrentColIdx = 0;
+ size_t nCurrentColIdx = 0;
 bool bMetWholeRowCell = false;
 for (CXFA_LayoutItem* pIter = pLayoutRow->GetFirstChild(); pIter;
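Review bot: `size_t nCurrentColIdx = 0;` now carries an invariant the loop body depends on — it must never exceed rgSpecifiedColumnWidths.size(), which the CHECK in the following hunk enforces before `remaining` is computed by unsigned subtraction — but nothing at the declaration says so. A one-line comment such as `// Next unconsumed column; the loop body keeps this <= rgSpecifiedColumnWidths.size().` would tell a later reader why the CHECK exists and why the subtraction cannot wrap. The code that advances the index is outside the visible hunks, so I cannot confirm from this page that every path preserves the bound; the enclosing function also starts and ends outside the hunk.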
@@ -214,24 +217,28 @@ if (!pLayoutChild)
 continue;
- int32_t nOriginalColSpan =
+ const int32_t nOriginalColSpan =
 pLayoutChild->GetFormNode()->JSObject()->GetInteger(
 XFA_Attribute::ColSpan);
- if (nOriginalColSpan <= 0 && nOriginalColSpan != -1)
+
+ size_t nColSpan;
+ if (nOriginalColSpan > 0)
+ nColSpan = static_cast<size_t>(nOriginalColSpan);
+ else if (nOriginalColSpan == -1)
+ nColSpan = rgSpecifiedColumnWidths.size();
+ else
 continue;
- int32_t nColSpan = nOriginalColSpan;
+ CHECK(nCurrentColIdx <= rgSpecifiedColumnWidths.size());
+ const size_t remaining = rgSpecifiedColumnWidths.size() - nCurrentColIdx;
+ nColSpan = std::min(nColSpan, remaining);
+
 float fColSpanWidth = 0;
- if (nColSpan == -1 ||
- nCurrentColIdx + nColSpan >
- pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths)) {
- nColSpan = pdfium::CollectionSize<int32_t>(rgSpecifiedColumnWidths) -
- nCurrentColIdx;
- }
- for (int32_t i = 0; i < nColSpan; i++)
+ for (size_t i = 0; i < nColSpan; i++)
 fColSpanWidth += rgSpecifiedColumnWidths[nCurrentColIdx + i];
- if (nColSpan != nOriginalColSpan) {
+ if (nOriginalColSpan == -1 ||
+ nColSpan != static_cast<size_t>(nOriginalColSpan)) {
 fColSpanWidth = bMetWholeRowCell ? 0 : std::max(fColSpanWidth, pLayoutChild->m_sSize.height);