Use safe arithmentic in CFX_BinaryBuf::ExpandBuf.

core/src/fxcrt/fx_basic_buffer.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include <algorithm>
+#include <limits>
 
 #include "core/include/fxcrt/fx_basic.h"
+#include "core/include/fxcrt/fx_safe_types.h"
 
-FX_STRSIZE FX_ftoa(FX_FLOAT f, FX_CHAR* buf);
 CFX_BinaryBuf::CFX_BinaryBuf()
-    : m_AllocStep(0), m_pBuffer(NULL), m_DataSize(0), m_AllocSize(0) {}
+    : m_AllocStep(0), m_AllocSize(0), m_DataSize(0) {}
+
 CFX_BinaryBuf::CFX_BinaryBuf(FX_STRSIZE size)
-    : m_AllocStep(0), m_DataSize(size), m_AllocSize(size) {
-  m_pBuffer = FX_Alloc(uint8_t, size);
+    : m_AllocStep(0), m_AllocSize(size), m_DataSize(size) {
+  m_pBuffer.reset(FX_Alloc(uint8_t, size));
 }
-CFX_BinaryBuf::~CFX_BinaryBuf() {
-  FX_Free(m_pBuffer);
-}
+
 void CFX_BinaryBuf::Delete(int start_index, int count) {
-  if (!m_pBuffer || start_index < 0 || start_index + count > m_DataSize) {
+  if (!m_pBuffer || start_index < 0 || count < 0 || count > m_DataSize ||
+      start_index > m_DataSize - count) {
     return;
   }
-  FXSYS_memmove(m_pBuffer + start_index, m_pBuffer + start_index + count,
+  FXSYS_memmove(m_pBuffer.get() + start_index,
+                m_pBuffer.get() + start_index + count,
                 m_DataSize - start_index - count);
   m_DataSize -= count;
 }
+
 void CFX_BinaryBuf::Clear() {
   m_DataSize = 0;
 }
-void CFX_BinaryBuf::DetachBuffer() {
+
+uint8_t* CFX_BinaryBuf::DetachBuffer() {
   m_DataSize = 0;
-  m_pBuffer = NULL;
   m_AllocSize = 0;
+  return m_pBuffer.release();
 }
-void CFX_BinaryBuf::AttachData(void* buffer, FX_STRSIZE size) {
-  FX_Free(m_pBuffer);
+
+void CFX_BinaryBuf::AttachData(uint8_t* buffer, FX_STRSIZE size) {
+  m_pBuffer.reset(buffer);
   m_DataSize = size;
-  m_pBuffer = (uint8_t*)buffer;
   m_AllocSize = size;
 }
-void CFX_BinaryBuf::TakeOver(CFX_BinaryBuf& other) {
-  AttachData(other.GetBuffer(), other.GetSize());
-  other.DetachBuffer();
-}
+
 void CFX_BinaryBuf::EstimateSize(FX_STRSIZE size, FX_STRSIZE step) {
   m_AllocStep = step;
-  if (m_AllocSize >= size) {
+  if (m_AllocSize < size)
+    ExpandBuf(size - m_DataSize);
+}
+
+void CFX_BinaryBuf::ExpandBuf(FX_STRSIZE add_size) {
+  FX_SAFE_STRSIZE new_size = m_DataSize;
+  new_size += add_size;
+  if (m_AllocSize >= new_size.ValueOrDie())
     return;
-  }
-  ExpandBuf(size - m_DataSize);
+
+  int alloc_step = std::min(128, m_AllocStep ? m_AllocStep : m_AllocSize / 4);
+  new_size += alloc_step - 1;  // Quantize, don't combine these lines.
