Fix integer issues leading to out of bounds access in fx_ge_text.cpp.

core/fxge/ge/fx_ge_text.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
+#include <limits>
+
 #include "core/fxcodec/include/fx_codec.h"
 #include "core/fxge/ge/fx_text_int.h"
 #include "core/fxge/include/fx_freetype.h"
 #include "core/fxge/include/fx_ge.h"
 
 #ifdef _SKIA_SUPPORT_
 #include "third_party/skia/include/core/SkStream.h"
 #include "third_party/skia/include/core/SkTypeface.h"
 #endif
 
@@ skipping 1544 matching lines @@
   if (pSubstFont) {
     bUseCJKSubFont = pSubstFont->m_bSubstOfCJK && bFontStyle;
     int skew = 0;
     if (bUseCJKSubFont) {
       skew = pSubstFont->m_bItlicCJK ? -15 : 0;
     } else {
       skew = pSubstFont->m_ItalicAngle;
     }
     if (skew) {
       // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      if (skew < 0 && skew != std::numeric_limits<int>::min() &&
+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {

[Wei Li, 2016/04/11 16:40:37]

/skew < 0/skew <= 0/

Also, casting to size_t makes -INT_MIN a very large unsigned value, so the
comparison with min() is not needed. In fact, even "skew<=0" could be skipped
too.

[Oliver Chang, 2016/04/11 16:51:42]

Done. 
The issue is that -INT_MIN is undefined, and I want to avoid invoking undefined
behaviour. It seems fine to me to keep the <= 0 check though to be on the safe
side, as it should be a pretty cheap check?

+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (pFont->IsVertical())
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
         ft_matrix.xy += -ft_matrix.xx * skew / 100;
     }
     if (pSubstFont->m_SubstFlags & FXFONT_SUBST_MM) {
       pFont->AdjustMMParams(glyph_index, dest_width,
                             pFont->GetSubstFont()->m_Weight);
     }
   }
@@ skipping 243 matching lines @@
 CFX_PathData* CFX_Font::LoadGlyphPath(uint32_t glyph_index, int dest_width) {
   if (!m_Face) {
     return NULL;
   }
   FXFT_Set_Pixel_Sizes(m_Face, 0, 64);
   FXFT_Matrix ft_matrix = {65536, 0, 0, 65536};
   if (m_pSubstFont) {
     if (m_pSubstFont->m_ItalicAngle) {
       int skew = m_pSubstFont->m_ItalicAngle;
       // skew is nonpositive so -skew is used as the index.
-      skew = -skew <= static_cast<int>(ANGLESKEW_ARRAY_SIZE)
-                 ? -58
-                 : -g_AngleSkew[-skew];
+      if (skew < 0 && skew != std::numeric_limits<int>::min() &&

[Wei Li, 2016/04/11 17:00:47]

skew <= 0 here too.

Since you are here, can you pls change the comments in both places as well?
"skew should be non-positive so -skew can be used as the index. Also skew should
not be INT_MIN to avoid integer overflow." or sth like this. Thanks.

[Oliver Chang, 2016/04/11 17:06:47]

Already made this <= 0 too. Added the comment

+          static_cast<size_t>(-skew) < ANGLESKEW_ARRAY_SIZE) {
+        skew = -g_AngleSkew[-skew];
+      } else {
+        skew = -58;
+      }
       if (m_bVertical)
         ft_matrix.yx += ft_matrix.yy * skew / 100;
       else
         ft_matrix.xy += -ft_matrix.xx * skew / 100;
     }
     if (m_pSubstFont->m_SubstFlags & FXFONT_SUBST_MM) {
       AdjustMMParams(glyph_index, dest_width, m_pSubstFont->m_Weight);
     }
   }
   ScopedFontTransform scoped_transform(m_Face, &ft_matrix);
@@ skipping 47 matching lines @@
 void _CFX_UniqueKeyGen::Generate(int count, ...) {
   va_list argList;
   va_start(argList, count);
   for (int i = 0; i < count; i++) {
     int p = va_arg(argList, int);
     ((uint32_t*)m_Key)[i] = p;
   }
   va_end(argList);
   m_KeyLen = count * sizeof(uint32_t);
 }