Fix types for FT_ULong chars in fpdfedittext
FXFT_Get_First(Next)_Char can return large unsigned values. This CL avoids
integer overflow and adds some missing checks regarding the ranges of the
values returned by those methods.
Bug: chromium:727086
Change-Id: Ice7bbb3759e384b7174680a82a2a9380c3611382
Reviewed-on: https://pdfium-review.googlesource.com/6436
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/fpdfedittext.cpp b/fpdfsdk/fpdfedittext.cpp
index 3deae7e..1c3b22d 100644
--- a/fpdfsdk/fpdfedittext.cpp
+++ b/fpdfsdk/fpdfedittext.cpp
@@ -231,6 +231,8 @@
std::move(pDict));
}
+const uint32_t kMaxSimpleFontChar = 0xFF;
+
void* LoadSimpleFont(CPDF_Document* pDoc,
std::unique_ptr<CFX_Font> pFont,
const uint8_t* data,
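Review bot: `kMaxSimpleFontChar` is declared as a plain `const uint32_t` with no comment saying where the limit comes from; the rationale ("Simple fonts have 1-byte charcodes only.") sits only at the loop further down in LoadSimpleFont. Since the constant now backs two separate checks, I would write `constexpr uint32_t kMaxSimpleFontChar = 0xFF;` and move that one-line comment above it, so the bound and its reason stay together. The same applies to `kMaxUnicode` in the third hunk, with a comment such as `// Highest valid Unicode code point.`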
@@ -246,21 +248,23 @@
fontDict->SetNewFor<CPDF_Name>("BaseFont", name);
uint32_t glyphIndex;
- int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
- fontDict->SetNewFor<CPDF_Number>("FirstChar", currentChar);
+ uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
+ if (currentChar > kMaxSimpleFontChar || glyphIndex == 0)
+ return nullptr;
+ fontDict->SetNewFor<CPDF_Number>("FirstChar", static_cast<int>(currentChar));
CPDF_Array* widthsArray = pDoc->NewIndirect<CPDF_Array>();
while (true) {
widthsArray->AddNew<CPDF_Number>(pFont->GetGlyphWidth(glyphIndex));
- int nextChar =
+ uint32_t nextChar =
FXFT_Get_Next_Char(pFont->GetFace(), currentChar, &glyphIndex);
// Simple fonts have 1-byte charcodes only.
- if (nextChar > 0xff || glyphIndex == 0)
+ if (nextChar > kMaxSimpleFontChar || glyphIndex == 0)
break;
- for (int i = currentChar + 1; i < nextChar; i++)
+ for (uint32_t i = currentChar + 1; i < nextChar; i++)
widthsArray->AddNew<CPDF_Number>(0);
currentChar = nextChar;
}
- fontDict->SetNewFor<CPDF_Number>("LastChar", currentChar);
+ fontDict->SetNewFor<CPDF_Number>("LastChar", static_cast<int>(currentChar));
fontDict->SetNewFor<CPDF_Reference>("Widths", pDoc, widthsArray->GetObjNum());
CPDF_Dictionary* fontDesc =
LoadFontDesc(pDoc, name, pFont.get(), data, size, font_type);
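Review bot: The range checks on `currentChar` and `nextChar` run after the return value has already been narrowed to `uint32_t`, so where `FT_ULong` is 64 bits a value with high bits set would be truncated before `currentChar > kMaxSimpleFontChar` sees it. FreeType charcodes normally fit in 32 bits, so this is defensive. Keeping the result in the API's own type until it is validated removes that assumption: `FT_ULong currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);`, and likewise for `nextChar`. The same narrowing appears at the `FXFT_Get_First_Char` call in the LoadCompositeFont hunk. Separately, the new `return nullptr` is reached after `fontDict` has been populated. If that dictionary was registered with `pDoc` as an indirect object above this hunk (LoadSimpleFont starts outside it), a failed load leaves it behind in the document, so the first-char check may belong before the dictionary is created.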
@@ -270,6 +274,8 @@
return pDoc->LoadFont(fontDict);
}
+const uint32_t kMaxUnicode = 0x10FFFF;
+
void* LoadCompositeFont(CPDF_Document* pDoc,
std::unique_ptr<CFX_Font> pFont,
const uint8_t* data,
@@ -309,15 +315,15 @@
fontDesc->GetObjNum());
uint32_t glyphIndex;
- int currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
+ uint32_t currentChar = FXFT_Get_First_Char(pFont->GetFace(), &glyphIndex);
// If it doesn't have a single char, just fail
- if (glyphIndex == 0)
+ if (glyphIndex == 0 || currentChar > kMaxUnicode)
return nullptr;
std::map<uint32_t, uint32_t> to_unicode;
std::map<uint32_t, uint32_t> widths;
while (true) {
- if (currentChar > 0x10FFFF)
+ if (currentChar > kMaxUnicode)
break;
widths[glyphIndex] = pFont->GetGlyphWidth(glyphIndex);