Chromium Code Reviews Chromium Code Reviews
Issue 419063002:
Fix the potential integer overflow from 'offset+size' in extension.h and fpdfview.cpp (Closed)
Base URL: https://pdfium.googlesource.com/pdfium.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 PDFium Authors. All rights reserved. | 1 // Copyright 2014 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include "../include/fsdk_define.h" | 7 #include "../include/fsdk_define.h" |
| 8 #include "../include/fpdfview.h" | 8 #include "../include/fpdfview.h" |
| 9 #include "../include/fsdk_rendercontext.h" | 9 #include "../include/fsdk_rendercontext.h" |
| 10 #include "../include/fpdf_progressive.h" | 10 #include "../include/fpdf_progressive.h" |
| 11 #include "../include/fpdf_ext.h" | 11 #include "../include/fpdf_ext.h" |
| 12 | 12 #include "../../third_party/numerics/safe_conversions_impl.h" |
| 13 | 13 |
| 14 CPDF_CustomAccess::CPDF_CustomAccess(FPDF_FILEACCESS* pFileAccess) | 14 CPDF_CustomAccess::CPDF_CustomAccess(FPDF_FILEACCESS* pFileAccess) |
| 15 { | 15 { |
| 16 m_FileAccess = *pFileAccess; | 16 m_FileAccess = *pFileAccess; |
| 17 m_BufferOffset = (FX_DWORD)-1; | 17 m_BufferOffset = (FX_DWORD)-1; |
| 18 } | 18 } |
| 19 | 19 |
| 20 FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch) | 20 FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch) |
| 21 { | 21 { |
| 22 if (pos >= m_FileAccess.m_FileLen) return FALSE; | 22 if (pos >= m_FileAccess.m_FileLen) return FALSE; |
| 23 if (m_BufferOffset == (FX_DWORD)-1 || pos < m_BufferOffset || pos >= m_B ufferOffset + 512) { | 23 if (m_BufferOffset == (FX_DWORD)-1 || pos < m_BufferOffset || pos >= m_B ufferOffset + 512) { |
| 24 // Need to read from file access | 24 // Need to read from file access |
| 25 m_BufferOffset = pos; | 25 m_BufferOffset = pos; |
| 26 int size = 512; | 26 int size = 512; |
| 27 if (pos + 512 > m_FileAccess.m_FileLen) | 27 if (pos + 512 > m_FileAccess.m_FileLen) |
| 28 size = m_FileAccess.m_FileLen - pos; | 28 size = m_FileAccess.m_FileLen - pos; |
| 29 if (!m_FileAccess.m_GetBlock(m_FileAccess.m_Param, m_BufferOffse t, m_Buffer, size)) | 29 if (!m_FileAccess.m_GetBlock(m_FileAccess.m_Param, m_BufferOffse t, m_Buffer, size)) |
| 30 return FALSE; | 30 return FALSE; |
| 31 } | 31 } |
| 32 ch = m_Buffer[pos - m_BufferOffset]; | 32 ch = m_Buffer[pos - m_BufferOffset]; |
| 33 return TRUE; | 33 return TRUE; |
| 34 } | 34 } |
| 35 | 35 |
| 36 FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size) | 36 FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size) |
| 37 { | 37 { |
| 38 » if (pos + size > m_FileAccess.m_FileLen) return FALSE; | 38 FX_SAFE_DWORD newPos = size; |
| 39 newPos += pos; | |
| 40 » if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) return FALSE; | |
|
Tom Sepez
2014/07/30 18:50:25
nit: newline and indent rather than single-line if
| |
| 41 | |
| 39 return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size); | 42 return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size); |
| 40 } | 43 } |
| 41 | 44 |
| 42 FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t si ze) | 45 FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t si ze) |
| 43 { | 46 { |
| 44 » //» m_FileAccess = *pFileAccess; | 47 if (offset < 0) return FALSE; |
| 45 » //» m_BufferOffset = (FX_DWORD)-1; | 48 FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size); |
| 46 » if (offset + size > m_FileAccess.m_FileLen) return FALSE; | 49 newPos += offset; |
