Fix an integer overflow in CPDF_RenderStatus::ProcessType3Text().
BUG=chromium:966263
Change-Id: I4a8afc06d12cdc50530d1b3fea9a623af6bca799
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/55351
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index dce3828..38dc6c5 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -1901,9 +1901,18 @@
CFX_Point origin(FXSYS_round(matrix.e), FXSYS_round(matrix.f));
if (glyphs.empty()) {
- m_pDevice->SetBitMask(pBitmap->GetBitmap(),
- origin.x + pBitmap->left(),
- origin.y - pBitmap->top(), fill_argb);
+ FX_SAFE_INT32 left = origin.x;
+ left += pBitmap->left();
+ if (!left.IsValid())
+ continue;
+
+ FX_SAFE_INT32 top = origin.y;
+ top -= pBitmap->top();
+ if (!top.IsValid())
+ continue;
+
+ m_pDevice->SetBitMask(pBitmap->GetBitmap(), left.ValueOrDie(),
+ top.ValueOrDie(), fill_argb);
} else {
glyphs[iChar].m_pGlyph = pBitmap;
glyphs[iChar].m_Origin = origin;
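Review bot: The `else` branch at the end of this hunk still stores the unchecked `origin` in `glyphs[iChar].m_Origin` for the same bitmap, so the new guarded sums protect only the `glyphs.empty()` path. If the code that later consumes `glyphs` (outside this hunk) adds the glyph's `left()`/`top()` to `m_Origin` with plain `int` arithmetic, the same signed overflow would remain on that path, presumably driven by document-supplied values, and it should get the same `FX_SAFE_INT32` treatment. The two `continue` statements drop the glyph silently, so a comment above the first check would help, for example `// Skip glyphs whose device position does not fit in int32.`. The enclosing loop and function start and end outside the hunk, so the deferred-glyph path needs to be confirmed against the full file.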