diff options
author | dsinclair <dsinclair@chromium.org> | 2016-09-21 12:49:36 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-09-21 12:49:36 -0700 |
commit | c0f60dc29db66262bbc0082fcd51170a570b0d1f (patch) | |
tree | 48b53ab54770ab7dc1766d1f94e2b1cfdc386d43 /core/fpdfapi/fpdf_font/fpdf_font_cid.cpp | |
parent | 81d92f8ffc5e632ade8c507b8f2e34c5fe3ca902 (diff) | |
download | pdfium-c0f60dc29db66262bbc0082fcd51170a570b0d1f.tar.xz |
Check for overflow in CMap_GetCode.
Given a large enough value for the character code it's possible to overflow
the conversion to an int. This Cl updates the code to guard against overflow.
BUG=chromium:648739
Review-Url: https://codereview.chromium.org/2358023002
Diffstat (limited to 'core/fpdfapi/fpdf_font/fpdf_font_cid.cpp')
-rw-r--r-- | core/fpdfapi/fpdf_font/fpdf_font_cid.cpp | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp index 3f95ec4a96..96c1ef5753 100644 --- a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp +++ b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp @@ -441,16 +441,22 @@ void CPDF_CMapParser::ParseWord(const CFX_ByteStringC& word) { // Static. uint32_t CPDF_CMapParser::CMap_GetCode(const CFX_ByteStringC& word) { - int num = 0; + pdfium::base::CheckedNumeric<uint32_t> num = 0; if (word.GetAt(0) == '<') { - for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i) + for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i) { num = num * 16 + FXSYS_toHexDigit(word.GetAt(i)); - return num; + if (!num.IsValid()) + return 0; + } + return num.ValueOrDie(); } - for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i) + for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i) { num = num * 10 + FXSYS_toDecimalDigit(static_cast<FX_WCHAR>(word.GetAt(i))); - return num; + if (!num.IsValid()) + return 0; + } + return num.ValueOrDie(); } // Static. |