Chromium Code Reviews Chromium Code Reviews
Issue 322333002:
Fix the potential integer overflow from "offset + size" (Closed)
Base URL: https://pdfium.googlesource.com/pdfium.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 PDFium Authors. All rights reserved. | 1 // Copyright 2014 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #ifndef _FXCRT_EXTENSION_IMP_ | 7 #ifndef _FXCRT_EXTENSION_IMP_ |
| 8 #define _FXCRT_EXTENSION_IMP_ | 8 #define _FXCRT_EXTENSION_IMP_ |
| 9 | |
| 10 #include "../../../third_party/numerics/safe_math.h" | |
| 11 | |
| 9 class IFXCRT_FileAccess | 12 class IFXCRT_FileAccess |
| 10 { | 13 { |
| 11 public: | 14 public: |
| 12 virtual ~IFXCRT_FileAccess() {} | 15 virtual ~IFXCRT_FileAccess() {} |
| 13 virtual FX_BOOL Open(FX_BSTR fileName, FX_DWORD dwMode) = 0; | 16 virtual FX_BOOL Open(FX_BSTR fileName, FX_DWORD dwMode) = 0; |
| 14 virtual FX_BOOL Open(FX_WSTR fileName, FX_DWORD dwMode) = 0; | 17 virtual FX_BOOL Open(FX_WSTR fileName, FX_DWORD dwMode) = 0; |
| 15 virtual void Close() = 0; | 18 virtual void Close() = 0; |
| 16 virtual void Release() = 0; | 19 virtual void Release() = 0; |
| 17 virtual FX_FILESIZE GetSize() const = 0; | 20 virtual FX_FILESIZE GetSize() const = 0; |
| 18 virtual FX_FILESIZE GetPosition() const = 0; | 21 virtual FX_FILESIZE GetPosition() const = 0; |
| (...skipping 155 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 174 virtual FX_FILESIZE GetPosition() | 177 virtual FX_FILESIZE GetPosition() |
| 175 { | 178 { |
| 176 FX_FILESIZE pos = (FX_FILESIZE)m_nCurPos; | 179 FX_FILESIZE pos = (FX_FILESIZE)m_nCurPos; |
| 177 if (m_bUseRange) { | 180 if (m_bUseRange) { |
| 178 pos -= (FX_FILESIZE)m_nOffset; | 181 pos -= (FX_FILESIZE)m_nOffset; |
| 179 } | 182 } |
| 180 return pos; | 183 return pos; |
| 181 } | 184 } |
| 182 virtual FX_BOOL SetRange(FX_FILESIZE offset, FX_ FILESIZE size) | 185 virtual FX_BOOL SetRange(FX_FILESIZE offset, FX_ FILESIZE size) |
| 183 { | 186 { |
| 184 if (offset < 0 || (size_t)(offset + size) > m_nCurSize) { | 187 base::CheckedNumeric<FX_FILESIZE> range = size; |
| 188 range += size; | |
|
palmer
2014/07/23 17:58:36
BUG: The original code checked offset + size, but
jun_fang
2014/07/24 07:14:39
This issue was reported in the original bug.
| |
| 189 | |
| 190 if (!range.IsValid() || offset <= 0 || size <= 0 || range.ValueOrDie() > m_nCurSize) { | |
| 185 return FALSE; | 191 return FALSE; |
| 186 } | 192 } |
| 193 | |
| 187 m_nOffset = (size_t)offset, m_nSize = (size_t)size; | 194 m_nOffset = (size_t)offset, m_nSize = (size_t)size; |
| 188 m_bUseRange = TRUE; | 195 m_bUseRange = TRUE; |
| 189 m_nCurPos = m_nOffset; | 196 m_nCurPos = m_nOffset; |
| 190 return TRUE; | 197 return TRUE; |
| 191 } | 198 } |
| 192 virtual void ClearRange() | 199 virtual void ClearRange() |
| 193 { | 200 { |
| 194 m_bUseRange = FALSE; | 201 m_bUseRange = FALSE; |
| 195 } | 202 } |
| 196 virtual FX_BOOL ReadBlock(void* buffer, FX_FILES IZE offset, size_t size) | 203 virtual FX_BOOL ReadBlock(void* buffer, FX_FILES IZE offset, size_t size) |
| 197 { | 204 { |
| 198 if (!buffer || !size) { | 205 if (!buffer || !size) { |
| 199 return FALSE; | 206 return FALSE; |
| 200 } | 207 } |
| 208 | |
| 209 base::CheckedNumeric<FX_FILESIZE> safeOffset = offset; | |
| 201 if (m_bUseRange) { | 210 if (m_bUseRange) { |
| 202 offset += (FX_FILESIZE)m_nOffset; | 211 safeOffset += m_nOffset; |
| 203 } | 212 } |
| 204 if ((size_t)offset + size > m_nCurSize) { | 213 |
| 214 if (!safeOffset.IsValid()) | |
| 215 return FALSE; | |
| 216 | |
| 217 offset = safeOffset.ValueOrDie(); | |
| 218 | |
| 219 base::CheckedNumeric<size_t> newPos = size; | |
| 220 newPos += offset; | |
| 221 if (newPos.ValueOrDefault(0) == 0 || newPos.ValueOrDie() > m_nCurSize) { | |
|
palmer
2014/07/23 17:58:36
ValueOrDie will cause a program abort, and you'll
jun_fang
2014/07/24 07:14:39
Will update.
