Change return value of GetAvailInput

This changes the return value from uint32_t to FX_FILESIZE, which is
the type the methods is uses return. The existing code does an
unguarded static cast, so something like -1 could cause a very large
value being returned.

This change has a cascading impact up to the top of the progressive
codec, which now has to handle negative values gracefully.

Change-Id: I813fb71e932dd5da014dbaed0dbf3bb28f8d4e9f
Reviewed-on: https://pdfium-review.googlesource.com/26450
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>

5 files changed, 11 insertions, 6 deletions

diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
index 56f11fd4cb..71909d2732 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.cpp
@@ -649,7 +649,7 @@ void CFX_BmpDecompressor::SetInputBuffer(uint8_t* src_buf, uint32_t src_size) {
       pdfium::MakeRetain<CFX_MemoryStream>(src_buf, src_size, false);
 }
 
-uint32_t CFX_BmpDecompressor::GetAvailInput(uint8_t** avail_buf) {
+FX_FILESIZE CFX_BmpDecompressor::GetAvailInput(uint8_t** avail_buf) {
   if (!input_buffer_)
     return 0;
 
diff --git a/core/fxcodec/bmp/cfx_bmpdecompressor.h b/core/fxcodec/bmp/cfx_bmpdecompressor.h
index eece78c7ca..152a2bd0ee 100644
--- a/core/fxcodec/bmp/cfx_bmpdecompressor.h
+++ b/core/fxcodec/bmp/cfx_bmpdecompressor.h
@@ -25,7 +25,7 @@ class CFX_BmpDecompressor {
   int32_t DecodeImage();
   int32_t ReadHeader();
   void SetInputBuffer(uint8_t* src_buf, uint32_t src_size);
-  uint32_t GetAvailInput(uint8_t** avail_buf);
+  FX_FILESIZE GetAvailInput(uint8_t** avail_buf);
 
   jmp_buf jmpbuf_;
 
diff --git a/core/fxcodec/codec/ccodec_bmpmodule.cpp b/core/fxcodec/codec/ccodec_bmpmodule.cpp
index e41b3dfd60..eb9bdf84f5 100644
--- a/core/fxcodec/codec/ccodec_bmpmodule.cpp
+++ b/core/fxcodec/codec/ccodec_bmpmodule.cpp
@@ -63,8 +63,8 @@ int32_t CCodec_BmpModule::LoadImage(Context* pContext) {
   return ctx->m_Bmp.DecodeImage();
 }
 
-uint32_t CCodec_BmpModule::GetAvailInput(Context* pContext,
-                                         uint8_t** avail_buf_ptr) {
+FX_FILESIZE CCodec_BmpModule::GetAvailInput(Context* pContext,
+                                            uint8_t** avail_buf_ptr) {
   auto* ctx = static_cast<CFX_BmpContext*>(pContext);
   return ctx->m_Bmp.GetAvailInput(avail_buf_ptr);
 }
diff --git a/core/fxcodec/codec/ccodec_bmpmodule.h b/core/fxcodec/codec/ccodec_bmpmodule.h
index 8a33f66eac..9eef8867c6 100644
--- a/core/fxcodec/codec/ccodec_bmpmodule.h
+++ b/core/fxcodec/codec/ccodec_bmpmodule.h
@@ -33,7 +33,7 @@ class CCodec_BmpModule {
   ~CCodec_BmpModule();
 
   std::unique_ptr<Context> Start(Delegate* pDelegate);
-  uint32_t GetAvailInput(Context* pContext, uint8_t** avail_buf_ptr);
+  FX_FILESIZE GetAvailInput(Context* pContext, uint8_t** avail_buf_ptr);
   void Input(Context* pContext, const uint8_t* src_buf, uint32_t src_size);
   int32_t ReadHeader(Context* pContext,
                      int32_t* width,
diff --git a/core/fxcodec/codec/fx_codec_progress.cpp b/core/fxcodec/codec/fx_codec_progress.cpp
index 82b0168f6e..7e29524b2f 100644
--- a/core/fxcodec/codec/fx_codec_progress.cpp
+++ b/core/fxcodec/codec/fx_codec_progress.cpp
@@ -836,7 +836,12 @@ bool CCodec_ProgressiveDecoder::BmpReadMoreData(CCodec_BmpModule* pBmpModule,
     return false;
 
   dwSize = dwSize - m_offSet;
-  uint32_t dwAvail = pBmpModule->GetAvailInput(m_pBmpContext.get(), nullptr);
+  FX_SAFE_UINT32 avail_input =
+      pBmpModule->GetAvailInput(m_pBmpContext.get(), nullptr);
+  if (!avail_input.IsValid())
+    return false;
+
+  uint32_t dwAvail = avail_input.ValueOrDie();
   if (dwAvail == m_SrcSize) {
     if (dwSize > FXCODEC_BLOCK_SIZE) {
       dwSize = FXCODEC_BLOCK_SIZE;