diff options
| author | npm <npm@chromium.org> | 2016-10-04 10:15:55 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-10-04 10:15:55 -0700 |
| commit | 89f9ee3b8f3b4756f05ff48055f4bff7353201e2 (patch) | |
| tree | 5f240641f202d041eef3424ed7db9e9492e49764 | |
| parent | 78c271dd9ee883f4e31e41a8adda8e615c84ad63 (diff) | |
| download | pdfium-89f9ee3b8f3b4756f05ff48055f4bff7353201e2.tar.xz | |
Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load
m_Map maps to unsigned integer, but m_MultiCharBuf.GetLength() returns
an integer. There will be integer overflow if the length is big, and
UBSAN will complain. Thus, using FX_SAFE_UINT32. Replacing with uint32
would work as well: the point is to consider the length as uint instead
of int.
BUG=chromium:652232
Review-Url: https://codereview.chromium.org/2393573002
| -rw-r--r-- | core/fpdfapi/fpdf_font/fpdf_font.cpp | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/core/fpdfapi/fpdf_font/fpdf_font.cpp b/core/fpdfapi/fpdf_font/fpdf_font.cpp index cff5223a00..825cd61b52 100644 --- a/core/fpdfapi/fpdf_font/fpdf_font.cpp +++ b/core/fpdfapi/fpdf_font/fpdf_font.cpp @@ -18,6 +18,7 @@ #include "core/fpdfapi/fpdf_parser/cpdf_simple_parser.h" #include "core/fpdfapi/fpdf_parser/cpdf_stream_acc.h" #include "core/fxcrt/fx_ext.h" +#include "core/fxcrt/fx_safe_types.h" #include "core/fxge/fx_freetype.h" #include "third_party/base/numerics/safe_conversions.h" #include "third_party/base/stl_util.h" @@ -224,7 +225,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { if (len == 1) { m_Map[srccode] = destcode.GetAt(0); } else { - m_Map[srccode] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[srccode] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(destcode.GetLength()); m_MultiCharBuf << destcode; } @@ -255,7 +259,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { if (len == 1) { m_Map[code] = destcode.GetAt(0); } else { - m_Map[code] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[code] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(destcode.GetLength()); m_MultiCharBuf << destcode; } @@ -278,7 +285,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { } else { retcode = StringDataAdd(destcode); } - m_Map[code] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[code] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(retcode.GetLength()); m_MultiCharBuf << retcode; destcode = retcode; |