jschuh
2014/07/24 13:48:46
You can skip the !newPos.IsValid() check, because
| |
| 205 return FALSE; | 222 return FALSE; |
| 206 } | 223 } |
| 207 m_nCurPos = (size_t)offset + size; | 224 |
| 225 m_nCurPos = newPos.ValueOrDie(); | |
| 208 if (m_dwFlags & FX_MEMSTREAM_Consecutive) { | 226 if (m_dwFlags & FX_MEMSTREAM_Consecutive) { |
| 209 FXSYS_memcpy32(buffer, (FX_LPBYTE)m_Blocks[0] + (size_t)offset, size ); | 227 FXSYS_memcpy32(buffer, (FX_LPBYTE)m_Blocks[0] + (size_t)offset, size ); |
| 210 return TRUE; | 228 return TRUE; |
| 211 } | 229 } |
| 212 size_t nStartBlock = (size_t)offset / m_nGrowSize; | 230 size_t nStartBlock = (size_t)offset / m_nGrowSize; |
| 213 offset -= (FX_FILESIZE)(nStartBlock * m_nGrowSize); | 231 offset -= (FX_FILESIZE)(nStartBlock * m_nGrowSize); |
| 214 while (size) { | 232 while (size) { |
| 215 size_t nRead = m_nGrowSize - (size_t)offset; | 233 size_t nRead = m_nGrowSize - (size_t)offset; |
| 216 if (nRead > size) { | 234 if (nRead > size) { |
| 217 nRead = size; | 235 nRead = size; |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 243 } | 261 } |
| 244 virtual FX_BOOL WriteBlock(const void* buffer, F X_FILESIZE offset, size_t size) | 262 virtual FX_BOOL WriteBlock(const void* buffer, F X_FILESIZE offset, size_t size) |
| 245 { | 263 { |
| 246 if (!buffer || !size) { | 264 if (!buffer || !size) { |
| 247 return FALSE; | 265 return FALSE; |
| 248 } | 266 } |
| 249 if (m_bUseRange) { | 267 if (m_bUseRange) { |
| 250 offset += (FX_FILESIZE)m_nOffset; | 268 offset += (FX_FILESIZE)m_nOffset; |
| 251 } | 269 } |
| 252 if (m_dwFlags & FX_MEMSTREAM_Consecutive) { | 270 if (m_dwFlags & FX_MEMSTREAM_Consecutive) { |
| 253 m_nCurPos = (size_t)offset + size; | 271 base::CheckedNumeric<size_t> newPos = size; |
| 272 newPos += offset; | |
| 273 if (!newPos.IsValid()) | |
| 274 return FALSE; | |
| 275 | |
| 276 m_nCurPos = newPos.ValueOrDie(); | |
| 254 if (m_nCurPos > m_nTotalSize) { | 277 if (m_nCurPos > m_nTotalSize) { |
| 255 m_nTotalSize = (m_nCurPos + m_nGrowSize - 1) / m_nGrowSize * m_n GrowSize; | 278 m_nTotalSize = (m_nCurPos + m_nGrowSize - 1) / m_nGrowSize * m_n GrowSize; |
| 256 if (m_Blocks.GetSize() < 1) { | 279 if (m_Blocks.GetSize() < 1) { |
| 257 void* block = FX_Alloc(FX_BYTE, m_nTotalSize); | 280 void* block = FX_Alloc(FX_BYTE, m_nTotalSize); |
| 258 m_Blocks.Add(block); | 281 m_Blocks.Add(block); |
| 259 } else { | 282 } else { |
| 260 m_Blocks[0] = FX_Realloc(FX_BYTE, m_Blocks[0], m_nTotalSize) ; | 283 m_Blocks[0] = FX_Realloc(FX_BYTE, m_Blocks[0], m_nTotalSize) ; |
| 261 } | 284 } |
