author | Dan Sinclair <dsinclair@chromium.org> | 2017-07-13 09:58:52 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-07-13 19:56:36 +0000 |
commit | 0c99829cc38ed2191a71d16c34278e391411aa1b (patch) | |
tree | dd7450e206067ec536c5bf5870775a42db50e845 | |
parent | f55e72e0476e5f5699b887099f213982e207afd0 (diff) | |
download | pdfium-0c99829cc38ed2191a71d16c34278e391411aa1b.tar.xz |
Fix invalid write for util.printf
This CL fixes an invalid WRITE triggered by calling util.printf. We need to
verify that the integer format will be less than 260 characters.
Bug: chromium:740166
Change-Id: I1c9047101780582da5f39088568727e2c8b4c2d2
Reviewed-on: https://pdfium-review.googlesource.com/7630
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | fpdfsdk/javascript/util.cpp | 21 | ||||
-rw-r--r-- | testing/resources/javascript/bug_740166.in | 58 | ||||
-rw-r--r-- | testing/resources/javascript/bug_740166_expected.txt | 0 |
3 files changed, 78 insertions, 1 deletions
diff --git a/fpdfsdk/javascript/util.cpp b/fpdfsdk/javascript/util.cpp
index 100a5caab4..3338a3a126 100644
--- a/fpdfsdk/javascript/util.cpp
+++ b/fpdfsdk/javascript/util.cpp
@@ -150,9 +150,28 @@ bool util::printf(CJS_Runtime* pRuntime,
 CFX_WideString strSegment;
 switch (ParseDataType(&c_strFormat)) {
- case UTIL_INT:
+ case UTIL_INT: {
+ int dot = c_strFormat.find(L".", 0);
+ if (dot != -1) {
+ size_t len = 0;
+ for (size_t i = dot + 1; i < c_strFormat.length(); ++i) {
+ wchar_t c = c_strFormat[i];
+ if (std::iswdigit(c)) {
+ ++len;
+ continue;
+ }
+ break;
+ }
+
+ // Windows has a max of ~261 characters in the format string of
+ // the form %0.261x. We're just going to bail out if the format
+ // would be over 3 or more characters long.
+ if (len > 2)
+ return false;
+ }
 strSegment.Format(c_strFormat.c_str(), params[iIndex].ToInt(pRuntime));
 break;
+ }
 case UTIL_DOUBLE:
 strSegment.Format(c_strFormat.c_str(), params[iIndex].ToDouble(pRuntime));
diff --git a/testing/resources/javascript/bug_740166.in b/testing/resources/javascript/bug_740166.in
new file mode 100644
index 0000000000..62bc912e31
--- /dev/null
+++ b/testing/resources/javascript/bug_740166.in
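Review bot: The new bound in the `UTIL_INT` case counts only the digits after the `.`, so the precision is capped at two digits while a field width written before the dot (for example `%300d`) still reaches `strSegment.Format` unchecked; if the ~261-character limit named in the comment applies to the whole conversion rather than to the precision alone, the width digits need the same cap. The comment's phrase `would be over 3 or more characters long` does not read cleanly against `len > 2`; I would state it as `// Bail out if the precision has three or more digits.`. The `Format` call in the `UTIL_DOUBLE` case below receives the same unchecked format string, so it is worth confirming whether that path is subject to the same limit before relying on this fix. `util::printf` starts before and continues after this hunk.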
@@ -0,0 +1,58 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm 4 0 R
+ /OpenAction 10 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+% Page number 0.
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /Resources <<
+ /Font <</F1 15 0 R>>
+ >>
+ /Contents [21 0 R]
+ /MediaBox [0 0 612 792]
+>>
+% Forms
+{{object 4 0}} <<
+ /Fields [5 0 R]
+>>
+% Field
+{{object 5 0}} <<
+ /FT /Tx
+ /T (MyField)
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [100 200 150 250]
+>>
+% OpenAction action
+{{object 10 0}} <<
+ /Type /Action
+ /S /JavaScript
+ /JS 11 0 R
+>>
+endobj
+% JS program to exexute
+{{object 11 0}} <<
+>>
+stream
+app.alert("Value " + util.printf("= %0.769x", 1));
+endstream
+endobj
+{{xref}}
+trailer <<
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/javascript/bug_740166_expected.txt b/testing/resources/javascript/bug_740166_expected.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/testing/resources/javascript/bug_740166_expected.txt