Fix bounds checking in CJS_PublicMethods::MakeRegularDate().

fpdfsdk/src/javascript/PublicMethods.cpp

Index: fpdfsdk/src/javascript/PublicMethods.cpp
diff --git a/fpdfsdk/src/javascript/PublicMethods.cpp b/fpdfsdk/src/javascript/PublicMethods.cpp
index bd4acaef9a120b763ca0a782f0acc8aed52f280a..a2e441194c794d329e8f903ac21a8e1aec46893b 100644
--- a/fpdfsdk/src/javascript/PublicMethods.cpp
+++ b/fpdfsdk/src/javascript/PublicMethods.cpp
@@ -624,7 +624,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 	FX_BOOL bPm = FALSE;
 	FX_BOOL bExit = FALSE;
 	bWrongFormat = FALSE;
-	
+
 	int i=0;
 	int j=0;
 
@@ -632,7 +632,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 	{
 		if (bExit) break;
 
-		FX_WCHAR c = format.GetAt(i);		
+		FX_WCHAR c = format.GetAt(i);
 		switch (c)
 		{
 			case ':':
@@ -643,7 +643,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 				i++;
 				j++;
 				break;
-				
+
 			case 'y':
 			case 'm':
 			case 'd':
@@ -654,9 +654,10 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 			case 't':
 				{
 					int oldj = j;
-					int nSkip = 0;
+				        int nSkip = 0;
+                                        int remaining = format.GetLength() - i - 1;

[jun_fang, 2014/07/18 17:30:59]

should alignment with the previous line? I saw it didn't align with the previous
one when I checked the raw file.

[Tom Sepez, 2014/07/18 18:00:04]

I "untabified" the entire function. That should make the aligmnent consistent
regardless of tab settings.

 
-					if (format.GetAt(i+1) != c)
+					if (remaining < 1 || format.GetAt(i+1) != c)

[jun_fang, 2014/07/18 17:30:59]

remaining == 1 rather than remaining < 1

for example:
int remaining = format.GetLength() - i - 1;
let's assume 'format.GetLength() = 1, i =0'
the remaining is 0 can meet the if condition, but format.GetAt(1) is incorrect
access.

[Tom Sepez, 2014/07/18 18:00:04]

No, its an "or", not an "and", so when remaining is 0, 0 is < 1 and we
short-circuit the evaluation of GetAt(i+1) and go directly to the switch, which
doesn't depend upon the char at i+i.

 					{
 						switch (c)
 						{
@@ -695,13 +696,13 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 								j += nSkip;
 								break;
 							case 't':
-								bPm = value.GetAt(i) == 'p';
+                                                                bPm = (j < value.GetLength() && value.GetAt(j) == 'p');
 								i++;
 								j++;
 								break;
-						}					
+						}
 					}
-					else if (format.GetAt(i+1) == c && format.GetAt(i+2) != c)
+					else if (remaining < 2 || format.GetAt(i+2) != c)

[jun_fang, 2014/07/18 17:30:59]

remaining == 2

 					{
 						switch (c)
 						{
@@ -741,13 +742,13 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 								j += nSkip;
 								break;
 							case 't':
-								bPm = (value.GetAt(j) == 'p' && value.GetAt(j+1) == 'm');
+								bPm = (j + 1 < value.GetLength() && value.GetAt(j) == 'p' && value.GetAt(j+1) == 'm');
 								i += 2;
 								j += 2;
 								break;
 						}
 					}
-					else if (format.GetAt(i+1) == c && format.GetAt(i+2) == c && format.GetAt(i+3) != c)
+					else if (remaining < 3 || format.GetAt(i+3) != c)

[jun_fang, 2014/07/18 17:30:59]

remaining == 3

 					{
 						switch (c)
 						{
@@ -766,7 +767,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 											break;
 										}
 									}
-									
+
 									if (!bFind)
 									{
 										nMonth = ParseStringInteger(value, j, nSkip, 3);
@@ -783,7 +784,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 								break;
 						}
 					}
-					else if (format.GetAt(i+1) == c && format.GetAt(i+2) == c && format.GetAt(i+3) == c && format.GetAt(i+4) != c)
+					else if (remaining < 4 || format.GetAt(i+4) != c)

[jun_fang, 2014/07/18 17:30:59]

remaining == 4

 					{
 						switch (c)
 						{
@@ -815,7 +816,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 											break;
 										}
 									}
-									
+
 									if (!bFind)
 									{
 										nMonth = ParseStringInteger(value, j, nSkip, 4);
@@ -828,11 +829,11 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 								i += 4;
 								j += 4;
 								break;
-						}					
+						}
 					}
 					else
 					{
-						if (format.GetAt(i) != value.GetAt(j))
+						if (j >= value.GetLength() || format.GetAt(i) != value.GetAt(j))
 						{
 							bWrongFormat = TRUE;
 							bExit = TRUE;
@@ -840,7 +841,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 						i++;
 						j++;
 					}
-					
+
 					if (oldj == j)
 					{
 						bWrongFormat = TRUE;
@@ -848,7 +849,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 					}
 				}
 
-				break;			
+				break;
 			default:
 				if (value.GetLength() <= j)
 				{
@@ -863,7 +864,7 @@ double CJS_PublicMethods::MakeRegularDate(const CFX_WideString & value, const CF
 				i++;
 				j++;
 				break;
-		}		
+		}
 	}
 
 	if (bPm) nHour += 12;