+  new_size /= alloc_step;
+  new_size *= alloc_step;
+  m_AllocSize = new_size.ValueOrDie();
+  m_pBuffer.reset(m_pBuffer
+                      ? FX_Realloc(uint8_t, m_pBuffer.release(), m_AllocSize)
+                      : FX_Alloc(uint8_t, m_AllocSize));
 }
-void CFX_BinaryBuf::ExpandBuf(FX_STRSIZE add_size) {
-  FX_STRSIZE new_size = add_size + m_DataSize;
-  if (m_AllocSize >= new_size) {
+
+void CFX_BinaryBuf::AppendBlock(const void* pBuf, FX_STRSIZE size) {
+  if (size <= 0)
     return;
-  }
-  int alloc_step;
-  if (m_AllocStep == 0) {
-    alloc_step = m_AllocSize / 4;
-    if (alloc_step < 128) {
-      alloc_step = 128;
-    }
+
+  ExpandBuf(size);
+  if (pBuf) {
+    FXSYS_memcpy(m_pBuffer.get() + m_DataSize, pBuf, size);
   } else {
-    alloc_step = m_AllocStep;
-  }
-  new_size = (new_size + alloc_step - 1) / alloc_step * alloc_step;
-  uint8_t* pNewBuffer = m_pBuffer;
-  if (pNewBuffer) {
-    pNewBuffer = FX_Realloc(uint8_t, m_pBuffer, new_size);
-  } else {
-    pNewBuffer = FX_Alloc(uint8_t, new_size);
-  }
-  m_pBuffer = pNewBuffer;
-  m_AllocSize = new_size;
-}
-void CFX_BinaryBuf::CopyData(const void* pStr, FX_STRSIZE size) {
-  if (size == 0) {
-    m_DataSize = 0;
-    return;
-  }
-  if (m_AllocSize < size) {
-    ExpandBuf(size - m_DataSize);
-  }
-  if (!m_pBuffer) {
-    return;
-  }
-  FXSYS_memcpy(m_pBuffer, pStr, size);
-  m_DataSize = size;
-}
-void CFX_BinaryBuf::AppendBlock(const void* pBuf, FX_STRSIZE size) {
-  ExpandBuf(size);
-  if (pBuf && m_pBuffer) {
-    FXSYS_memcpy(m_pBuffer + m_DataSize, pBuf, size);
+    FXSYS_memset(m_pBuffer.get() + m_DataSize, 0, size);
   }
   m_DataSize += size;
 }
+
 void CFX_BinaryBuf::InsertBlock(FX_STRSIZE pos,
                                 const void* pBuf,
                                 FX_STRSIZE size) {
+  if (size <= 0)
+    return;
+
   ExpandBuf(size);
-  if (!m_pBuffer) {
-    return;
-  }
-  FXSYS_memmove(m_pBuffer + pos + size, m_pBuffer + pos, m_DataSize - pos);
+  FXSYS_memmove(m_pBuffer.get() + pos + size, m_pBuffer.get() + pos,
+                m_DataSize - pos);
   if (pBuf) {
-    FXSYS_memcpy(m_pBuffer + pos, pBuf, size);
+    FXSYS_memcpy(m_pBuffer.get() + pos, pBuf, size);
+  } else {
+    FXSYS_memset(m_pBuffer.get() + pos, 0, size);
   }
   m_DataSize += size;
 }
-void CFX_BinaryBuf::AppendFill(uint8_t byte, FX_STRSIZE count) {
-  ExpandBuf(count);
-  if (!m_pBuffer) {
-    return;
-  }
-  FXSYS_memset(m_pBuffer + m_DataSize, byte, count);
-  m_DataSize += count;
+
+CFX_ByteStringC CFX_ByteTextBuf::GetByteString() const {
+  return CFX_ByteStringC(m_pBuffer.get(), m_DataSize);
 }
-CFX_ByteStringC CFX_BinaryBuf::GetByteString() const {
-  return CFX_ByteStringC(m_pBuffer, m_DataSize);
-}
+
 CFX_ByteTextBuf& CFX_ByteTextBuf::operator<<(const CFX_ByteStringC& lpsz) {
   AppendBlock(lpsz.GetPtr(), lpsz.GetLength());
   return *this;
 }
+
 CFX_ByteTextBuf& CFX_ByteTextBuf::operator<<(int i) {
   char buf[32];
   FXSYS_itoa(i, buf, 10);
   AppendBlock(buf, FXSYS_strlen(buf));
   return *this;
 }
+
 CFX_ByteTextBuf& CFX_ByteTextBuf::operator<<(FX_DWORD i) {
   char buf[32];
   FXSYS_itoa(i, buf, 10);
   AppendBlock(buf, FXSYS_strlen(buf));
   return *this;
 }
+
 CFX_ByteTextBuf& CFX_ByteTextBuf::operator<<(double f) {
   char buf[32];
   FX_STRSIZE len = FX_ftoa((FX_FLOAT)f, buf);
