Add missing bounds check in FPDFFont_GetGlyphPath().

In the FPDFFont_GetGlyphPath() implementation, the GetCharPosList() call
can sometimes return an empty vector. Handle this case and avoid an
out-of-bounds access.

Bug: pdfium:1889
Change-Id: I65500332487ca933b432e8b424be7f57da54f1b3
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/98130
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/fpdf_edit_embeddertest.cpp b/fpdfsdk/fpdf_edit_embeddertest.cpp
index d4fe040..2131afb 100644
--- a/fpdfsdk/fpdf_edit_embeddertest.cpp
+++ b/fpdfsdk/fpdf_edit_embeddertest.cpp
@@ -2636,6 +2636,9 @@
FPDF_FONT font = FPDFTextObj_GetFont(text);
ASSERT_TRUE(font);
+ // bad glyph argument.
+ ASSERT_FALSE(FPDFFont_GetGlyphPath(font, 1, 12.0f));
+
// good glyphpath
FPDF_GLYPHPATH gpath = FPDFFont_GetGlyphPath(font, 's', 12.0f);
ASSERT_TRUE(gpath);
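Review bot: The new comment `// bad glyph argument.` above the `ASSERT_FALSE` does not say what makes glyph 1 bad for this font, or that this assertion is the regression test for the empty-vector case named in the commit message. Consider spelling that out in the comment, for example that the call must return null instead of indexing into an empty position list, so the intent survives later edits to the test. The casing and trailing period also differ from the neighbouring `// good glyphpath` comment.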
diff --git a/fpdfsdk/fpdf_edittext.cpp b/fpdfsdk/fpdf_edittext.cpp
index bfca086..a58b64fa 100644
--- a/fpdfsdk/fpdf_edittext.cpp
+++ b/fpdfsdk/fpdf_edittext.cpp
@@ -824,6 +824,8 @@
std::vector<TextCharPos> pos =
GetCharPosList(pdfium::make_span(&charcode, 1),
pdfium::span<const float>(), pFont, font_size);
+ if (pos.empty())
+ return nullptr;
CFX_Font* pCfxFont;
if (pos[0].m_FallbackFontPosition == -1) {
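Review bot: The `if (pos.empty())` guard is added without a comment, and nothing in the hunk says under what condition GetCharPosList() yields no entry for the single charcode passed in. Since `pos[0]` is read by the `if (pos[0].m_FallbackFontPosition == -1) {` statement that follows, a one-line comment above the check stating that the list can be empty would make the dependency explicit and keep a later refactor from dropping it. Callers now receive nullptr on this path, so the public documentation for FPDFFont_GetGlyphPath() should mention that return value if it does not already.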