| author | Lei Zhang <thestig@chromium.org> | 2020-07-28 15:40:10 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-10-22 15:46:43 +0000 |
| commit | 027c3d7bae7f3eb85e1c80d0c57bedbb93663d69 (patch) | |
| tree | 00f68d15b2a7bb5001a15d50ea14be4b216f5905 | |
| parent | 466da17a0cdc34024651836fe9d97c8ffcd920fc (diff) | |
| download | qtwebengine-chromium-027c3d7bae7f3eb85e1c80d0c57bedbb93663d69.tar.gz | |
[Backport] CVE-2020-15989: Uninitialized Use in PDFium
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2321339:
Check FPDFText_GetCharBox() return value in pdfium_page.cc.
Make sure the call succeeds before continuing, to avoid potentially
using uninitialized values.
Bug: 1108351
Change-Id: Ife6f8b861a53cad0bbaec8130eef0dd1341ab71c
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/pdf/pdfium/pdfium_page.cc | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/chromium/pdf/pdfium/pdfium_page.cc b/chromium/pdf/pdfium/pdfium_page.cc index d9f8956fa91..99036de3119 100644 --- a/chromium/pdf/pdfium/pdfium_page.cc +++ b/chromium/pdf/pdfium/pdfium_page.cc @@ -87,7 +87,9 @@ pp::FloatRect GetFloatCharRectInPixels(FPDF_PAGE page, double right; double bottom; double top; - FPDFText_GetCharBox(text_page, index, &left, &right, &bottom, &top); + if (!FPDFText_GetCharBox(text_page, index, &left, &right, &bottom, &top)) + return pp::FloatRect(); + if (right < left) std::swap(left, right); if (bottom < top) @@ -847,7 +849,10 @@ int PDFiumPage::GetLink(int char_index, LinkTarget* target) { double right; double bottom; double top; - FPDFText_GetCharBox(GetTextPage(), char_index, &left, &right, &bottom, &top); + if (!FPDFText_GetCharBox(GetTextPage(), char_index, &left, &right, &bottom, + &top)) { + return -1; + } pp::Point origin(PageToScreen(pp::Point(), 1.0, left, top, right, bottom, PageOrientation::kOriginal) |
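Review bot: In the GetFloatCharRectInPixels hunk, the new early `return pp::FloatRect();` makes a failed FPDFText_GetCharBox() indistinguishable from a legitimately empty character box, so every caller that consumes this rect needs to treat an empty rect as "no box" rather than as a zero-width glyph; a one-line comment above the return stating that contract would help, since nothing in the hunk tells a future reader why an empty rect is the failure value. The `double right; double bottom; double top;` declarations also remain uninitialized and are now protected only by the early return; initializing them to 0 at declaration would keep the original bug from coming back if code is later inserted between the declarations and the check.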
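Review bot: In the PDFiumPage::GetLink hunk, the new `return -1;` on a failed FPDFText_GetCharBox() should be confirmed to match the value GetLink already uses for "no link at this index", because callers are presumably comparing against that existing sentinel and a second meaning for -1 would be invisible to them; a short comment on the return would make the intent clear. As in the first hunk, `left`, `right`, `bottom` and `top` stay uninitialized and rely solely on the early return, so initializing them at declaration is cheap defense in depth. The brace style differs between the two hunks (braceless single-line return in the first, braced block in the second); that is consistent with Chromium's rule for multi-line conditions, so no change needed there.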