Check for integer overflows in AdjustGlyphSpace().
BUG=chromium:914983
Change-Id: I90f0ae85e547efbe52a27d32a06af10ed65d6722
Reviewed-on: https://pdfium-review.googlesource.com/c/50112
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/cfx_renderdevice.cpp b/core/fxge/cfx_renderdevice.cpp
index ed7949a..17770b1 100644
--- a/core/fxge/cfx_renderdevice.cpp
+++ b/core/fxge/cfx_renderdevice.cpp
@@ -39,7 +39,7 @@
return;
for (size_t i = glyphs.size() - 1; i > 1; --i) {
- TextGlyphPos& next = glyphs[i];
+ const TextGlyphPos& next = glyphs[i];
int next_origin = bVertical ? next.m_Origin.y : next.m_Origin.x;
float next_origin_f = bVertical ? next.m_fOrigin.y : next.m_fOrigin.x;
@@ -48,11 +48,23 @@
float current_origin_f =
bVertical ? current.m_fOrigin.y : current.m_fOrigin.x;
- int space = next_origin - current_origin;
+ FX_SAFE_INT32 safe_space = next_origin;
+ safe_space -= current_origin;
+ if (!safe_space.IsValid())
+ continue;
+
+ int space = safe_space.ValueOrDie();
float space_f = next_origin_f - current_origin_f;
float error = fabs(space_f) - fabs(static_cast<float>(space));
- if (error > 0.5f)
- current_origin += space > 0 ? -1 : 1;
+ if (error <= 0.5f)
+ continue;
+
+ FX_SAFE_INT32 safe_origin = current_origin;
+ safe_origin += space > 0 ? -1 : 1;
+ if (!safe_origin.IsValid())
+ continue;
+
+ current_origin = safe_origin.ValueOrDie();
}
}
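Review bot: The two overflow `continue`s leave the glyph pair's spacing unadjusted without saying so, so a reader may take them as a pure UB guard rather than a deliberate change in output for out-of-range origins; a short comment above `FX_SAFE_INT32 safe_space = next_origin;` such as `// An origin difference that does not fit in int32 is left unadjusted rather than computed with an overflowed value.` would make that intent explicit. The same applies to the `safe_origin` block, where skipping the +/-1 nudge looks harmless because the adjustment only corrects a rounding error larger than half a unit. The origin values appear to derive from the document's glyph positions, so the check is presumably guarding input the renderer does not control, which is worth stating in the comment. The function's signature and the declarations of `current` and `current_origin` lie outside the hunk.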