author | Bo Xu <bo_xu@foxitsoftware.com> | 2014-08-02 15:13:46 -0700 |
---|---|---|
committer | Bo Xu <bo_xu@foxitsoftware.com> | 2014-08-02 15:13:46 -0700 |
commit | 465c2a84ba709d932040c9e80db508e93c138da6 (patch) | |
tree | 07396342b637775b5350e896ba99ac0834e6e2f9 | |
parent | 90d1f9b9fdcbdab22beec36ceddee782ac0f8a39 (diff) | |
Fix buffer size boundary check offset by 1 (chromium/2117, chromium/2116, chromium/2115, chromium/2114, chromium/2113)
When newPos == file size, the current block is rejected and never fetched by ReadBlock or GetBlock. If this block is a crucial part of the document (like m_pTrailer), the program will exit with a parse error and the document will not be rendered.
BUG=None
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/440563003
-rw-r--r-- | fpdfsdk/src/fpdfview.cpp | 46 |
1 files changed, 21 insertions, 25 deletions
diff --git a/fpdfsdk/src/fpdfview.cpp b/fpdfsdk/src/fpdfview.cpp
index 63d4fbdcde..af24e71b94 100644
--- a/fpdfsdk/src/fpdfview.cpp
+++ b/fpdfsdk/src/fpdfview.cpp
@@ -35,27 +35,25 @@ FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch)
 FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size)
 {
- FX_SAFE_DWORD newPos = size;
- newPos += pos;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
- return FALSE;
- }
-
- return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
+ FX_SAFE_DWORD newPos = size;
+ newPos += pos;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+ return FALSE;
+ }
+ return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
 }
 FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)
 {
- if (offset < 0) {
- return FALSE;
- }
- FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
- newPos += offset;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
- return FALSE;
- }
-
- return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
+ if (offset < 0) {
+ return FALSE;
+ }
+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+ newPos += offset;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+ return FALSE;
+ }
+ return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
 }
 //0 bit: FPDF_POLICY_MACHINETIME_ACCESS
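Review bot: The same bound is now written out three times (GetBlock and ReadBlock in this hunk, and the memory-backed ReadBlock in the hunk at -301), which is how one off-by-one ended up in all three; a single helper that answers whether `[offset, offset + size)` fits in a file of a given length would keep the copies from drifting again. Until then, a comment above each comparison would record why the bound is inclusive, for example `// newPos == m_FileLen is valid: the read ends exactly at EOF`. These checks only constrain the request against `m_FileAccess.m_FileLen`; whether the `m_GetBlock` callback honours that length is up to the embedder and is not visible here. The commit also adds no test for a read that ends exactly at end of file, which is the case being fixed.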
@@ -301,15 +299,13 @@ public:
 virtual FX_FILESIZE GetSize() {return m_size;}
 virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)
 {
- if (offset < 0) {
- return FALSE;
- }
-
- FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
- newPos += offset;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size) return FALSE;
+ if (offset < 0) {
+ return FALSE;
+ }
+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+ newPos += offset;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > (FX_DWORD)m_size) return FALSE;
 FXSYS_memcpy(buffer, m_pBuf+offset, size);
-
 return TRUE;
 }
 private: |
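Review bot: The limit that guards `FXSYS_memcpy(buffer, m_pBuf+offset, size)` is compared as `(FX_DWORD)m_size`, so the bound passes through a cast before it is used. The declaration of m_size is outside the hunk; if it is an FX_FILESIZE, as `GetSize()` returning it suggests, the cast truncates a size wider than 32 bits and turns a negative size into a large unsigned limit, and the latter would let the copy read past the end of m_pBuf. Comparing in the file-size type avoids both, for example `if (!newPos.IsValid() || m_size < 0 || newPos.ValueOrDie() > m_size) return FALSE;`. The class this method belongs to starts and ends outside the hunk.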