| 50 » if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) return FALSE; | |
|
Tom Sepez
2014/07/30 18:50:24
nit:ditto
| |
| 51 | |
| 47 return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size); | 52 return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size); |
| 48 | |
| 49 // return FALSE; | |
| 50 } | 53 } |
| 51 | 54 |
| 52 //0 bit: FPDF_POLICY_MACHINETIME_ACCESS | 55 //0 bit: FPDF_POLICY_MACHINETIME_ACCESS |
| 53 static FX_DWORD foxit_sandbox_policy = 0xFFFFFFFF; | 56 static FX_DWORD foxit_sandbox_policy = 0xFFFFFFFF; |
| 54 | 57 |
| 55 void FSDK_SetSandBoxPolicy(FPDF_DWORD policy, FPDF_BOOL enable) | 58 void FSDK_SetSandBoxPolicy(FPDF_DWORD policy, FPDF_BOOL enable) |
| 56 { | 59 { |
| 57 switch(policy) | 60 switch(policy) |
| 58 { | 61 { |
| 59 case FPDF_POLICY_MACHINETIME_ACCESS: | 62 case FPDF_POLICY_MACHINETIME_ACCESS: |
| (...skipping 225 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 285 | 288 |
| 286 class CMemFile FX_FINAL: public IFX_FileRead, public CFX_Object | 289 class CMemFile FX_FINAL: public IFX_FileRead, public CFX_Object |
| 287 { | 290 { |
| 288 public: | 291 public: |
| 289 CMemFile(FX_BYTE* pBuf, FX_FILESIZE size):m_pBuf(pBuf),m_size(size) {} | 292 CMemFile(FX_BYTE* pBuf, FX_FILESIZE size):m_pBuf(pBuf),m_size(size) {} |
| 290 | 293 |
| 291 virtual void Release() {delete this;} | 294 virtual void Release() {delete this;} |
| 292 virtual FX_FILESIZE GetSize() {return m_size;} | 295 virtual FX_FILESIZE GetSize() {return m_size;} |
| 293 virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offs et, size_t size) | 296 virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offs et, size_t size) |
| 294 { | 297 { |
| 295 » » if(offset+size > (FX_DWORD)m_size) return FALSE; | 298 if (offset < 0) return FALSE; |
| 299 | |
|
Tom Sepez
2014/07/30 18:50:25
nit: ditto.
| |
| 300 FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t >(size); | |
| 301 newPos += offset; | |
| 302 if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size ) return FALSE; | |
| 296 FXSYS_memcpy(buffer, m_pBuf+offset, size); | 303 FXSYS_memcpy(buffer, m_pBuf+offset, size); |
| 304 | |
| 297 return TRUE; | 305 return TRUE; |
| 298 } | 306 } |
| 299 private: | 307 private: |
| 300 FX_BYTE* m_pBuf; | 308 FX_BYTE* m_pBuf; |
| 301 FX_FILESIZE m_size; | 309 FX_FILESIZE m_size; |
| 302 }; | 310 }; |
| 303 DLLEXPORT FPDF_DOCUMENT STDCALL FPDF_LoadMemDocument(const void* data_buf, int s ize, FPDF_BYTESTRING password) | 311 DLLEXPORT FPDF_DOCUMENT STDCALL FPDF_LoadMemDocument(const void* data_buf, int s ize, FPDF_BYTESTRING password) |
| 304 { | 312 { |
| 305 CPDF_Parser* pParser = FX_NEW CPDF_Parser; | 313 CPDF_Parser* pParser = FX_NEW CPDF_Parser; |
| 306 pParser->SetPassword(password); | 314 pParser->SetPassword(password); |
| (...skipping 587 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 894 { | 902 { |
| 895 if (document == NULL) | 903 if (document == NULL) |
| 896 return NULL; | 904 return NULL; |
| 897 if (name == NULL || name[0] == 0) | 905 if (name == NULL || name[0] == 0) |
| 898 return NULL; | 906 return NULL; |
| 899 | 907 |
| 900 CPDF_Document* pDoc = (CPDF_Document*)document; | 908 CPDF_Document* pDoc = (CPDF_Document*)document; |
| 901 CPDF_NameTree name_tree(pDoc, FX_BSTRC("Dests")); | 909 CPDF_NameTree name_tree(pDoc, FX_BSTRC("Dests")); |
| 902 return name_tree.LookupNamedDest(pDoc, name); | 910 return name_tree.LookupNamedDest(pDoc, name); |
| 903 } | 911 } |
| OLD | NEW |
