Bound cbox from tricky faces
The cbox values are long. We should make sure they are not too big before
putting them into FX_RECT, which holds integers. The bound is chosen to also
avoid overflow when multiplying by 1000.
BUG=chromium:699961
Change-Id: Ie4443848e0319348110f7215bd1c909ef19dad9f
Reviewed-on: https://pdfium-review.googlesource.com/2956
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
diff --git a/core/fpdfapi/font/cpdf_cidfont.cpp b/core/fpdfapi/font/cpdf_cidfont.cpp
index 6d01538..b0ae05c 100644
--- a/core/fpdfapi/font/cpdf_cidfont.cpp
+++ b/core/fpdfapi/font/cpdf_cidfont.cpp
@@ -113,6 +113,10 @@
{8818, 0, 129, 127, 0, 19, 114}, {8819, 0, 129, 127, 0, 218, 108},
};
+// Boundary values to avoid integer overflow when multiplied by 1000.
+const long kMinCBox = -2147483;
+const long kMaxCBox = 2147483;
+
CPDF_FontGlobals* GetFontGlobals() {
return CPDF_ModuleMgr::Get()->GetPageModule()->GetFontGlobals();
}
@@ -440,11 +444,15 @@
int err = FXFT_Load_Glyph(face, glyph_index,
FXFT_LOAD_IGNORE_GLOBAL_ADVANCE_WIDTH);
if (!err) {
- FXFT_BBox cbox;
FXFT_Glyph glyph;
err = FXFT_Get_Glyph(((FXFT_Face)face)->glyph, &glyph);
if (!err) {
+ FXFT_BBox cbox;
FXFT_Glyph_Get_CBox(glyph, FXFT_GLYPH_BBOX_PIXELS, &cbox);
+ cbox.xMin = std::min(std::max(cbox.xMin, kMinCBox), kMaxCBox);
+ cbox.xMax = std::min(std::max(cbox.xMax, kMinCBox), kMaxCBox);
+ cbox.yMin = std::min(std::max(cbox.yMin, kMinCBox), kMaxCBox);
+ cbox.yMax = std::min(std::max(cbox.yMax, kMinCBox), kMaxCBox);
int pixel_size_x = ((FXFT_Face)face)->size->metrics.x_ppem;
int pixel_size_y = ((FXFT_Face)face)->size->metrics.y_ppem;
if (pixel_size_x == 0 || pixel_size_y == 0) {
