Fix integer overflow in CPDF_Font::FallbackFontFromCharcode
Bug: chromium:831583
Change-Id: Idc980ef47cdd942bddc75d9b7fe4a56bdeacdc1a
Reviewed-on: https://pdfium-review.googlesource.com/30670
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/font/cpdf_font.cpp b/core/fpdfapi/font/cpdf_font.cpp
index f636e93..ad7eeea 100644
--- a/core/fpdfapi/font/cpdf_font.cpp
+++ b/core/fpdfapi/font/cpdf_font.cpp
@@ -452,9 +452,11 @@
uint32_t CPDF_Font::FallbackFontFromCharcode(uint32_t charcode) {
if (m_FontFallbacks.empty()) {
m_FontFallbacks.push_back(pdfium::MakeUnique<CFX_Font>());
+ pdfium::base::CheckedNumeric<int> safeWeight = m_StemV;
+ safeWeight *= 5;
m_FontFallbacks[0]->LoadSubst("Arial", IsTrueTypeFont(), m_Flags,
- m_StemV * 5, m_ItalicAngle, 0,
- IsVertWriting());
+ safeWeight.ValueOrDefault(FXFONT_FW_NORMAL),
+ m_ItalicAngle, 0, IsVertWriting());
}
return 0;
}
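Review bot: The checked multiply on lines 15–16 only covers the overflow case; a negative `m_StemV` read from a malformed font dictionary still produces a negative weight that `ValueOrDefault` passes straight through on line 20, and whether `LoadSubst` tolerates a non-positive weight is not visible in this hunk. If it does not, the same default could cover that case: `int weight = safeWeight.ValueOrDefault(FXFONT_FW_NORMAL); if (weight <= 0) weight = FXFONT_FW_NORMAL;` and then pass `weight`. A short why-comment above line 15 would also help the next reader, e.g. `// StemV comes from the document; a checked multiply avoids signed-overflow UB on hostile values.` If `m_StemV * 5` is computed elsewhere in the font loaders, those sites presumably need the same guard, but that is outside this change.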