Fix integer overflows in cfx_font.cpp.

Bug: chromium:775587
Change-Id: If927ebc0080a53d1c67f0aee5cab525fbcc24260
Reviewed-on: https://pdfium-review.googlesource.com/16290
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
diff --git a/core/fxge/cfx_font.cpp b/core/fxge/cfx_font.cpp
index 11fa457..da6b0e0 100644
--- a/core/fxge/cfx_font.cpp
+++ b/core/fxge/cfx_font.cpp
@@ -28,6 +28,9 @@
 
 namespace {
 
+constexpr int kThousandthMinInt = std::numeric_limits<int>::min() / 1000;
+constexpr int kThousandthMaxInt = std::numeric_limits<int>::max() / 1000;
+
 struct OUTLINE_PARAMS {
   CFX_PathData* m_pPath;
   int m_CurX;
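Review bot: The constants `kThousandthMinInt` and `kThousandthMaxInt` are added without a comment explaining what the divisor 1000 is tied to. Judging by their use in the later hunks they bound the operand that EM_ADJUST scales, but that macro is defined outside this diff, so the coupling should be stated here, for example `// Largest/smallest int that can be multiplied by 1000 (the EM_ADJUST scale factor) without overflow.` The constants also rely on `std::numeric_limits`, and no include change is visible in this diff, so confirm that `<limits>` is included directly rather than reaching the file transitively.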
@@ -343,9 +346,11 @@
   if (err)
     return 0;
 
-  int width = EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
-                        FXFT_Get_Glyph_HoriAdvance(m_Face));
-  return width;
+  int horiAdvance = FXFT_Get_Glyph_HoriAdvance(m_Face);
+  if (horiAdvance < kThousandthMinInt || horiAdvance > kThousandthMaxInt)
+    return 0;
+
+  return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), horiAdvance);
 }
 
 bool CFX_Font::LoadEmbedded(const uint8_t* data, uint32_t size) {
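Review bot: The assignment `int horiAdvance = FXFT_Get_Glyph_HoriAdvance(m_Face);` converts the value to int before the range check runs. If the macro yields a type wider than int (FreeType stores the advance as FT_Pos, a long, though the macro itself is defined outside this diff), a font-supplied value above INT_MAX is truncated first and may land inside the accepted range. Keeping the native type until after the comparison avoids that: `auto horiAdvance = FXFT_Get_Glyph_HoriAdvance(m_Face);`, narrowing only once the bounds check has passed. The same narrowing appears in GetAscent and GetDescent in the next hunk, where it matters only if those macros are wider than int. The function body begins above this hunk.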
@@ -366,16 +371,22 @@
   if (!m_Face)
     return 0;
 
-  return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
-                   FXFT_Get_Face_Ascender(m_Face));
+  int ascender = FXFT_Get_Face_Ascender(m_Face);
+  if (ascender < kThousandthMinInt || ascender > kThousandthMaxInt)
+    return 0;
+
+  return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), ascender);
 }
 
 int CFX_Font::GetDescent() const {
   if (!m_Face)
     return 0;
 
-  return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face),
-                   FXFT_Get_Face_Descender(m_Face));
+  int descender = FXFT_Get_Face_Descender(m_Face);
+  if (descender < kThousandthMinInt || descender > kThousandthMaxInt)
+    return 0;
+
+  return EM_ADJUST(FXFT_Get_Face_UnitsPerEM(m_Face), descender);
 }
 
 bool CFX_Font::GetGlyphBBox(uint32_t glyph_index, FX_RECT& bbox) {
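Review bot: The range test is written out three times, here for `ascender` and `descender` and in the previous hunk for `horiAdvance`, so the bounds and the multiplier inside EM_ADJUST can drift apart in a later edit. A single helper in the anonymous namespace next to the constants would keep the rule in one place, e.g. `bool IsSafeToScaleByThousand(int v) { return v >= kThousandthMinInt && v <= kThousandthMaxInt; }`, with each call site reduced to `if (!IsSafeToScaleByThousand(ascender)) return 0;`. It would also be worth a one-line comment at each early return noting that 0 is returned for out-of-range font data, since callers cannot distinguish it from the `!m_Face` case or from a real zero metric.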