commit d20b2f05f1082d8197b671bde9d70370b271c0f8
author Lei Zhang <thestig@chromium.org> Mon Sep 19 21:43:04 2022 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Mon Sep 19 21:43:04 2022 +0000
tree ac8934883c464c5fa1b35a3c5077e3210d09fbb5
parent 55c78b079be48d7e7a85648e569c110765eff283

Add missing bounds check in FPDFFont_GetGlyphPath().

In the FPDFFont_GetGlyphPath() implementation, the GetCharPosList() call
can sometimes return an empty vector. Handle this case and avoid an out
of bounds access.

Bug: pdfium:1889
Change-Id: I65500332487ca933b432e8b424be7f57da54f1b3
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/98130
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

fpdfsdk/fpdf_edit_embeddertest.cpp

diff --git a/fpdfsdk/fpdf_edit_embeddertest.cpp b/fpdfsdk/fpdf_edit_embeddertest.cpp
index d4fe040..2131afb 100644
--- a/fpdfsdk/fpdf_edit_embeddertest.cpp
+++ b/fpdfsdk/fpdf_edit_embeddertest.cpp
@@ -2636,6 +2636,9 @@
   FPDF_FONT font = FPDFTextObj_GetFont(text);
   ASSERT_TRUE(font);
 
+  // bad glyph argument.
+  ASSERT_FALSE(FPDFFont_GetGlyphPath(font, 1, 12.0f));
+
   // good glyphpath
   FPDF_GLYPHPATH gpath = FPDFFont_GetGlyphPath(font, 's', 12.0f);
   ASSERT_TRUE(gpath);

fpdfsdk/fpdf_edittext.cpp

diff --git a/fpdfsdk/fpdf_edittext.cpp b/fpdfsdk/fpdf_edittext.cpp
index bfca086..a58b64fa 100644
--- a/fpdfsdk/fpdf_edittext.cpp
+++ b/fpdfsdk/fpdf_edittext.cpp
@@ -824,6 +824,8 @@
   std::vector<TextCharPos> pos =
       GetCharPosList(pdfium::make_span(&charcode, 1),
                      pdfium::span<const float>(), pFont, font_size);
+  if (pos.empty())
+    return nullptr;
 
   CFX_Font* pCfxFont;
   if (pos[0].m_FallbackFontPosition == -1) {