   AppendBlock(buf, len);
   return *this;
 }
+
 CFX_ByteTextBuf& CFX_ByteTextBuf::operator<<(const CFX_ByteTextBuf& buf) {
-  AppendBlock(buf.m_pBuffer, buf.m_DataSize);
+  AppendBlock(buf.m_pBuffer.get(), buf.m_DataSize);
   return *this;
 }
-void CFX_ByteTextBuf::operator=(const CFX_ByteStringC& str) {
-  CopyData(str.GetPtr(), str.GetLength());
-}
+
 void CFX_WideTextBuf::AppendChar(FX_WCHAR ch) {
-  if (m_AllocSize < m_DataSize + (FX_STRSIZE)sizeof(FX_WCHAR)) {
-    ExpandBuf(sizeof(FX_WCHAR));
-  }
-  ASSERT(m_pBuffer);
-  *(FX_WCHAR*)(m_pBuffer + m_DataSize) = ch;
+  ExpandBuf(sizeof(FX_WCHAR));
+  *(FX_WCHAR*)(m_pBuffer.get() + m_DataSize) = ch;
   m_DataSize += sizeof(FX_WCHAR);
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const CFX_WideStringC& str) {
   AppendBlock(str.GetPtr(), str.GetLength() * sizeof(FX_WCHAR));
   return *this;
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const CFX_WideString& str) {
   AppendBlock(str.c_str(), str.GetLength() * sizeof(FX_WCHAR));
   return *this;
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(int i) {
   char buf[32];
   FXSYS_itoa(i, buf, 10);
   FX_STRSIZE len = FXSYS_strlen(buf);
-  if (m_AllocSize < m_DataSize + (FX_STRSIZE)(len * sizeof(FX_WCHAR))) {
-    ExpandBuf(len * sizeof(FX_WCHAR));
-  }
-  ASSERT(m_pBuffer);
-  FX_WCHAR* str = (FX_WCHAR*)(m_pBuffer + m_DataSize);
+  ExpandBuf(len * sizeof(FX_WCHAR));
+  FX_WCHAR* str = (FX_WCHAR*)(m_pBuffer.get() + m_DataSize);
   for (FX_STRSIZE j = 0; j < len; j++) {
     *str++ = buf[j];
   }
   m_DataSize += len * sizeof(FX_WCHAR);
   return *this;
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(double f) {
   char buf[32];
   FX_STRSIZE len = FX_ftoa((FX_FLOAT)f, buf);
-  if (m_AllocSize < m_DataSize + (FX_STRSIZE)(len * sizeof(FX_WCHAR))) {
-    ExpandBuf(len * sizeof(FX_WCHAR));
-  }
-  ASSERT(m_pBuffer);
-  FX_WCHAR* str = (FX_WCHAR*)(m_pBuffer + m_DataSize);
+  ExpandBuf(len * sizeof(FX_WCHAR));
+  FX_WCHAR* str = (FX_WCHAR*)(m_pBuffer.get() + m_DataSize);
   for (FX_STRSIZE i = 0; i < len; i++) {
     *str++ = buf[i];
   }
   m_DataSize += len * sizeof(FX_WCHAR);
   return *this;
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const FX_WCHAR* lpsz) {
   AppendBlock(lpsz, FXSYS_wcslen(lpsz) * sizeof(FX_WCHAR));
   return *this;
 }
+
 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const CFX_WideTextBuf& buf) {
-  AppendBlock(buf.m_pBuffer, buf.m_DataSize);
+  AppendBlock(buf.m_pBuffer.get(), buf.m_DataSize);
   return *this;
 }
-void CFX_WideTextBuf::operator=(const CFX_WideStringC& str) {
-  CopyData(str.GetPtr(), str.GetLength() * sizeof(FX_WCHAR));
-}
+
 CFX_WideStringC CFX_WideTextBuf::GetWideString() const {
-  return CFX_WideStringC((const FX_WCHAR*)m_pBuffer,
+  return CFX_WideStringC((const FX_WCHAR*)m_pBuffer.get(),
                          m_DataSize / sizeof(FX_WCHAR));
 }
 
 #ifdef PDF_ENABLE_XFA
 CFX_ArchiveSaver& CFX_ArchiveSaver::operator<<(uint8_t i) {
   if (m_pStream) {
     m_pStream->WriteBlock(&i, 1);
   } else {
     m_SavingBuf.AppendByte(i);
   }
@@ skipping 234 matching lines @@
 }
 FX_BOOL CFX_FileBufferArchive::DoWork(const void* pBuf, size_t size) {
   if (!m_pFile) {
     return FALSE;
   }
   if (!pBuf || size < 1) {
     return TRUE;
   }
   return m_pFile->WriteBlock(pBuf, size);
 }