fpdfsdk/src/fpdfview.cpp - Issue 419063002: Fix the potential integer overflow from 'offset+size' in extension.h and fpdfview.cpp

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: fpdfsdk/src/fpdfview.cpp

Issue 419063002: Fix the potential integer overflow from 'offset+size' in extension.h and fpdfview.cpp (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: fpdfsdk/src/fpdfview.cpp

diff --git a/fpdfsdk/src/fpdfview.cpp b/fpdfsdk/src/fpdfview.cpp

index b950ed8641556345cb8642c3f574933af66a55c7..c7b6f487e3bac3d2137d7d810eb94b49a1a16911 100644

--- a/fpdfsdk/src/fpdfview.cpp

+++ b/fpdfsdk/src/fpdfview.cpp

@@ -9,7 +9,7 @@

#include "../include/fsdk_rendercontext.h"

#include "../include/fpdf_progressive.h"

#include "../include/fpdf_ext.h"

+#include "../../third_party/numerics/safe_conversions_impl.h"

CPDF_CustomAccess::CPDF_CustomAccess(FPDF_FILEACCESS* pFileAccess)

{

@@ -35,18 +35,21 @@ FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch)

FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size)

{

- if (pos + size > m_FileAccess.m_FileLen) return FALSE;

+ FX_SAFE_DWORD newPos = size;

+ newPos += pos;

+ if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) return FALSE;

Tom Sepez 2014/07/30 18:50:25 nit: newline and indent rather than single-line if

return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);

}

FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)

{

- // m_FileAccess = *pFileAccess;

- // m_BufferOffset = (FX_DWORD)-1;

- if (offset + size > m_FileAccess.m_FileLen) return FALSE;

- return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);

+ if (offset < 0) return FALSE;

+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);

+ newPos += offset;

+ if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) return FALSE;

Tom Sepez 2014/07/30 18:50:24 nit:ditto

- // return FALSE;

+ return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);

}

//0 bit: FPDF_POLICY_MACHINETIME_ACCESS

@@ -292,8 +295,13 @@ public:

virtual FX_FILESIZE GetSize() {return m_size;}

virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)

{

- if(offset+size > (FX_DWORD)m_size) return FALSE;

+ if (offset < 0) return FALSE;

Tom Sepez 2014/07/30 18:50:25 nit: ditto.

+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);

+ newPos += offset;

+ if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size) return FALSE;

FXSYS_memcpy(buffer, m_pBuf+offset, size);

return TRUE;

}

private:

« core/src/fxcrt/extension.h ('K') | « core/src/fxcrt/extension.h ('k') | no next file » | no next file with comments »