Clamp rectangle values in FindTextlineFlowOrientation
The function clamps rectangle coordinates before casting to integer
to avoid float-cast-overflow undefined behavior, for instance if
pPageObj->GetRect().left > INT32_MAX.
This bug was found using an internal fuzz test.
Bug: b/274783814
PiperOrigin-RevId: 518669368
Change-Id: I7d05797fdb79d756ff880a6e1ce3391d5e9bc2ec
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/105370
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdftext/cpdf_textpage.cpp b/core/fpdftext/cpdf_textpage.cpp
index 68c2211..697e202 100644
--- a/core/fpdftext/cpdf_textpage.cpp
+++ b/core/fpdftext/cpdf_textpage.cpp
@@ -30,6 +30,7 @@
#include "core/fxcrt/stl_util.h"
#include "third_party/base/check.h"
#include "third_party/base/check_op.h"
+#include "third_party/base/cxx17_backports.h"
namespace {
@@ -561,13 +562,14 @@
if (!pPageObj->IsText())
continue;
- int32_t minH = std::max(static_cast<int32_t>(pPageObj->GetRect().left), 0);
- int32_t maxH =
- std::min(static_cast<int32_t>(pPageObj->GetRect().right), nPageWidth);
- int32_t minV =
- std::max(static_cast<int32_t>(pPageObj->GetRect().bottom), 0);
- int32_t maxV =
- std::min(static_cast<int32_t>(pPageObj->GetRect().top), nPageHeight);
+ int32_t minH = static_cast<int32_t>(
+ pdfium::clamp<float>(pPageObj->GetRect().left, 0.0f, nPageWidth));
+ int32_t maxH = static_cast<int32_t>(
+ pdfium::clamp<float>(pPageObj->GetRect().right, 0.0f, nPageWidth));
+ int32_t minV = static_cast<int32_t>(
+ pdfium::clamp<float>(pPageObj->GetRect().bottom, 0.0f, nPageHeight));
+ int32_t maxV = static_cast<int32_t>(
+ pdfium::clamp<float>(pPageObj->GetRect().top, 0.0f, nPageHeight));
if (minH >= maxH || minV >= maxV)
continue;
