Issue 383563002: Fix an out-of-boundary issue for wide string

Issue 383563002: Fix an out-of-boundary issue for wide string (Closed)

Created:
6 years, 5 months ago by Bo Xu

Modified:
6 years, 5 months ago

Reviewers:
palmer, jam

CC:
pdfium-reviews_googlegroups.com

Base URL:
https://pdfium.googlesource.com/pdfium.git@master

Visibility:
Public.

More Reviews

Description

Fix an out-of-boundary issue for wide string BUG=381521 R=palmer@chromium.org Committed: https://pdfium.googlesource.com/pdfium/+/8daab31

Patch Set 2 : Explicitly compute string length in caller #

Patch Set 4 : Add WStringLength function #

Created: 6 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+69 lines, -65 lines)			Patch
M	core/include/fxcrt/fx_string.h	View	1 2 3	1 chunk	+4 lines, -2 lines	0 comments	Download
M	core/src/fxcrt/fx_basic_util.cpp	View	1	1 chunk	+1 line, -1 line	0 comments	Download
M	core/src/fxcrt/fx_basic_wstring.cpp	View	1 2 3	3 chunks	+14 lines, -14 lines	0 comments	Download
M	core/src/fxge/win32/fx_win32_device.cpp	View	1 2 3	1 chunk	+3 lines, -1 line	0 comments	Download
M	fpdfsdk/src/fpdfdoc.cpp	View	1 2 3	1 chunk	+2 lines, -1 line	0 comments	Download
M	fpdfsdk/src/fpdftext.cpp	View	1 2 3	2 chunks	+3 lines, -2 lines	0 comments	Download
M	fpdfsdk/src/javascript/Document.cpp	View	1 2	18 chunks	+31 lines, -31 lines	0 comments	Download
M	fpdfsdk/src/javascript/app.cpp	View	1 2	2 chunks	+10 lines, -12 lines	0 comments	Download
M	fpdfsdk/src/jsapi/fxjs_v8.cpp	View		1 chunk	+1 line, -1 line	0 comments	Download

Messages

Total messages: 13 (0 generated)

Expand Messages | Collapse Messages

Bo Xu

@Palmer, in https://code.google.com/p/chromium/issues/detail?id=381521#c6, you mentioned about computing the |len| in the caller. I looked at ...

6 years, 5 months ago (2014-07-10 16:26:12 UTC) #2

palmer

> @Palmer, in https://code.google.com/p/chromium/issues/detail?id=381521#c6, you > mentioned about computing the |len| in the caller. I ...

6 years, 5 months ago (2014-07-10 19:06:47 UTC) #3

> @Palmer, in https://code.google.com/p/chromium/issues/detail?id=381521#c6, you
> mentioned about computing the |len| in the caller. I looked at the 5 callers,
3
> of them needs to compute the length inside. Computing them outside seems
> redundant (considering FPDF_WIDESTRING is not even a class but just a short*
> type, otherwise could use a member function getLength()).

The idea of the callee determining the length of a string (as in e.g. strcpy)
was a historical mistake, and we should not continue it. The core problem is
that the callee has to assume that the string does indeed end in a NUL byte, but
that assumption does not always hold. The caller, not the callee, must have (or,
should have; or, at least can have) the necessary information; the callee
sometimes cannot have that information and ideally should not have to make any
potentially-false assumptions about its input.

Additionally, the "length or magical -1" interface of the FromUTF16LE function
makes the function harder to reason about. Simple interfaces that always behave
the same way are easier to reason about.

Finally, it seems I was wrong in
https://code.google.com/p/chromium/issues/detail?id=381521#c6 — there are
currently 2 callers that make use of the default -1 value for the length
argument:

~/chromium/src/third_party/pdfium $ search -C FromUTF16LE -v
[*] ./fpdfsdk/src/fpdfdoc.cpp:39:   CFX_WideString wstr =
CFX_WideString::FromUTF16LE(title);
./fpdfsdk/src/fpdftext.cpp:165:        
textpageFind->FindFirst(CFX_WideString::FromUTF16LE(findwhat),flags,start_index);
./fpdfsdk/src/javascript/app.cpp:1117:          swResponse =
CFX_WideString::FromUTF16LE((unsigned short*)pBuff, nLength);
./core/src/fxcrt/fx_basic_buffer.cpp:374:    str =
CFX_WideString::FromUTF16LE((const unsigned short*)(FX_LPCSTR)encoded,
encoded.GetLength());
[*] ./core/src/fxge/win32/fx_win32_device.cpp:331:            CFX_WideString
wsName = CFX_WideString::FromUTF16LE((const unsigned
short*)VariantNames[i].m_pVariantName);

What is the 3rd one?

Anyway, (a) callee-must-assume is a bad idea; and (b) it's easy to fix a handful
of callers.

palmer

I think you should change the interface of FromUTF16LE and FromUTF8 (and others?) so that ...

6 years, 5 months ago (2014-07-10 19:10:55 UTC) #4

Bo Xu

On 2014/07/10 19:10:55, Chromium Palmer wrote: > I think you should change the interface of ...

6 years, 5 months ago (2014-07-10 19:22:10 UTC) #5

Bo Xu

https://codereview.chromium.org/383563002/diff/1/fpdfsdk/src/javascript/app.cpp File fpdfsdk/src/javascript/app.cpp (right): https://codereview.chromium.org/383563002/diff/1/fpdfsdk/src/javascript/app.cpp#newcode1114 fpdfsdk/src/javascript/app.cpp:1114: nLength = nLength>2048?2048:nLength; On 2014/07/10 19:10:55, Chromium Palmer wrote: ...

6 years, 5 months ago (2014-07-10 19:22:16 UTC) #6

palmer

6 years, 5 months ago (2014-07-11 00:12:29 UTC) #7

Bo Xu

6 years, 5 months ago (2014-07-11 03:02:38 UTC) #8

palmer

Definitely better to use a library function than inlining your own wcslen/strlen equivalent. If wcslen ...

6 years, 5 months ago (2014-07-12 00:54:39 UTC) #10

Bo Xu

wcslen cannot take const unsigned short*, so I wrote a function. https://codereview.chromium.org/383563002/diff/40001/core/src/fxcrt/fx_basic_wstring.cpp File core/src/fxcrt/fx_basic_wstring.cpp (right): ...

6 years, 5 months ago (2014-07-12 05:18:04 UTC) #11

Bo Xu

6 years, 5 months ago (2014-07-14 19:14:17 UTC) #13

Message was sent while issue was closed.

Committed patchset #4 manually as r8daab31 (presubmit successful).

Expand Messages | Collapse Messages