| 262 if (!m_Blocks[0]) { | 285 if (!m_Blocks[0]) { |
| 263 m_Blocks.RemoveAll(); | 286 m_Blocks.RemoveAll(); |
| 264 return FALSE; | 287 return FALSE; |
| 265 } | 288 } |
| 266 } | 289 } |
| 267 FXSYS_memcpy32((FX_LPBYTE)m_Blocks[0] + (size_t)offset, buffer, size ); | 290 FXSYS_memcpy32((FX_LPBYTE)m_Blocks[0] + (size_t)offset, buffer, size ); |
| 268 if (m_nCurSize < m_nCurPos) { | 291 if (m_nCurSize < m_nCurPos) { |
| 269 m_nCurSize = m_nCurPos; | 292 m_nCurSize = m_nCurPos; |
| 270 } | 293 } |
| 271 return TRUE; | 294 return TRUE; |
| 272 } | 295 } |
| 273 if (!ExpandBlocks((size_t)offset + size)) { | 296 |
| 297 base::CheckedNumeric<size_t> newPos = size; | |
| 298 newPos += offset; | |
| 299 if (!newPos.IsValid()) | |
| 300 return FALSE; | |
| 301 | |
| 302 if (!ExpandBlocks(newPos.ValueOrDie())) { | |
| 274 return FALSE; | 303 return FALSE; |
| 275 } | 304 } |
| 276 m_nCurPos = (size_t)offset + size; | 305 m_nCurPos = newPos.ValueOrDie(); |
| 277 size_t nStartBlock = (size_t)offset / m_nGrowSize; | 306 size_t nStartBlock = (size_t)offset / m_nGrowSize; |
| 278 offset -= (FX_FILESIZE)(nStartBlock * m_nGrowSize); | 307 offset -= (FX_FILESIZE)(nStartBlock * m_nGrowSize); |
| 279 while (size) { | 308 while (size) { |
| 280 size_t nWrite = m_nGrowSize - (size_t)offset; | 309 size_t nWrite = m_nGrowSize - (size_t)offset; |
| 281 if (nWrite > size) { | 310 if (nWrite > size) { |
| 282 nWrite = size; | 311 nWrite = size; |
| 283 } | 312 } |
| 284 FXSYS_memcpy32((FX_LPBYTE)m_Blocks[(int)nStartBlock] + (size_t)offse t, buffer, nWrite); | 313 FXSYS_memcpy32((FX_LPBYTE)m_Blocks[(int)nStartBlock] + (size_t)offse t, buffer, nWrite); |
| 285 buffer = ((FX_LPBYTE)buffer) + nWrite; | 314 buffer = ((FX_LPBYTE)buffer) + nWrite; |
| 286 size -= nWrite; | 315 size -= nWrite; |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 389 FX_DWORD mt[MT_N]; | 418 FX_DWORD mt[MT_N]; |
| 390 } FX_MTRANDOMCONTEXT, * FX_LPMTRANDOMCONTEXT; | 419 } FX_MTRANDOMCONTEXT, * FX_LPMTRANDOMCONTEXT; |
| 391 typedef FX_MTRANDOMCONTEXT const * FX_LPCMTRANDOMCONTEXT; | 420 typedef FX_MTRANDOMCONTEXT const * FX_LPCMTRANDOMCONTEXT; |
| 392 #if _FXM_PLATFORM_ == _FXM_PLATFORM_WINDOWS_ | 421 #if _FXM_PLATFORM_ == _FXM_PLATFORM_WINDOWS_ |
| 393 FX_BOOL FX_GenerateCryptoRandom(FX_LPDWORD pBuffer, FX_INT32 iCount); | 422 FX_BOOL FX_GenerateCryptoRandom(FX_LPDWORD pBuffer, FX_INT32 iCount); |
| 394 #endif | 423 #endif |
| 395 #ifdef __cplusplus | 424 #ifdef __cplusplus |
| 396 } | 425 } |
| 397 #endif | 426 #endif |
| 398 #endif | 427 #endif |
| OLD | NEW |
