core/src/fxcrt/extension.h - Issue 322333002: Fix the potential integer overflow from "offset + size"

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: core/src/fxcrt/extension.h

Issue 322333002: Fix the potential integer overflow from "offset + size" (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: core/src/fxcrt/extension.h

diff --git a/core/src/fxcrt/extension.h b/core/src/fxcrt/extension.h

index db35387908b0b549dfcfa2e24f78cfee359fe314..46684daf002734c8cd173c5707b7d038e476a8fc 100644

--- a/core/src/fxcrt/extension.h

+++ b/core/src/fxcrt/extension.h

@@ -6,6 +6,9 @@

#ifndef _FXCRT_EXTENSION_IMP_

#define _FXCRT_EXTENSION_IMP_

+#include "../../../third_party/numerics/safe_math.h"

class IFXCRT_FileAccess

{

public:

@@ -181,9 +184,13 @@ public:

}

virtual FX_BOOL SetRange(FX_FILESIZE offset, FX_FILESIZE size)

{

- if (offset < 0 || (size_t)(offset + size) > m_nCurSize) {

+ base::CheckedNumeric<FX_FILESIZE> safe_offset = offset;

+ safe_offset += size;

+ if (offset <= 0 || size <= 0 || !safe_offset.IsValid() || safe_offset.ValueOrDie() > m_nCurSize) {

return FALSE;

}

m_nOffset = (size_t)offset, m_nSize = (size_t)size;

m_bUseRange = TRUE;

m_nCurPos = m_nOffset;

@@ -198,13 +205,22 @@ public:

if (!buffer || !size) {

return FALSE;

}

+ base::CheckedNumeric<FX_FILESIZE> safe_offset = offset;

if (m_bUseRange) {

- offset += (FX_FILESIZE)m_nOffset;

+ safe_offset += m_nOffset;

}

- if ((size_t)offset + size > m_nCurSize) {

+ if (!safe_offset.IsValid())

+ return FALSE;

+ base::CheckedNumeric<size_t> safe_size = size;

+ safe_size += safe_offset.ValueOrDie();

+ if (!safe_size.IsValid() || safe_size.ValueOrDie() > m_nCurSize) {

return FALSE;

}

- m_nCurPos = (size_t)offset + size;

+ m_nCurPos = safe_size.ValueOrDie();

if (m_dwFlags & FX_MEMSTREAM_Consecutive) {

FXSYS_memcpy32(buffer, (FX_LPBYTE)m_Blocks[0] + (size_t)offset, size);

return TRUE;

@@ -250,7 +266,12 @@ public:

offset += (FX_FILESIZE)m_nOffset;

}

if (m_dwFlags & FX_MEMSTREAM_Consecutive) {

- m_nCurPos = (size_t)offset + size;

+ base::CheckedNumeric<size_t> safe_size = size;

+ safe_size += offset;

+ if (!safe_size.IsValid())

+ return FALSE;

+ m_nCurPos = safe_size.ValueOrDie();

if (m_nCurPos > m_nTotalSize) {

m_nTotalSize = (m_nCurPos + m_nGrowSize - 1) / m_nGrowSize * m_nGrowSize;

if (m_Blocks.GetSize() < 1) {

@@ -270,10 +291,16 @@ public:

}

return TRUE;

}

- if (!ExpandBlocks((size_t)offset + size)) {

+ base::CheckedNumeric<size_t> safe_size = size;

+ safe_size += offset;

+ if (!safe_size.IsValid())

+ return FALSE;

+ if (!ExpandBlocks(safe_size.ValueOrDie())) {

return FALSE;

}

- m_nCurPos = (size_t)offset + size;

+ m_nCurPos = safe_size.ValueOrDie();

size_t nStartBlock = (size_t)offset / m_nGrowSize;

offset -= (FX_FILESIZE)(nStartBlock * m_nGrowSize);

while (size) {

« core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp ('K') | « core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp ('k') | no next file » | no next file with comments »