Chromium Code Reviews Chromium Code Reviews
Issue 2268693003:
Fix more integer overflows inside ReadPageHintTable(). (Closed)
Base URL: https://pdfium.googlesource.com/pdfium@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 PDFium Authors. All rights reserved. | 1 // Copyright 2014 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <limits> | 8 #include <limits> |
| 9 | 9 |
| 10 #include "core/fxcrt/include/fx_basic.h" | 10 #include "core/fxcrt/include/fx_basic.h" |
| (...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 180 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const CFX_WideTextBuf& buf) { | 180 CFX_WideTextBuf& CFX_WideTextBuf::operator<<(const CFX_WideTextBuf& buf) { |
| 181 AppendBlock(buf.m_pBuffer.get(), buf.m_DataSize); | 181 AppendBlock(buf.m_pBuffer.get(), buf.m_DataSize); |
| 182 return *this; | 182 return *this; |
| 183 } | 183 } |
| 184 | 184 |
| 185 void CFX_BitStream::Init(const uint8_t* pData, uint32_t dwSize) { | 185 void CFX_BitStream::Init(const uint8_t* pData, uint32_t dwSize) { |
| 186 m_pData = pData; | 186 m_pData = pData; |
| 187 m_BitSize = dwSize * 8; | 187 m_BitSize = dwSize * 8; |
| 188 m_BitPos = 0; | 188 m_BitPos = 0; |
| 189 } | 189 } |
| 190 | |
| 190 void CFX_BitStream::ByteAlign() { | 191 void CFX_BitStream::ByteAlign() { |
| 191 int mod = m_BitPos % 8; | 192 int mod = m_BitPos % 8; |
|
Tom Sepez
2016/08/23 00:09:16
Is m_BitPos unsigned? It should be. Make |mod| m
Lei Zhang
2016/08/23 00:33:12
Uhh, wasn't looking that hard. Done.
| |
| 192 if (mod == 0) { | 193 if (mod) |
| 193 return; | 194 m_BitPos += 8 - mod; |
| 194 } | |
| 195 m_BitPos += 8 - mod; | |
| 196 } | 195 } |
| 196 | |
| 197 uint32_t CFX_BitStream::GetBits(uint32_t nBits) { | 197 uint32_t CFX_BitStream::GetBits(uint32_t nBits) { |
| 198 if (nBits > m_BitSize || m_BitPos + nBits > m_BitSize) { | 198 if (nBits > m_BitSize || m_BitPos + nBits > m_BitSize) |
| 199 return 0; | 199 return 0; |
| 200 } | 200 |
| 201 if (nBits == 1) { | 201 if (nBits == 1) { |
| 202 int bit = (m_pData[m_BitPos / 8] & (1 << (7 - m_BitPos % 8))) ? 1 : 0; | 202 int bit = (m_pData[m_BitPos / 8] & (1 << (7 - m_BitPos % 8))) ? 1 : 0; |
| 203 m_BitPos++; | 203 m_BitPos++; |
| 204 return bit; | 204 return bit; |
| 205 } | 205 } |
| 206 | |
| 206 uint32_t byte_pos = m_BitPos / 8; | 207 uint32_t byte_pos = m_BitPos / 8; |
| 207 uint32_t bit_pos = m_BitPos % 8, bit_left = nBits; | 208 uint32_t bit_pos = m_BitPos % 8; |
| 209 uint32_t bit_left = nBits; | |
| 208 uint32_t result = 0; | 210 uint32_t result = 0; |
| 209 if (bit_pos) { | 211 if (bit_pos) { |
| 210 if (8 - bit_pos >= bit_left) { | 212 if (8 - bit_pos >= bit_left) { |
| 211 result = | 213 result = |
| 212 (m_pData[byte_pos] & (0xff >> bit_pos)) >> (8 - bit_pos - bit_left); | 214 (m_pData[byte_pos] & (0xff >> bit_pos)) >> (8 - bit_pos - bit_left); |
| 213 m_BitPos += bit_left; | 215 m_BitPos += bit_left; |
| 214 return result; | 216 return result; |
| 215 } | 217 } |
| 216 bit_left -= 8 - bit_pos; | 218 bit_left -= 8 - bit_pos; |
| 217 result = (m_pData[byte_pos++] & ((1 << (8 - bit_pos)) - 1)) << bit_left; | 219 result = (m_pData[byte_pos++] & ((1 << (8 - bit_pos)) - 1)) << bit_left; |
| 218 } | 220 } |
| 219 while (bit_left >= 8) { | 221 while (bit_left >= 8) { |
| 220 bit_left -= 8; | 222 bit_left -= 8; |
| 221 result |= m_pData[byte_pos++] << bit_left; | 223 result |= m_pData[byte_pos++] << bit_left; |
