[Backport] CVE-2019-5854

Fix an integer overflow in CPDF_RenderStatus::ProcessType3Text().

BUG=chromium:966263

Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Change-Id: I756bd9226ac109ea33439c0b462fb32cd63ffab7

1 files changed, 13 insertions, 2 deletions

diff --git a/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp b/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp
index bf1d95ff740..fff7232c3b0 100644
--- a/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp
+++ b/chromium/third_party/pdfium/core/fpdfapi/render/fpdf_render_text.cpp
@@ -24,6 +24,7 @@
 #include "core/fpdfapi/render/cpdf_renderoptions.h"
 #include "core/fpdfapi/render/cpdf_textrenderer.h"
 #include "core/fpdfapi/render/cpdf_type3cache.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "core/fxge/cfx_facecache.h"
 #include "core/fxge/cfx_fxgedevice.h"
 #include "core/fxge/cfx_gemodule.h"
@@ -281,8 +282,18 @@ bool CPDF_RenderStatus::ProcessType3Text(CPDF_TextObject* textobj,
         int origin_x = FXSYS_round(matrix.e);
         int origin_y = FXSYS_round(matrix.f);
         if (glyphs.empty()) {
-          m_pDevice->SetBitMask(&pBitmap->m_Bitmap, origin_x + pBitmap->m_Left,
-                                origin_y - pBitmap->m_Top, fill_argb);
+          FX_SAFE_INT32 left = origin_x;
+          left += pBitmap->m_Left;
+          if (!left.IsValid())
+            continue;
+
+          FX_SAFE_INT32 top = origin_y;
+          top -= pBitmap->m_Top;
+          if (!top.IsValid())
+            continue;
+
+          m_pDevice->SetBitMask(&pBitmap->m_Bitmap, left.ValueOrDie(),
+                                top.ValueOrDie(), fill_argb);
         } else {
           glyphs[iChar].m_pGlyph = pBitmap;
           glyphs[iChar].m_OriginX = origin_x;