Avoid an integer overflow in CFX_RTFBreak.
The root cause is an extremely large reserve count. Limit it to the size
of the widget.
BUG=chromium:875282
Change-Id: Ia3bbb07503ce349adc2662731d22317bda7df4ef
Reviewed-on: https://pdfium-review.googlesource.com/40652
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/xfa/fxfa/cxfa_fffield.cpp b/xfa/fxfa/cxfa_fffield.cpp
index 7fba699..ff28e57 100644
--- a/xfa/fxfa/cxfa_fffield.cpp
+++ b/xfa/fxfa/cxfa_fffield.cpp
@@ -6,6 +6,8 @@
#include "xfa/fxfa/cxfa_fffield.h"
+#include <algorithm>
+
#include "xfa/fwl/cfwl_edit.h"
#include "xfa/fwl/cfwl_eventmouse.h"
#include "xfa/fwl/cfwl_messagekey.h"
@@ -195,6 +197,12 @@
m_rtCaption.Reset();
} else {
fCapReserve = caption->GetReserve();
+ if (iCapPlacement == XFA_AttributeEnum::Top ||
+ iCapPlacement == XFA_AttributeEnum::Bottom) {
+ fCapReserve = std::min(fCapReserve, rtWidget.height);
+ } else {
+ fCapReserve = std::min(fCapReserve, rtWidget.width);
+ }
CXFA_ContentLayoutItem* pItem = this;
if (!pItem->GetPrev() && !pItem->GetNext()) {
m_rtCaption = rtWidget;
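Review bot: The new clamp after `caption->GetReserve()` bounds `fCapReserve` only from above, so a negative reserve, or a NaN (which `std::min` returns unchanged when it is the first argument), would still reach the caption layout that follows. Whether `GetReserve()` can return such values is not visible in this hunk, but since the commit message traces the overflow to an oversized reserve, this may be worth closing in the same place with a lower bound: `fCapReserve = std::max(0.0f, std::min(fCapReserve, rtWidget.height));`, and likewise for `rtWidget.width`. This assumes both operands are `float` and that the widget dimensions are themselves non-negative at this point. A short comment such as `// Reserve comes from the form; never let it exceed the widget.` would also record why the clamp exists. The enclosing function starts and ends outside the hunk.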