|
|
Chromium Code Reviews
DescriptionHandle another integer overflow in ReadPageHintTable().
Return false instead of crashing.
BUG=641882
Committed: https://pdfium.googlesource.com/pdfium/+/8d3ca14840a027c3dd1e2c943795d057dbb91454
Patch Set 1 #Patch Set 2 : FALSE-false #
Total comments: 4
Patch Set 3 : rebase #Messages
Total messages: 26 (18 generated)
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Patchset #1 (id:1) has been deleted
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
thestig@chromium.org changed reviewers: + ochang@chromium.org, tsepez@chromium.org
dsinclair@chromium.org changed reviewers: + dsinclair@chromium.org
lgtm
LGTM w/question and nit. https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... File core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp (right): https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp:54: int nStreamOffset = ReadPrimaryHintStreamOffset(); nit: can these two be int32_t's since presumably the data is coming from 4 bytes in a stream somewhere? https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp:60: !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) { Ok, but I thought FX_FILESIZE was signed so we could return -1 as an error code ... did you have a situation where this could trip?
lgtm, so the symbolization was completely off?
On 2016/09/01 16:08:22, Oliver Chang wrote: > lgtm, so the symbolization was completely off? It got to the right function. We are just off by ~120 lines.
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... File core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp (right): https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp:54: int nStreamOffset = ReadPrimaryHintStreamOffset(); On 2016/09/01 16:08:04, Tom Sepez wrote: > nit: can these two be int32_t's since presumably the data is coming from 4 bytes > in a stream somewhere? No, they are from CPDF_Number::GetInteger() and not 4 byte entry in the header. https://codereview.chromium.org/2300903002/diff/40001/core/fpdfapi/fpdf_parse... core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp:60: !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) { On 2016/09/01 16:08:04, Tom Sepez wrote: > Ok, but I thought FX_FILESIZE was signed so we could return -1 as an error code > ... did you have a situation where this could trip? It may not be obvious if an int fits inside a FX_FILESIZE. As is FX_FILESIZE can either be int32_t or off_t, so this probably won't trip. If it does ever trip, I'd like it to trip here early and return false, rather than trip with a checked_cast on line 76.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by thestig@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from tsepez@chromium.org, ochang@chromium.org, dsinclair@chromium.org Link to the patchset: https://codereview.chromium.org/2300903002/#ps60001 (title: "rebase")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== Handle another integer overflow in ReadPageHintTable(). Return false instead of crashing. BUG=641882 ========== to ========== Handle another integer overflow in ReadPageHintTable(). Return false instead of crashing. BUG=641882 Committed: https://pdfium.googlesource.com/pdfium/+/8d3ca14840a027c3dd1e2c943795d057dbb9... ==========
Message was sent while issue was closed.
Committed patchset #3 (id:60001) as https://pdfium.googlesource.com/pdfium/+/8d3ca14840a027c3dd1e2c943795d057dbb9... |
