fpdfsdk/src/javascript/app.cpp - Issue 383563002: Fix an out-of-boundary issue for wide string

Side by Side Diff: fpdfsdk/src/javascript/app.cpp

Issue 383563002: Fix an out-of-boundary issue for wide string (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2014 PDFium Authors. All rights reserved.	1 // Copyright 2014 PDFium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com	5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com

6	6

7 #include "../../include/javascript/JavaScript.h"	7 #include "../../include/javascript/JavaScript.h"

8 #include "../../include/javascript/IJavaScript.h"	8 #include "../../include/javascript/IJavaScript.h"

9 #include "../../include/javascript/JS_Define.h"	9 #include "../../include/javascript/JS_Define.h"

10 #include "../../include/javascript/JS_Object.h"	10 #include "../../include/javascript/JS_Object.h"

(...skipping 1093 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1104 int nLength = 2048;	1104 int nLength = 2048;

1105 char* pBuff = new char[nLength];	1105 char* pBuff = new char[nLength];

1106 nLength = pApp->JS_appResponse(swQuestion, swTitle, swDefault, swLabel, bPassWord, pBuff, nLength);	1106 nLength = pApp->JS_appResponse(swQuestion, swTitle, swDefault, swLabel, bPassWord, pBuff, nLength);

1107 if(nLength<=0)	1107 if(nLength<=0)

1108 {	1108 {

1109 vRet.SetNull();	1109 vRet.SetNull();

1110 return FALSE;	1110 return FALSE;

1111 }	1111 }

1112 else	1112 else

1113 {	1113 {

1114 » » nLength = nLength>2046?2046:nLength;	1114 » » nLength = nLength>2048?2048:nLength;
	palmer 2014/07/10 19:10:55 Why 2048? It looks like you are removing the code Why 2048? It looks like you are removing the code that ensured the string terminated with a 0 character/short? Why? Bo Xu 2014/07/10 19:22:16 In line 1105, the pBuff is newed to be a length of Show quoted text On 2014/07/10 19:10:55, Chromium Palmer wrote: > Why 2048? > > It looks like you are removing the code that ensured the string terminated with > a 0 character/short? Why? In line 1105, the pBuff is newed to be a length of 2048, so this is to keep the length within range. I agree this is kinda not strict. Any suggestion to remedy this? palmer 2014/07/11 00:12:29 So, does it matter if we effectively truncate the Show quoted text > In line 1105, the pBuff is newed to be a length of 2048, so this is to keep the > length within range. I agree this is kinda not strict. Any suggestion to remedy > this? So, does it matter if we effectively truncate the string? If pApp->JS_appResponse returns an nLength > than the # of bytes we allocated for \|pBuff\|, it is telling us that we needed to have allocated a larger string. Some applications would then delete[] pBuff, then re-allocate pBuff to the new nLength, then re-invoke pApp->JS_appResponse. But, if it is OK to set swResponse to a string that we know is not the full result of pApp->JS_appResponse, then we should at least ensure that the string is 0-terminated. Probably. Right? How about this: nLength = pApp->JS_appResponse(swQuestion, swTitle, swDefault, swLabel, bPassWord, pBuff, nLength); if (nLength <= 0) { vRet.SetNull(); return FALSE; } else { nLength = nLength > sizeof(pBuff) ? sizeof(pBuff) : nLength; pBuff[nLength - 1] = '\0'; pBuff[nLength - 2] = '\0'; vRet = swResponse = CFX_WideString::FromUTF16LE((unsigned short)pBuff, nLength / 2); } Bo Xu* 2014/07/11 03:02:38 The SDK only supports 2048 byte, so here is a hard The SDK only supports 2048 byte, so here is a hard cut. The code here is not that straightforward, the WideString is zeroed in CFX_WideString::FromUTF16LE, in CFX_WideString::GetBuffer, in static CFX_StringDataW* FX_AllocStringW. So we don't have to zero out here. It's not that obvious though.
1115 pBuff[nLength] = 0;	1115 » » swResponse = CFX_WideString::FromUTF16LE((unsigned short*)pBuff, nLength/2);

1116 pBuff[nLength+1] = 0;

1117 » » swResponse = CFX_WideString::FromUTF16LE((unsigned short*)pBuff, nLength);

1118 vRet = swResponse;	1116 vRet = swResponse;

1119 }	1117 }

1120 delete[] pBuff;	1118 delete[] pBuff;

1121	1119

1122 return TRUE;	1120 return TRUE;

1123 }	1121 }

1124	1122

1125 FX_BOOL app::media(OBJ_PROP_PARAMS)	1123 FX_BOOL app::media(OBJ_PROP_PARAMS)

1126 {	1124 {

1127 return FALSE;	1125 return FALSE;

1128 }	1126 }

1129	1127

1130 FX_BOOL app::execDialog(OBJ_METHOD_PARAMS)	1128 FX_BOOL app::execDialog(OBJ_METHOD_PARAMS)

1131 {	1129 {

1132 return TRUE;	1130 return TRUE;

1133 }	1131 }

1134	1132

OLD	NEW

« no previous file with comments | « no previous file | fpdfsdk/src/jsapi/fxjs_v8.cpp » ('j') | fpdfsdk/src/jsapi/fxjs_v8.cpp » ('J')