| 222 } | 224 } |
| 223 if (bit_left) { | 225 if (bit_left) |
| 224 result |= m_pData[byte_pos] >> (8 - bit_left); | 226 result |= m_pData[byte_pos] >> (8 - bit_left); |
| 225 } | |
| 226 m_BitPos += nBits; | 227 m_BitPos += nBits; |
| 227 return result; | 228 return result; |
| 228 } | 229 } |
| 229 | 230 |
| 230 CFX_FileBufferArchive::CFX_FileBufferArchive() | 231 CFX_FileBufferArchive::CFX_FileBufferArchive() |
| 231 : m_Length(0), m_pFile(nullptr) {} | 232 : m_Length(0), m_pFile(nullptr) {} |
| 232 | 233 |
| 233 CFX_FileBufferArchive::~CFX_FileBufferArchive() {} | 234 CFX_FileBufferArchive::~CFX_FileBufferArchive() {} |
| 234 | 235 |
| 235 void CFX_FileBufferArchive::Clear() { | 236 void CFX_FileBufferArchive::Clear() { |
| 236 m_Length = 0; | 237 m_Length = 0; |
| 237 m_pBuffer.reset(); | 238 m_pBuffer.reset(); |
| 238 m_pFile = nullptr; | 239 m_pFile = nullptr; |
| 239 } | 240 } |
| 240 | 241 |
| 241 bool CFX_FileBufferArchive::Flush() { | 242 bool CFX_FileBufferArchive::Flush() { |
| 242 size_t nRemaining = m_Length; | 243 size_t nRemaining = m_Length; |
| 243 m_Length = 0; | 244 m_Length = 0; |
| 244 if (!m_pFile) | 245 if (!m_pFile) |
| 245 return false; | 246 return false; |
| 246 if (!m_pBuffer || !nRemaining) | 247 if (!m_pBuffer || !nRemaining) |
| 247 return true; | 248 return true; |
| 248 return m_pFile->WriteBlock(m_pBuffer.get(), nRemaining) > 0; | 249 return m_pFile->WriteBlock(m_pBuffer.get(), nRemaining) > 0; |
| 249 } | 250 } |
| 250 | 251 |
| 251 int32_t CFX_FileBufferArchive::AppendBlock(const void* pBuf, size_t size) { | 252 int32_t CFX_FileBufferArchive::AppendBlock(const void* pBuf, size_t size) { |
| 252 if (!pBuf || size < 1) { | 253 if (!pBuf || size < 1) |
| 253 return 0; | 254 return 0; |
| 254 } | 255 |
| 255 if (!m_pBuffer) { | 256 if (!m_pBuffer) |
| 256 m_pBuffer.reset(FX_Alloc(uint8_t, kBufSize)); | 257 m_pBuffer.reset(FX_Alloc(uint8_t, kBufSize)); |
| 257 } | 258 |
| 258 const uint8_t* buffer = reinterpret_cast<const uint8_t*>(pBuf); | 259 const uint8_t* buffer = reinterpret_cast<const uint8_t*>(pBuf); |
| 259 size_t temp_size = size; | 260 size_t temp_size = size; |
| 260 while (temp_size) { | 261 while (temp_size) { |
| 261 size_t buf_size = std::min(kBufSize - m_Length, temp_size); | 262 size_t buf_size = std::min(kBufSize - m_Length, temp_size); |
| 262 FXSYS_memcpy(m_pBuffer.get() + m_Length, buffer, buf_size); | 263 FXSYS_memcpy(m_pBuffer.get() + m_Length, buffer, buf_size); |
| 263 m_Length += buf_size; | 264 m_Length += buf_size; |
| 264 if (m_Length == kBufSize) { | 265 if (m_Length == kBufSize) { |
| 265 if (!Flush()) { | 266 if (!Flush()) { |
| 266 return -1; | 267 return -1; |
| 267 } | 268 } |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 283 } | 284 } |
| 284 | 285 |
| 285 int32_t CFX_FileBufferArchive::AppendString(const CFX_ByteStringC& lpsz) { | 286 int32_t CFX_FileBufferArchive::AppendString(const CFX_ByteStringC& lpsz) { |
| 286 return AppendBlock(lpsz.raw_str(), lpsz.GetLength()); | 287 return AppendBlock(lpsz.raw_str(), lpsz.GetLength()); |
| 287 } | 288 } |
| 288 | 289 |
| 289 void CFX_FileBufferArchive::AttachFile(IFX_StreamWrite* pFile) { | 290 void CFX_FileBufferArchive::AttachFile(IFX_StreamWrite* pFile) { |
| 290 ASSERT(pFile); | 291 ASSERT(pFile); |
| 291 m_pFile = pFile; | 292 m_pFile = pFile; |
| 292 } | 293 } |
| OLD | NEW |
