Fix integer overflow in Buffer_itoa when passing INT_MIN.

Bug: chromium:760034 Change-Id: Id0862749b1454e065de4de7d746a27e78ac58e30 Reviewed-on: https://pdfium-review.googlesource.com/12730 Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
author: Henrique Nakashima <hnakashima@chromium.org> 2017-09-01 12:14:26 -0400
committer: Chromium commit bot <commit-bot@chromium.org> 2017-09-01 16:30:01 +0000
commit: dce09b18b48837d8006694b9dc3b2d026e5e7869 (patch)
tree: b5fe9a3a84503e94da73a13559700e290e45f29e
parent: 57cb5447d68c01eddba0618c3a8fe450b180f917 (diff)
download: pdfium-dce09b18b48837d8006694b9dc3b2d026e5e7869.tar.xz
5 files changed, 21 insertions, 34 deletions
diff --git a/core/fpdfapi/parser/cpdf_number.cpp b/core/fpdfapi/parser/cpdf_number.cpp
index 50c48d6cb8..9afe30adca 100644
--- a/core/fpdfapi/parser/cpdf_number.cpp
+++ b/core/fpdfapi/parser/cpdf_number.cpp
@@ -53,7 +53,7 @@ void CPDF_Number::SetString(const CFX_ByteString& str) {
 }
 
 CFX_ByteString CPDF_Number::GetString() const {
-  return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer, FXFORMAT_SIGNED)
+  return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer)
                     : CFX_ByteString::FormatFloat(m_Float);
 }
 
diff --git a/core/fxcrt/cfx_bytestring.cpp b/core/fxcrt/cfx_bytestring.cpp
index a8b65b5c2f..ab7c9aee99 100644
--- a/core/fxcrt/cfx_bytestring.cpp
+++ b/core/fxcrt/cfx_bytestring.cpp
@@ -27,33 +27,6 @@ template struct std::hash<CFX_ByteString>;
 
 namespace {
 
-int Buffer_itoa(char* buf, int i, uint32_t flags) {
-  if (i == 0) {
-    buf[0] = '0';
-    return 1;
-  }
-  char buf1[32];
-  int buf_pos = 31;
-  uint32_t u = i;
-  if ((flags & FXFORMAT_SIGNED) && i < 0) {
-    u = -i;
-  }
-  int base = 10;
-  const char* str = "0123456789abcdef";
-  while (u != 0) {
-    buf1[buf_pos--] = str[u % base];
-    u = u / base;
-  }
-  if ((flags & FXFORMAT_SIGNED) && i < 0) {
-    buf1[buf_pos--] = '-';
-  }
-  int len = 31 - buf_pos;
-  for (int ii = 0; ii < len; ii++) {
-    buf[ii] = buf1[ii + buf_pos + 1];
-  }
-  return len;
-}
-
 const char* FX_strstr(const char* haystack,
                       int haystack_len,
                       const char* needle,
@@ -499,9 +472,10 @@ void CFX_ByteString::AllocCopy(CFX_ByteString& dest,
 #define FORCE_UNICODE 0x20000
 #define FORCE_INT64 0x40000
 
-CFX_ByteString CFX_ByteString::FormatInteger(int i, uint32_t flags) {
+CFX_ByteString CFX_ByteString::FormatInteger(int i) {
   char buf[32];
-  return CFX_ByteString(buf, Buffer_itoa(buf, i, flags));
+  FXSYS_snprintf(buf, 32, "%d", i);
+  return CFX_ByteString(buf);
 }
 
 void CFX_ByteString::FormatV(const char* pFormat, va_list argList) {
diff --git a/core/fxcrt/cfx_bytestring.h b/core/fxcrt/cfx_bytestring.h
index ff43dab3bd..a47b5f89ab 100644
--- a/core/fxcrt/cfx_bytestring.h
+++ b/core/fxcrt/cfx_bytestring.h
@@ -171,9 +171,7 @@ class CFX_ByteString {
 
   uint32_t GetID() const { return AsStringC().GetID(); }
 
-#define FXFORMAT_SIGNED 1
-
-  static CFX_ByteString FormatInteger(int i, uint32_t flags = 0);
+  static CFX_ByteString FormatInteger(int i);
   static CFX_ByteString FormatFloat(float f, int precision = 0);
 
  protected:
diff --git a/core/fxcrt/cfx_bytestring_unittest.cpp b/core/fxcrt/cfx_bytestring_unittest.cpp
index 497e0b6c2f..a590af3b14 100644
--- a/core/fxcrt/cfx_bytestring_unittest.cpp
+++ b/core/fxcrt/cfx_bytestring_unittest.cpp
@@ -1511,3 +1511,18 @@ TEST(fxcrt, OStreamByteStringCOverload) {
     EXPECT_EQ("abcdef", stream.str());
   }
 }
+
+TEST(fxcrt, ByteStringFormatInteger) {
+  // Base case of 0.
+  EXPECT_EQ("0", CFX_ByteString::FormatInteger(0));
+
+  // Positive ordinary number.
+  EXPECT_EQ("123456", CFX_ByteString::FormatInteger(123456));
+
+  // Negative ordinary number.
+  EXPECT_EQ("-123456", CFX_ByteString::FormatInteger(-123456));
+
+  // int limits.
+  EXPECT_EQ("2147483647", CFX_ByteString::FormatInteger(INT_MAX));
+  EXPECT_EQ("-2147483648", CFX_ByteString::FormatInteger(INT_MIN));
+}
diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 73e6c221dc..b68be12b31 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -5790,7 +5790,7 @@ CFX_ByteString CXFA_FM2JSContext::GenerateSomExpression(
 
   if (iIndexFlags == 1 || iIndexValue == 0) {
     return CFX_ByteString(szName, "[") +
-           CFX_ByteString::FormatInteger(iIndexValue, FXFORMAT_SIGNED) + "]";
+           CFX_ByteString::FormatInteger(iIndexValue) + "]";
   }
   CFX_ByteString szSomExp;
   if (iIndexFlags == 2) {
author	Henrique Nakashima <hnakashima@chromium.org>	2017-09-01 12:14:26 -0400
committer	Chromium commit bot <commit-bot@chromium.org>	2017-09-01 16:30:01 +0000
commit	dce09b18b48837d8006694b9dc3b2d026e5e7869 (patch)
tree	b5fe9a3a84503e94da73a13559700e290e45f29e
parent	57cb5447d68c01eddba0618c3a8fe450b180f917 (diff)
download	pdfium-dce09b18b48837d8006694b9dc3b2d026e5e7869.tar.xz