Fix integer issues leading to out of bounds access in fx_ge_text.cpp.

core/fxge/ge/fx_ge_text.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
+#include <limits>
+
 #include "core/fxcodec/include/fx_codec.h"
 #include "core/fxge/ge/fx_text_int.h"
 #include "core/fxge/include/fx_freetype.h"
 #include "core/fxge/include/fx_ge.h"
 
 #ifdef _SKIA_SUPPORT_
 #include "third_party/skia/include/core/SkStream.h"
 #include "third_party/skia/include/core/SkTypeface.h"
 #endif
 
@@ skipping 1543 matching lines @@
   const CFX_SubstFont* pSubstFont = pFont->GetSubstFont();
   if (pSubstFont) {
     bUseCJKSubFont = pSubstFont->m_bSubstOfCJK && bFontStyle;
     int skew = 0;
     if (bUseCJKSubFont) {
       skew = pSubstFont->m_bItlicCJK ? -15 : 0;
     } else {
       skew = pSubstFont->m_ItalicAngle;
     }
     if (skew) {
-      // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      // |skew| is nonpositive so |-skew| is used as the index. We need to make
+      // sure |skew| != INT_MIN since -INT_MIN is undefined.
+      if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (pFont->IsVertical())
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
         ft_matrix.xy += -ft_matrix.xx * skew / 100;
     }
     if (pSubstFont->m_SubstFlags & FXFONT_SUBST_MM) {
       pFont->AdjustMMParams(glyph_index, dest_width,
                             pFont->GetSubstFont()->m_Weight);
     }
   }
@@ skipping 242 matching lines @@
 };
 CFX_PathData* CFX_Font::LoadGlyphPath(uint32_t glyph_index, int dest_width) {
   if (!m_Face) {
     return NULL;
   }
   FXFT_Set_Pixel_Sizes(m_Face, 0, 64);
   FXFT_Matrix ft_matrix = {65536, 0, 0, 65536};
   if (m_pSubstFont) {
     if (m_pSubstFont->m_ItalicAngle) {
       int skew = m_pSubstFont->m_ItalicAngle;
-      // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      // |skew| is nonpositive so |-skew| is used as the index. We need to make
+      // sure |skew| != INT_MIN since -INT_MIN is undefined.
+      if (skew <= 0 && skew != std::numeric_limits<int>::min() &&
+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (m_bVertical)
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
         ft_matrix.xy += -ft_matrix.xx * skew / 100;
     }
     if (m_pSubstFont->m_SubstFlags & FXFONT_SUBST_MM) {
       AdjustMMParams(glyph_index, dest_width, m_pSubstFont->m_Weight);
     }
   }
   ScopedFontTransform scoped_transform(m_Face, &ft_matrix);
@@ skipping 47 matching lines @@
 void _CFX_UniqueKeyGen::Generate(int count, ...) {
   va_list argList;
   va_start(argList, count);
   for (int i = 0; i < count; i++) {
     int p = va_arg(argList, int);
     ((uint32_t*)m_Key)[i] = p;
   }
   va_end(argList);
   m_KeyLen = count * sizeof(uint32_t);
 }