core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp - Issue 322333002: Fix the potential integer overflow from "offset + size"

Side by Side Diff: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Issue 322333002: Fix the potential integer overflow from "offset + size" (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 PDFium Authors. All rights reserved.	1 // Copyright 2014 PDFium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com	5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com

6	6

7 #include "../../../include/fpdfapi/fpdf_parser.h"	7 #include "../../../include/fpdfapi/fpdf_parser.h"

8 #include "../../../include/fpdfapi/fpdf_module.h"	8 #include "../../../include/fpdfapi/fpdf_module.h"

9 #include "../../../include/fpdfapi/fpdf_page.h"	9 #include "../../../include/fpdfapi/fpdf_page.h"

10 #include "../../../../third_party/numerics/safe_math.h"	10 #include "../../../../third_party/numerics/safe_math.h"

(...skipping 2846 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2857 if (key != "Parent") {	2857 if (key != "Parent") {

2858 new_obj_array.Add(value);	2858 new_obj_array.Add(value);

2859 }	2859 }

2860 }	2860 }

2861 }	2861 }

2862 break;	2862 break;

2863 case PDFOBJ_REFERENCE: {	2863 case PDFOBJ_REFERENCE: {

2864 CPDF_Reference pRef = (CPDF_Reference)pObj;	2864 CPDF_Reference pRef = (CPDF_Reference)pObj;

2865 FX_DWORD dwNum = pRef->GetRefObjNum();	2865 FX_DWORD dwNum = pRef->GetRefObjNum();

2866 FX_FILESIZE offset;	2866 FX_FILESIZE offset;

2867 FX_DWORD size = GetObjectSize(pRef->GetRefObjNum(), offset);	2867 FX_DWORD original_size = GetObjectSize(dwNum, offset);

2868 if (!size) {	2868 base::CheckedNumeric<FX_DWORD> size = original_size;
	palmer 2014/07/23 17:58:36 I've already checked in this change (https://coder I've already checked in this change (https://codereview.chromium.org/390983007/). jun_fang 2014/07/24 07:14:39 Yes. I already merged your change into this fix by Show quoted text On 2014/07/23 17:58:36, Chromium Palmer wrote: > I've already checked in this change > (https://codereview.chromium.org/390983007/). Yes. I already merged your change into this fix by resolving the conflicting.
	2869

	2870 if (size.ValueOrDefault(0) == 0 \|\| offset < 0 \|\| offset >= m _dwFileLen)

2869 break;	2871 break;

2870 }	2872

2871 size = (FX_DWORD)((FX_FILESIZE)(offset + size + 512) > m_dwF ileLen ? m_dwFileLen - offset : size + 512);	2873 size += offset;

2872 if (!m_pFileAvail->IsDataAvail(offset, size)) {	2874 size += 512;

2873 pHints->AddSegment(offset, size);	2875 if (!size.IsValid())

	2876 break;

	2877

	2878 if (size.ValueOrDie() > m_dwFileLen)

	2879 size = m_dwFileLen - offset;

	2880 else

	2881 size = original_size + 512;

	2882

	2883 if (!size.IsValid())

	2884 break;

	2885

	2886 if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) {

	2887 pHints->AddSegment(offset, size.ValueOrDie());

2874 ret_array.Add(pObj);	2888 ret_array.Add(pObj);

2875 count++;	2889 count++;

2876 } else if (!m_objnum_array.Find(dwNum)) {	2890 } else if (!m_objnum_array.Find(dwNum)) {

2877 m_objnum_array.AddObjNum(dwNum);	2891 m_objnum_array.AddObjNum(dwNum);

2878 CPDF_Object *pReferred = m_pDocument->GetIndirectObject( pRef->GetRefObjNum(), NULL);	2892 CPDF_Object *pReferred = m_pDocument->GetIndirectObject( pRef->GetRefObjNum(), NULL);

2879 if (pReferred) {	2893 if (pReferred) {

2880 new_obj_array.Add(pReferred);	2894 new_obj_array.Add(pReferred);

2881 }	2895 }

2882 }	2896 }

2883 }	2897 }

(...skipping 179 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
3063 CPDF_Object *pRet = NULL;	3077 CPDF_Object *pRet = NULL;

3064 if (pExistInFile) {	3078 if (pExistInFile) {

3065 *pExistInFile = TRUE;	3079 *pExistInFile = TRUE;

3066 }	3080 }

3067 if (m_pDocument == NULL) {	3081 if (m_pDocument == NULL) {

3068 FX_FILESIZE offset = m_parser.GetObjectOffset(objnum);	3082 FX_FILESIZE offset = m_parser.GetObjectOffset(objnum);

3069 if (offset < 0) {	3083 if (offset < 0) {

3070 *pExistInFile = FALSE;	3084 *pExistInFile = FALSE;

3071 return NULL;	3085 return NULL;

3072 }	3086 }

3073 FX_DWORD size = (FX_DWORD)m_parser.GetObjectSize(objnum);	3087

3074 size = (FX_DWORD)(((FX_FILESIZE)(offset + size + 512)) > m_dwFileLen ? m _dwFileLen - offset : size + 512);	3088 FX_DWORD original_size = (FX_DWORD)m_parser.GetObjectSize(objnum);

