authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
commitf265ee5a5f0e96d1a91111f4f27eb2f1edd8835a (patch)
tree61752f617913671b60e9c0cfb2f6c21fb652fc26
parent9c7b0940569ee5eb1794e8db4e47ecaf3a64315d (diff)
downloadpdfium-f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a.tar.xz
Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check to make sure the offset is less than the size of the string in GetNextChar(). BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
-rw-r--r--core/include/fpdfapi/fpdf_resource.h141
-rw-r--r--core/src/fpdfapi/fpdf_font/font_int.h4
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font.cpp4
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp10
-rw-r--r--core/src/fpdfapi/fpdf_page/fpdf_page.cpp4
-rw-r--r--core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp4
-rw-r--r--core/src/fpdftext/fpdf_text.cpp2
7 files changed, 73 insertions, 96 deletions
diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h
index 54e1c97ee7..3050985567 100644
--- a/core/include/fpdfapi/fpdf_resource.h
+++ b/core/include/fpdfapi/fpdf_resource.h
@@ -164,11 +164,13 @@ public:
return m_Font.GetFace();
}
-
-
- virtual FX_DWORD GetNextChar(FX_LPCSTR pString, int& offset) const
+ virtual FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
{
- return (FX_BYTE)pString[offset++];
+ if (offset < 0 || nStrLen < 1) {
+ return 0;
+ }
+ FX_BYTE ch = offset < nStrLen ? pString[offset++] : pString[nStrLen-1];
+ return static_cast<FX_DWORD>(ch);
}
virtual int CountChar(FX_LPCSTR pString, int size) const
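Review bot: The fallback on the new line `FX_BYTE ch = offset < nStrLen ? pString[offset++] : pString[nStrLen-1];` returns the final byte for an out-of-range offset without advancing offset, whereas the CPDF_CMap override in fpdf_font_cid.cpp returns 0 in the same situation, so the two implementations disagree on what an exhausted string yields; a caller that loops on a fixed count rather than on offset (DrawTextString's `for (int i = 0; i < nChars; i ++)` in fpdf_render_text.cpp) would see a repeated last byte from one and zeros from the other. The simpler guard `if (offset < 0 || offset >= nStrLen) return 0;` followed by `return static_cast<FX_DWORD>(static_cast<FX_BYTE>(pString[offset++]));` gives the same bounds safety, drops the extra nStrLen-1 read, and matches the CMap path. Whichever fallback is kept, the contract should be stated above the declaration, e.g. `// nStrLen is the byte length of pString; offset is advanced only when a byte is actually consumed, and an out-of-range offset yields a sentinel rather than reading past the buffer.` pString itself is still not null-checked, as before the change.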
@@ -512,99 +514,74 @@ public:
virtual ~CPDF_CIDFont();
- FX_BOOL LoadGB2312();
- virtual int GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph = NULL);
- virtual int GetCharWidthF(FX_DWORD charcode, int level = 0);
- virtual void GetCharBBox(FX_DWORD charcode, FX_RECT& rect, int level = 0);
-
- FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
+ FX_BOOL LoadGB2312();
+ virtual int GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph = NULL);
+ virtual int GetCharWidthF(FX_DWORD charcode, int level = 0);
+ virtual void GetCharBBox(FX_DWORD charcode, FX_RECT& rect, int level = 0);
+ FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
- FX_BOOL IsTrueType()
+ FX_BOOL IsTrueType()
{
return !m_bType1;
}
+ virtual FX_DWORD GetNextChar(const FX_LPCSTR pString, int nStrLen, int& offset) const override;
+ virtual int CountChar(const FX_LPCSTR pString, int size) const;
+ virtual int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
+ virtual int GetCharSize(FX_DWORD charcode) const;
- virtual FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- virtual int CountChar(const FX_CHAR* pString, int size) const;
- virtual int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
- virtual int GetCharSize(FX_DWORD charcode) const;
-
-
- int GetCharset() const
+ int GetCharset() const
{
return m_Charset;
}
- FX_LPCBYTE GetCIDTransform(FX_WORD CID) const;
-
-
+ FX_LPCBYTE GetCIDTransform(FX_WORD CID) const;
+ virtual FX_BOOL IsVertWriting() const;
+ short GetVertWidth(FX_WORD CID) const;
+ void GetVertOrigin(FX_WORD CID, short& vx, short& vy) const;
+ virtual FX_BOOL IsUnicodeCompatible() const;
+ virtual FX_BOOL IsFontStyleFromCharCode(FX_DWORD charcode) const;
- virtual FX_BOOL IsVertWriting() const;
-
- short GetVertWidth(FX_WORD CID) const;
-
- void GetVertOrigin(FX_WORD CID, short& vx, short& vy) const;
-
- virtual FX_BOOL IsUnicodeCompatible() const;
- virtual FX_BOOL IsFontStyleFromCharCode(FX_DWORD charcode) const;
protected:
- friend class CPDF_Font;
- virtual FX_BOOL _Load();
- virtual FX_WCHAR _UnicodeFromCharCode(FX_DWORD charcode) const;
- virtual FX_DWORD _CharCodeFromUnicode(FX_WCHAR Unicode) const;
- int GetGlyphIndex(FX_DWORD unicodeb, FX_BOOL *pVertGlyph);
-
- CPDF_CMap* m_pCMap;
-
- CPDF_CMap* m_pAllocatedCMap;
-
- CPDF_CID2UnicodeMap* m_pCID2UnicodeMap;
-
- int m_Charset;
-
- FX_BOOL m_bType1;
-
- CPDF_StreamAcc* m_pCIDToGIDMap;
- FX_BOOL m_bCIDIsGID;
-
-
-
- FX_WORD m_DefaultWidth;
-
- FX_WORD* m_pAnsiWidths;
-
- FX_SMALL_RECT m_CharBBox[256];
-
- CFX_DWordArray m_WidthList;
-
- short m_DefaultVY;
-
- short m_DefaultW1;
-
- CFX_DWordArray m_VertMetrics;
-
-
- void LoadMetricsArray(CPDF_Array* pArray, CFX_DWordArray& result, int nElements);
-
- void LoadSubstFont();
+ friend class CPDF_Font;
+ virtual FX_BOOL _Load();
+ virtual FX_WCHAR _UnicodeFromCharCode(FX_DWORD charcode) const;
+ virtual FX_DWORD _CharCodeFromUnicode(FX_WCHAR Unicode) const;
+ int GetGlyphIndex(FX_DWORD unicodeb, FX_BOOL *pVertGlyph);
+
+ CPDF_CMap* m_pCMap;
+ CPDF_CMap* m_pAllocatedCMap;
+ CPDF_CID2UnicodeMap* m_pCID2UnicodeMap;
+ int m_Charset;
+ FX_BOOL m_bType1;
+ CPDF_StreamAcc* m_pCIDToGIDMap;
+ FX_BOOL m_bCIDIsGID;
+ FX_WORD m_DefaultWidth;
+ FX_WORD* m_pAnsiWidths;
+ FX_SMALL_RECT m_CharBBox[256];
+ CFX_DWordArray m_WidthList;
+ short m_DefaultVY;
+ short m_DefaultW1;
+ CFX_DWordArray m_VertMetrics;
+
+ void LoadMetricsArray(CPDF_Array* pArray, CFX_DWordArray& result, int nElements);
+ void LoadSubstFont();
FX_BOOL m_bAdobeCourierStd;
-
- CFX_CTTGSUBTable* m_pTTGSUBTable;
+ CFX_CTTGSUBTable* m_pTTGSUBTable;
};
-#define PDFCS_DEVICEGRAY 1
-
-#define PDFCS_DEVICERGB 2
-#define PDFCS_DEVICECMYK 3
-#define PDFCS_CALGRAY 4
-#define PDFCS_CALRGB 5
-#define PDFCS_LAB 6
-#define PDFCS_ICCBASED 7
-#define PDFCS_SEPARATION 8
-#define PDFCS_DEVICEN 9
-#define PDFCS_INDEXED 10
-#define PDFCS_PATTERN 11
+
+#define PDFCS_DEVICEGRAY 1
+#define PDFCS_DEVICERGB 2
+#define PDFCS_DEVICECMYK 3
+#define PDFCS_CALGRAY 4
+#define PDFCS_CALRGB 5
+#define PDFCS_LAB 6
+#define PDFCS_ICCBASED 7
+#define PDFCS_SEPARATION 8
+#define PDFCS_DEVICEN 9
+#define PDFCS_INDEXED 10
+#define PDFCS_PATTERN 11
class CPDF_ColorSpace : public CFX_Object
{
public:
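Review bot: Within the reindented CPDF_CIDFont block, `override` is added only on GetNextChar while the neighbouring virtuals that appear to override CPDF_Font as well (CountChar, AppendChar, GetCharSize, IsVertWriting, IsUnicodeCompatible, IsFontStyleFromCharCode) keep the bare `virtual` form; marking all of them consistently would let the compiler catch a future signature drift like the one this commit is fixing. The declaration also spells the first parameter `const FX_LPCSTR pString` while the definition at fpdf_font_cid.cpp uses plain `FX_LPCSTR pString`; the top-level const is ignored for overload purposes but the mismatch is confusing, so the declaration should read `virtual FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const override;`. The rest of this hunk looks like whitespace-only reflow and needs nothing further.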
diff --git a/core/src/fpdfapi/fpdf_font/font_int.h b/core/src/fpdfapi/fpdf_font/font_int.h
index 6048ba981d..43f4e302af 100644
--- a/core/src/fpdfapi/fpdf_font/font_int.h
+++ b/core/src/fpdfapi/fpdf_font/font_int.h
@@ -95,8 +95,8 @@ public:
FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
FX_DWORD CharCodeFromCID(FX_WORD CID) const;
int GetCharSize(FX_DWORD charcode) const;
- FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- int CountChar(const FX_CHAR* pString, int size) const;
+ FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const;
+ int CountChar(FX_LPCSTR pString, int size) const;
int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
typedef enum {OneByte, TwoBytes, MixedTwoBytes, MixedFourBytes} CodingScheme;
protected:
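Review bot: The same quantity is now named `nStrLen` on GetNextChar and `size` on the adjacent CountChar, and neither declaration says what it is; aligning the names and adding a one-line comment (e.g. `// nStrLen / size: byte length of pString, used to bound every read`) would make the new bound check discoverable from the header. If `size` is widely used at call sites, keeping it and renaming the new parameter to `size` is the smaller change.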
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
FX_LPCSTR src_buf = str;
int src_pos = 0;
while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
CFX_WideString unicode = UnicodeFromCharCode(charcode);
if (!unicode.IsEmpty()) {
result += unicode;
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
int offset = 0;
int width = 0;
while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
width += GetCharWidthF(charcode);
}
return width;
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 1ce91f9ed6..0d193e2189 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -491,7 +491,7 @@ static int _CheckCodeRange(FX_LPBYTE codes, int size, _CMap_CodeRange* pRanges,
}
return 0;
}
-FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
{
switch (m_CodingScheme) {
case OneByte:
@@ -524,7 +524,7 @@ FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
}
return charcode;
}
- if (char_size == 4) {
+ if (char_size == 4 || offset == nStrLen) {
return 0;
}
codes[char_size ++] = ((FX_LPBYTE)pString)[offset++];
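Review bot: The new bound `if (char_size == 4 || offset == nStrLen)` uses equality, so it only protects the read on the next line if offset never exceeds nStrLen on entry; since offset is caller-supplied, `offset >= nStrLen` costs nothing and also covers a stale or negative-wrapped offset (a negative offset is not rejected here, unlike the base-class version in fpdf_resource.h). The enclosing switch starts before this hunk and its other cases (OneByte, TwoBytes, MixedTwoBytes) are not shown; if they index pString[offset] directly they need the same nStrLen guard, since a two-byte read beginning at offset == nStrLen - 1 would still run one past the end. On the truncated-sequence path the bytes already gathered into codes[] are dropped and 0 is returned, which is reasonable but worth a comment such as `// Truncated multi-byte code at end of string: stop consuming and report 0.` GetNextChar's body continues outside the hunk.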
@@ -576,7 +576,7 @@ int CPDF_CMap::CountChar(FX_LPCSTR pString, int size) const
case MixedFourBytes: {
int count = 0, offset = 0;
while (offset < size) {
- GetNextChar(pString, offset);
+ GetNextChar(pString, size, offset);
count ++;
}
return count;
@@ -1317,9 +1317,9 @@ int CPDF_CIDFont::GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph)
FX_LPCBYTE pdata = m_pCIDToGIDMap->GetData() + byte_pos;
return pdata[0] * 256 + pdata[1];
}
-FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
{
- return m_pCMap->GetNextChar(pString, offset);
+ return m_pCMap->GetNextChar(pString, nStrLen, offset);
}
int CPDF_CIDFont::GetCharSize(FX_DWORD charcode) const
{
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
index 590a01aa6d..ccdfb9fcbb 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
@@ -247,7 +247,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
FX_LPCSTR segment = pStrs[i];
int offset = 0, len = pStrs[i].GetLength();
while (offset < len) {
- m_pCharCodes[index++] = pFont->GetNextChar(segment, offset);
+ m_pCharCodes[index++] = pFont->GetNextChar(segment, len, offset);
}
if (i != nsegs - 1) {
m_pCharPos[index - 1] = pKerning[i];
@@ -256,7 +256,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
}
} else {
int offset = 0;
- m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], offset);
+ m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], pStrs[0].GetLength(), offset);
}
}
void CPDF_TextObject::SetText(const CFX_ByteString& str)
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
index f99f7cec38..0ea7ea1672 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
@@ -613,7 +613,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
FX_DWORD* pCharCodes;
FX_FLOAT* pCharPos;
if (nChars == 1) {
- charcode = pFont->GetNextChar(str, offset);
+ charcode = pFont->GetNextChar(str, str.GetLength(), offset);
pCharCodes = (FX_DWORD*)(FX_UINTPTR)charcode;
pCharPos = NULL;
} else {
@@ -621,7 +621,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
pCharPos = FX_Alloc(FX_FLOAT, nChars - 1);
FX_FLOAT cur_pos = 0;
for (int i = 0; i < nChars; i ++) {
- pCharCodes[i] = pFont->GetNextChar(str, offset);
+ pCharCodes[i] = pFont->GetNextChar(str, str.GetLength(), offset);
if (i) {
pCharPos[i - 1] = cur_pos;
}
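Review bot: `str.GetLength()` is re-evaluated on every iteration of `for (int i = 0; i < nChars; i ++)`; hoisting it once before the loop, `int len = str.GetLength();` and passing `len` in both the single-char branch and the loop, reads better and avoids repeating the call (the same applies to the nChars == 1 hunk above). This loop is count-driven rather than offset-driven, so it depends on nChars agreeing with the byte scan performed by GetNextChar; nChars is computed outside the hunk, presumably by CountChar over the same bytes, and that should be confirmed, because with the base-class fallback an overcount would now fill the tail of pCharCodes with the last byte instead of reading past the buffer. DrawTextString's body extends beyond the hunk.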
diff --git a/core/src/fpdftext/fpdf_text.cpp b/core/src/fpdftext/fpdf_text.cpp
index a4a124d5e6..d6d6de9a83 100644
--- a/core/src/fpdftext/fpdf_text.cpp
+++ b/core/src/fpdftext/fpdf_text.cpp
@@ -181,7 +181,7 @@ CTextBaseLine* CTextPage::InsertTextBox(CTextBaseLine* pBaseLine, FX_FLOAT basey
FX_LPCSTR pStr = str;
int len = str.GetLength(), offset = 0;
while (offset < len) {
- FX_DWORD ch = pFont->GetNextChar(pStr, offset);
+ FX_DWORD ch = pFont->GetNextChar(pStr, len, offset);
CFX_WideString unicode_str = pFont->UnicodeFromCharCode(ch);
if (unicode_str.IsEmpty()) {
text += (FX_WCHAR)ch;