commit a775d1fcac336e82b67fbf6067bcf3c8dbe00353
author Lei Zhang <thestig@chromium.org> Fri Aug 23 18:54:26 2019 +0000
committer Chromium commit bot <commit-bot@chromium.org> Fri Aug 23 18:54:26 2019 +0000
tree aaeaf144c5d5d51db4dc2746b71f4d62fa373c07
parent cf9147a73748793cdef322b2294c2aa1953256ae

Correctly account for Arabic characters in CFX_RTFBreak.

https://pdfium-review.googlesource.com/59794 added a sanity check to
make sure the Arabic characters count in CFX_BreakLine never goes
negative. Soon, pdf_bidi_fuzzer found out it can. This is because
https://pdfium-review.googlesource.com/32714 made it possible for
CFX_RTFBreak::AppendChar_Arabic() to return early and forget to
increment the count.

Fix this by always incrementing the count in AppendChar_Arabic().

Bug: chromium:996279
Change-Id: Id0de02e81fbb09dd8a5475212419c38310ec12db
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/59850
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

xfa/fgas/layout/cfx_rtfbreak.cpp

diff --git a/xfa/fgas/layout/cfx_rtfbreak.cpp b/xfa/fgas/layout/cfx_rtfbreak.cpp
index 40f5b84..2a09810 100644
--- a/xfa/fgas/layout/cfx_rtfbreak.cpp
+++ b/xfa/fgas/layout/cfx_rtfbreak.cpp
@@ -199,6 +199,8 @@
 }
 
 CFX_BreakType CFX_RTFBreak::AppendChar_Arabic(CFX_Char* pCurChar) {
+  m_pCurLine->IncrementArabicCharCount();
+
   CFX_Char* pLastChar = nullptr;
   wchar_t wForm;
   bool bAlef = false;
@@ -264,7 +266,6 @@
     return CFX_BreakType::None;
 
   m_pCurLine->m_iWidth = checked_width.ValueOrDie();
-  m_pCurLine->IncrementArabicCharCount();
 
   if (IsGreaterThanLineWidth(m_pCurLine->GetLineEnd()))
     return EndBreak(CFX_BreakType::Line);