3075 if (!m_pFileAvail->IsDataAvail(offset, size)) {	3089 base::CheckedNumeric<FX_DWORD> size = original_size;

3076 pHints->AddSegment(offset, size);	3090 if (size.ValueOrDefault(0) == 0 \|\| offset < 0 \|\| offset >= m_dwFileLen)

	3091 return NULL;

	3092

	3093 size += offset;

	3094 size += 512;

	3095 if (!size.IsValid())

	3096 return NULL;

	3097

	3098 if (size.ValueOrDie() > m_dwFileLen)

	3099 size = m_dwFileLen - offset;

	3100 else

	3101 size = original_size + 512;

	3102

	3103 if (!size.IsValid())

	3104 return NULL;

	3105

	3106 if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) {

	3107 pHints->AddSegment(offset, size.ValueOrDie());

3077 return NULL;	3108 return NULL;

3078 }	3109 }

3079 pRet = m_parser.ParseIndirectObject(NULL, objnum);	3110 pRet = m_parser.ParseIndirectObject(NULL, objnum);

3080 if (!pRet && pExistInFile) {	3111 if (!pRet && pExistInFile) {

3081 *pExistInFile = FALSE;	3112 *pExistInFile = FALSE;

3082 }	3113 }

3083 return pRet;	3114 return pRet;

3084 }	3115 }

3085 FX_FILESIZE offset = 0;	3116 FX_FILESIZE offset = 0;

3086 FX_DWORD size = GetObjectSize(objnum, offset);	3117 FX_DWORD original_size = GetObjectSize(objnum, offset);

3087 size = (FX_DWORD)((FX_FILESIZE)(offset + size + 512) > m_dwFileLen ? m_dwFil eLen - offset : size + 512);	3118 base::CheckedNumeric<FX_DWORD> size = original_size;
	palmer 2014/07/23 17:58:36 So, this same basic chunk is now repeated 3 times. So, this same basic chunk is now repeated 3 times. It's time to separate it out into its own utility function, if that's possible. jun_fang 2014/07/24 07:14:39 I will reconstruct this function to remove the red Show quoted text On 2014/07/23 17:58:36, Chromium Palmer wrote: > So, this same basic chunk is now repeated 3 times. It's time to separate it out > into its own utility function, if that's possible. I will reconstruct this function to remove the redundant parts.
3088 if (!m_pFileAvail->IsDataAvail(offset, size)) {	3119 if (size.ValueOrDefault(0) == 0 \|\| offset < 0 \|\| offset >= m_dwFileLen)

3089 pHints->AddSegment(offset, size);	3120 return NULL;

	3121

	3122 size += offset;

	3123 size += 512;

	3124 if (!size.IsValid())

	3125 return NULL;

	3126

	3127 if (size.ValueOrDie() > m_dwFileLen)

	3128 size = m_dwFileLen - offset;

	3129 else

	3130 size = original_size + 512;

	3131

	3132 if (!size.IsValid())

	3133 return NULL;

	3134

	3135 if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) {

	3136 pHints->AddSegment(offset, size.ValueOrDie());

3090 return NULL;	3137 return NULL;

3091 }	3138 }

3092 CPDF_Parser pParser = (CPDF_Parser )(m_pDocument->GetParser());	3139 CPDF_Parser pParser = (CPDF_Parser )(m_pDocument->GetParser());

3093 pRet = pParser->ParseIndirectObject(NULL, objnum, NULL);	3140 pRet = pParser->ParseIndirectObject(NULL, objnum, NULL);

3094 if (!pRet && pExistInFile) {	3141 if (!pRet && pExistInFile) {

3095 *pExistInFile = FALSE;	3142 *pExistInFile = FALSE;

3096 }	3143 }

3097 return pRet;	3144 return pRet;

3098 }	3145 }

3099 FX_BOOL CPDF_DataAvail::CheckInfo(IFX_DownloadHints* pHints)	3146 FX_BOOL CPDF_DataAvail::CheckInfo(IFX_DownloadHints* pHints)

(...skipping 1284 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
4384 {	4431 {

4385 FX_INT32 iSize = m_childNode.GetSize();	4432 FX_INT32 iSize = m_childNode.GetSize();

4386 for (FX_INT32 i = 0; i < iSize; ++i) {	4433 for (FX_INT32 i = 0; i < iSize; ++i) {

4387 CPDF_PageNode pNode = (CPDF_PageNode)m_childNode[i];	4434 CPDF_PageNode pNode = (CPDF_PageNode)m_childNode[i];

4388 if (pNode) {	4435 if (pNode) {

4389 delete pNode;	4436 delete pNode;

4390 }	4437 }

4391 }	4438 }

4392 m_childNode.RemoveAll();	4439 m_childNode.RemoveAll();

4393 }	4440 }

OLD	NEW

« no previous file with comments | « no previous file | core/src/fxcrt/extension.h » ('j') | core/src/fxcrt/extension.h » ('J')