diff options
author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-03 16:36:14 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-04 21:05:18 +0000 |
commit | 904fa70185f2552b12521c518d70dfdb8d963e50 (patch) | |
tree | 3e48927e0d4208097ececd00b520ebea70f03012 | |
parent | ed253f24557bbba635e4df3a916ce93ccdd73c18 (diff) | |
download | qtwebengine-chromium-904fa70185f2552b12521c518d70dfdb8d963e50.tar.gz |
[Backport] CVE-2019-5854
Fix an integer overflow in CPDF_RenderStatus::ProcessType3Text().
BUG=chromium:966263
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I756bd9226ac109ea33439c0b462fb32cd63ffab7
-rw-r--r-- | chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp b/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp index bf1d95ff740..fff7232c3b0 100644 --- a/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp +++ b/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp @@ -24,6 +24,7 @@ #include "core/fpdfapi/render/cpdf_renderoptions.h" #include "core/fpdfapi/render/cpdf_textrenderer.h" #include "core/fpdfapi/render/cpdf_type3cache.h" +#include "core/fxcrt/fx_safe_types.h" #include "core/fxge/cfx_facecache.h" #include "core/fxge/cfx_fxgedevice.h" #include "core/fxge/cfx_gemodule.h" @@ -281,8 +282,18 @@ bool CPDF_RenderStatus::ProcessType3Text(CPDF_TextObject* textobj, int origin_x = FXSYS_round(matrix.e); int origin_y = FXSYS_round(matrix.f); if (glyphs.empty()) { - m_pDevice->SetBitMask(&pBitmap->m_Bitmap, origin_x + pBitmap->m_Left, - origin_y - pBitmap->m_Top, fill_argb); + FX_SAFE_INT32 left = origin_x; + left += pBitmap->m_Left; + if (!left.IsValid()) + continue; + + FX_SAFE_INT32 top = origin_y; + top -= pBitmap->m_Top; + if (!top.IsValid()) + continue; + + m_pDevice->SetBitMask(&pBitmap->m_Bitmap, left.ValueOrDie(), + top.ValueOrDie(), fill_argb); } else { glyphs[iChar].m_pGlyph = pBitmap; glyphs[iChar].m_OriginX = origin_x; |