diff options
| author | Tom Sepez <tsepez@chromium.org> | 2018-04-12 14:06:29 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-12 14:06:29 +0000 |
| commit | 59a8f48571fc1e1b11f070c54e5d75b8b1c2e9a2 (patch) | |
| tree | 443b15c7a1b376b2802da357b88e93d1c1e65d0d | |
| parent | 7023b8877475dda639a15d623b5a552f88a6812f (diff) | |
| download | pdfium-59a8f48571fc1e1b11f070c54e5d75b8b1c2e9a2.tar.xz | |
Bounds check in CPDF_CMap::GetNextChar.
These were kicked loose when we converted to span<>, and there isn't
any reason to believe that the remaining string is long enough to
complete a multibyte sequence.
Bug: 831100
Change-Id: Iae4363f72b4d7ff088a73994d0fe5dab4077ee9e
Reviewed-on: https://pdfium-review.googlesource.com/30291
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
| -rw-r--r-- | core/fpdfapi/font/cpdf_cmap.cpp | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/core/fpdfapi/font/cpdf_cmap.cpp b/core/fpdfapi/font/cpdf_cmap.cpp index 8e46a75112..d6b4264b6b 100644 --- a/core/fpdfapi/font/cpdf_cmap.cpp +++ b/core/fpdfapi/font/cpdf_cmap.cpp @@ -342,22 +342,24 @@ uint32_t CPDF_CMap::GetNextChar(const ByteStringView& pString, auto pBytes = pString.span(); switch (m_CodingScheme) { case OneByte: { - return pBytes[offset++]; + return offset < pBytes.size() ? pBytes[offset++] : 0; } case TwoBytes: { - uint8_t byte1 = pBytes[offset++]; - return 256 * byte1 + pBytes[offset++]; + uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0; + uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0; + return 256 * byte1 + byte2; } case MixedTwoBytes: { - uint8_t byte1 = pBytes[offset++]; + uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0; if (!m_MixedTwoByteLeadingBytes[byte1]) return byte1; - return 256 * byte1 + pBytes[offset++]; + uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0; + return 256 * byte1 + byte2; } case MixedFourBytes: { uint8_t codes[4]; int char_size = 1; - codes[0] = pBytes[offset++]; + codes[0] = offset < pBytes.size() ? pBytes[offset++] : 0; while (1) { int ret = CheckFourByteCodeRange(codes, char_size, m_MixedFourByteLeadingRanges); |