author | Lei Zhang <thestig@chromium.org> | 2017-06-02 12:46:49 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-06-02 21:10:54 +0000 |
commit | d332e2d6d65724486def154f7486ba9088849c1d (patch) | |
tree | d1d524497fb74a48bc933fc9d13c95a67a76c777 | |
parent | 3db875920a253a8541642a2aa913f474b125d67f (diff) | |
Prevent OOB access in CXFA_FM2JSContext::IsIsoTimeFormat().
Change-Id: I3fe0460f3a4cfd7d48ccfc79d0256fc83d7fbac8
Reviewed-on: https://pdfium-review.googlesource.com/6235
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r-- | xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp | 54 |
1 files changed, 24 insertions, 30 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 2da86eb896..3aab971229 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -1779,9 +1779,6 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
 int32_t iPos = 0;
 int32_t iIndex = 0;
 while (iIndex < iZone) {
- if (iIndex >= iZone)
- break;
-
 if (!std::isdigit(pData[iIndex]))
 return false;
@@ -1818,43 +1815,44 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
 iIndex += 2;
 }
 }
- if (pData[iIndex] == '.') {
- ++iIndex;
- char strSec[4];
- strSec[3] = '\0';
- if (!std::isdigit(pData[iIndex]))
- return false;
- strSec[0] = pData[iIndex];
- if (!std::isdigit(pData[iIndex + 1]))
+ if (iIndex < iLength && pData[iIndex] == '.') {
+ constexpr int kSubSecondLength = 3;
+ if (iIndex + kSubSecondLength >= iLength)
 return false;
- strSec[1] = pData[iIndex + 1];
- if (!std::isdigit(pData[iIndex + 2]))
- return false;
+ ++iIndex;
+ char strSec[kSubSecondLength + 1];
+ for (int i = 0; i < kSubSecondLength; ++i) {
+ char c = pData[iIndex + i];
+ if (!std::isdigit(c))
+ return false;
+ strSec[i] = c;
+ }
+ strSec[kSubSecondLength] = '\0';
- strSec[2] = pData[iIndex + 2];
 iMilliSecond = FXSYS_atoi(strSec);
 if (iMilliSecond > 100) {
 iMilliSecond = 0;
 return false;
 }
- iIndex += 3;
+ iIndex += kSubSecondLength;
 }
- if (pData[iIndex] == 'z' || pData[iIndex] == 'Z')
+
+ if (iIndex < iLength && FXSYS_tolower(pData[iIndex]) == 'z')
 return true;
 int32_t iSign = 1;
- if (pData[iIndex] == '+') {
- ++iIndex;
- } else if (pData[iIndex] == '-') {
- iSign = -1;
- ++iIndex;
+ if (iIndex < iLength) {
+ if (pData[iIndex] == '+') {
+ ++iIndex;
+ } else if (pData[iIndex] == '-') {
+ iSign = -1;
+ ++iIndex;
+ }
 }
 iPos = 0;
 while (iIndex < iLength) {
- if (iIndex >= iLength)
- return false;
 if (!std::isdigit(pData[iIndex]))
 return false;
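Review bot: In the new sub-second loop of the second hunk, `std::isdigit(c)` receives a plain `char`, which is undefined behaviour for byte values above 0x7F wherever `char` is signed; as pData presumably carries document-supplied text, the call should read `if (!std::isdigit(static_cast<unsigned char>(c)))`. The same cast is missing on the unchanged `std::isdigit(pData[iIndex])` context lines in both hunks. The unchanged `if (iMilliSecond > 100)` rejects most values that three digits can encode, which looks unintended and is worth confirming while this block is being touched. The diffstat lists only this one file, so no test pins the truncated inputs the new `iIndex < iLength` guards are meant to reject (a string that ends at the `.` or right after the seconds field); a unit test for those cases would keep the bounds checks from regressing. IsIsoTimeFormat starts and ends outside these hunks, so the index arithmetic before and between them is not covered by this note.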
@@ -1932,12 +1930,8 @@ bool CXFA_FM2JSContext::IsIsoDateTimeFormat(const char* pData,
 (iLength - iIndex != 15)) {
 return true;
 }
- if (!IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
- iSecond, iMillionSecond, iZoneHour, iZoneMinute)) {
- return false;
- }
-
- return true;
+ return IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
+ iSecond, iMillionSecond, iZoneHour, iZoneMinute);
 }
 // static |