Fix integer overflow in CPDF_DocPageData::GetFontFileStreamAcc().
BUG=chromium:925736
Change-Id: I2334277d11bf1f43ba7d0bad9a99b455e9be5f78
Reviewed-on: https://pdfium-review.googlesource.com/c/49330
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/page/cpdf_docpagedata.cpp b/core/fpdfapi/page/cpdf_docpagedata.cpp
index 7b62467..bb7e558 100644
--- a/core/fpdfapi/page/cpdf_docpagedata.cpp
+++ b/core/fpdfapi/page/cpdf_docpagedata.cpp
@@ -465,10 +465,16 @@
return it->second;
const CPDF_Dictionary* pFontDict = pFontStream->GetDict();
- int32_t org_size = pFontDict->GetIntegerFor("Length1") +
- pFontDict->GetIntegerFor("Length2") +
- pFontDict->GetIntegerFor("Length3");
- org_size = std::max(org_size, 0);
+ int32_t len1 = pFontDict->GetIntegerFor("Length1");
+ int32_t len2 = pFontDict->GetIntegerFor("Length2");
+ int32_t len3 = pFontDict->GetIntegerFor("Length3");
+ uint32_t org_size = 0;
+ if (len1 >= 0 && len2 >= 0 && len3 >= 0) {
+ FX_SAFE_UINT32 safe_org_size = len1;
+ safe_org_size += len2;
+ safe_org_size += len3;
+ org_size = safe_org_size.ValueOrDefault(0);
+ }
auto pFontAcc = pdfium::MakeRetain<CPDF_StreamAcc>(pFontStream);
pFontAcc->LoadAllDataFilteredWithEstimatedSize(org_size);
diff --git a/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp b/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
index 8ba1d48..e8bea02 100644
--- a/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
+++ b/core/fpdfapi/page/cpdf_docpagedata_embeddertest.cpp
@@ -14,3 +14,10 @@
RenderLoadedPage(page);
UnloadPage(page);
}
+
+TEST_F(CPDF_DocPageDataEmbedderTest, BUG_925736) {
+ EXPECT_TRUE(OpenDocument("bug_925736.pdf"));
+ FPDF_PAGE page = LoadPage(0);
+ ASSERT_TRUE(page);
+ UnloadPage(page);
+}
diff --git a/testing/resources/bug_925736.pdf b/testing/resources/bug_925736.pdf
new file mode 100644
index 0000000..429d53a
--- /dev/null
+++ b/testing/resources/bug_925736.pdf
Binary files differ
