Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2322903002:
Strengthen bounds check in CWeightTable::Calc. (Closed)
DescriptionStrengthen bounds check in CWeightTable::Calc.
The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize),
but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)|
in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr|
in function CWeightTable::GetValueFromPixelWeight() were insufficient.
This CL strengthens bounds check for accessing int type array PixelWeight.m_Weights.
BUG=chromium:619398
R=ochang@chromium.org, thestig@chromium.org
Committed: https://pdfium.googlesource.com/pdfium/+/5aed0216ad6574944e76a95ef0dbbc910bab4a1a
Patch Set 1 #
Total comments: 1
Patch Set 2 : Add helper method #
Messages
Total messages: 24 (17 generated)
Description was changed from ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org ========== to ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org ==========
stackexploit@gmail.com changed reviewers: + thestig@chromium.org
On 2016/09/08 07:09:57, Ke Liu wrote: Add thestig as a reviewer since he uploaded https://codereview.chromium.org/2204773003/
https://codereview.chromium.org/2322903002/diff/1/core/fxge/dib/fx_dib_engine... File core/fxge/dib/fx_dib_engine.cpp (right): https://codereview.chromium.org/2322903002/diff/1/core/fxge/dib/fx_dib_engine... core/fxge/dib/fx_dib_engine.cpp:66: m_dwWeightTablesSize /= sizeof(int); I think it's weird for a variable to have 2 different units. Maybe add a helper method to return m_dwWeightTablesSize / sizeof(int), and use that where appropriate.
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by stackexploit@gmail.com to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: No L-G-T-M from a valid reviewer yet. CQ run can only be started by full committers or once the patch has received an L-G-T-M from a full committer. Even if an L-G-T-M may have been provided, it was from a non-committer, _not_ a full super star committer. Committers are members of the group "project-pdfium-committers". Note that this has nothing to do with OWNERS files.
On 2016/09/23 21:32:01, Lei Zhang wrote: > https://codereview.chromium.org/2322903002/diff/1/core/fxge/dib/fx_dib_engine... > File core/fxge/dib/fx_dib_engine.cpp (right): > > https://codereview.chromium.org/2322903002/diff/1/core/fxge/dib/fx_dib_engine... > core/fxge/dib/fx_dib_engine.cpp:66: m_dwWeightTablesSize /= sizeof(int); > I think it's weird for a variable to have 2 different units. Maybe add a helper > method to return m_dwWeightTablesSize / sizeof(int), and use that where > appropriate. Thanks. I've added a method GetPixelWeightSize for CWeightTable now.
Description was changed from ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org ========== to ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int type array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org, thestig@chromium.org ==========
The CQ bit was checked by thestig@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by thestig@chromium.org
lgtm
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int type array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org, thestig@chromium.org ========== to ========== Strengthen bounds check in CWeightTable::Calc. The buffer PixelWeight.m_Weights was allocated by calling FX_TryAlloc(uint8_t, m_dwWeightTablesSize), but PixelWeight.m_Weights was an int array. Thus bounds check such as |if (idx >= m_dwWeightTablesSize)| in function CWeightTable::Calc() and |idx < m_dwWeightTablesSize ? &pWeight->m_Weights[idx] : nullptr| in function CWeightTable::GetValueFromPixelWeight() were insufficient. This CL strengthens bounds check for accessing int type array PixelWeight.m_Weights. BUG=chromium:619398 R=ochang@chromium.org, thestig@chromium.org Committed: https://pdfium.googlesource.com/pdfium/+/5aed0216ad6574944e76a95ef0dbbc910bab... ==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001) as https://pdfium.googlesource.com/pdfium/+/5aed0216ad6574944e76a95ef0dbbc910bab... |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
