Google Git
Sign in
pdfium/pdfium.git/refs/heads/chromium/6446^!/.
commit
1a5ec9fb4eb1642f9976f095c13f4772b8d69e03
[log]
author
Stefan Smolen <ssmole@microsoft.com>
Tue Apr 16 00:00:38 2024 +0000
committer
Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>
Tue Apr 16 00:00:38 2024 +0000
tree
409682a67c08d16e4a7308fe144a92ebe98e79bd
parent
fde20e170bebdde902d38dd577a0543e11b6d4d4 [diff]
Gate GDI APIs behind IsUser32AndGdi32Available in cpdf_interactiveform.cpp

Under win32k lockdown, which is detectable using the
IsUser32AndGdi32Available helper function and used in chromium renderer
and service sandboxes, APIs which call into win32k.sys like GetDC,
EnumFontFamiliesExW, ReleaseDC will no-op in the kernel and fail or
return no data.

We're planning make chromium changes that will cause the DLLs hosting
these APIs to fail to load (and crash in the delayload runtime) under
win32k lockdown, adding these if checks will prevent us from trying to
load the dlls.

By only ever returning kDefaultAnsiFontName or an empty string from
GetNativeFontName, then we never call AddWindowsFont in AddNativeFont
either, as AddNativeFont also calls GDI APIs.

Bug: pdfium:2140
Change-Id: I0ded3ace2cde39d4f9f4529707af616daed44366
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/118172
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

diff --git a/core/fpdfdoc/cpdf_interactiveform.cpp b/core/fpdfdoc/cpdf_interactiveform.cpp
index fe7c07a..5a01ad2 100644
--- a/core/fpdfdoc/cpdf_interactiveform.cpp
+++ b/core/fpdfdoc/cpdf_interactiveform.cpp

@@ -36,6 +36,10 @@
 #include "core/fxcrt/stl_util.h"
 #include "core/fxge/fx_font.h"
 
+#if BUILDFLAG(IS_WIN)
+#include "core/fxcrt/win/win_util.h"
+#endif
+
 namespace {
 
 const int nMaxRecursion = 32;
@@ -89,9 +93,16 @@
 #if BUILDFLAG(IS_WIN)
   LOGFONTA lf = {};
   if (charSet == FX_Charset::kANSI) {
-    csFontName = CFX_Font::kDefaultAnsiFontName;
-    return csFontName;
+    return CFX_Font::kDefaultAnsiFontName;
   }
+
+  if (!pdfium::IsUser32AndGdi32Available()) {
+    // Without GDI32 and User32, GetDC / EnumFontFamiliesExW / ReleaseDC all
+    // fail, which is called by RetrieveSpecificFont. We won't be able to look
+    // up native fonts without GDI.
+    return ByteString();
+  }
+
   bool bRet = false;
   const ByteString default_font_name =
       CFX_Font::GetDefaultFontNameByCharset(charSet);