Avoid integer overflow in CFX_Font::GetBBox() Compute coordinates as floats and saturated cast back to integers. Fixed: 348794706 Change-Id: Iaa265dc16eaa7f248094834d80e350074e44a8fd Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/121070 Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-by: Thomas Sepez <tsepez@google.com> Commit-Queue: Tom Sepez <tsepez@chromium.org>

commit: 7ae20ab63ed6f3c0630555f7ceca3715684d15ea [log] [tgz]
author: Tom Sepez <tsepez@chromium.org> Tue Jun 25 22:10:35 2024 +0000
committer: Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue Jun 25 22:10:35 2024 +0000
tree: 4a8c4d45320b47a2d415509d2a10f8a0c8605c45
parent: 1288d8d49db2056d7944eff524d57d1152776322 [diff]
diff --git a/core/fxge/cfx_font.cpp b/core/fxge/cfx_font.cpp
index 62d919b..9edc7b3 100644
--- a/core/fxge/cfx_font.cpp
+++ b/core/fxge/cfx_font.cpp

@@ -436,10 +436,10 @@
   int em = m_Face->GetUnitsPerEm();
   if (em != 0) {
     FX_RECT& bbox = result.value();
-    bbox.left = (bbox.left * 1000) / em;
-    bbox.top = (bbox.top * 1000) / em;
-    bbox.right = (bbox.right * 1000) / em;
-    bbox.bottom = (bbox.bottom * 1000) / em;
+    bbox.left = pdfium::saturated_cast<int32_t>((bbox.left * 1000.0f) / em);
+    bbox.top = pdfium::saturated_cast<int32_t>((bbox.top * 1000.0f) / em);
+    bbox.right = pdfium::saturated_cast<int32_t>((bbox.right * 1000.0f) / em);
+    bbox.bottom = pdfium::saturated_cast<int32_t>((bbox.bottom * 1000.0f) / em);
   }
   return result;
 }
commit	7ae20ab63ed6f3c0630555f7ceca3715684d15ea	[log] [tgz]
author	Tom Sepez <tsepez@chromium.org>	Tue Jun 25 22:10:35 2024 +0000
committer	Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>	Tue Jun 25 22:10:35 2024 +0000
tree	4a8c4d45320b47a2d415509d2a10f8a0c8605c45
parent	1288d8d49db2056d7944eff524d57d1152776322 [diff]