Limit number of payment periods for FormCalc Pmt() function.
Use the same limit as Acrobat Reader, thus avoiding a potential integer
overflow.
Bug: chromium:1293179
Change-Id: I290cf49d9041010fb26b22b9398358ca867346e7
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/90173
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/xfa/cfxjse_formcalc_context.cpp b/fxjs/xfa/cfxjse_formcalc_context.cpp
index 10a0743..2d2dbb9 100644
--- a/fxjs/xfa/cfxjse_formcalc_context.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context.cpp
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <algorithm>
+#include <limits>
#include <memory>
#include <utility>
#include <vector>
@@ -2919,7 +2920,8 @@
float nPrincipal = ValueToFloat(info.GetIsolate(), argOne);
float nRate = ValueToFloat(info.GetIsolate(), argTwo);
float nPeriods = ValueToFloat(info.GetIsolate(), argThree);
- if ((nPrincipal <= 0) || (nRate <= 0) || (nPeriods <= 0)) {
+ if (nPrincipal <= 0 || nRate <= 0 || nPeriods <= 0 ||
+ nPeriods > static_cast<float>(std::numeric_limits<int32_t>::max())) {
pContext->ThrowArgumentMismatchException();
return;
}
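Review bot: The upper bound in the added condition is one float step too high: `static_cast<float>(std::numeric_limits<int32_t>::max())` cannot represent 2147483647 and rounds up to 2147483648.0f, so with `>` an `nPeriods` of exactly 2^31 still passes the guard. The function body starts and continues outside this hunk, so this is inferred, but if the later code converts `nPeriods` to `int32_t` or compares it against an `int32_t` counter, that value lies outside the range the check is meant to enforce. Writing the bound as `nPeriods >= static_cast<float>(std::numeric_limits<int32_t>::max())` rejects it and leaves 2147483520 as the largest accepted value. A NaN returned by `ValueToFloat()` also fails every comparison here and is let through, so adding `std::isnan(nPeriods)` to the condition may be worthwhile if that helper can produce one. The new embedder test uses 99999997952, far above the limit, so it does not exercise this boundary.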
diff --git a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
index c23f5b2..79c8939 100644
--- a/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context_embeddertest.cpp
@@ -501,6 +501,10 @@
ASSERT_TRUE(OpenDocument("simple_xfa.pdf"));
ExecuteExpectFloat("Pmt(25000, 0.085, 12)", 3403.82145169876f);
+
+ // https://crbug.com/1293179
+ ExecuteExpectError("Pmt(2, 2, 99999997952)");
+
#if 0
// TODO(thestig): Investigate this case.
ExecuteExpectFloat("Pmt(150000, 0.0475 / 12, 25 * 12)", 855.17604207164f);