Fixup integer conversion logic.chromium/2813chromium/2812chromium/2811

In bc8a64029f898286c3dcad3a6cecdc98ef30b139 we updated the FX_atonum logic
to correctly handle integer overflow. This causes issues when parsing the
Permissions flag of encrypted documents as that flag isn't encoded like other
numbers.

The Permissions flag is a unsigned value, and has to be treated as such since
the sign bit is always set. The current logic will detect an overflow of the
int value and return 0. The old logic would have detected the overflow and
returned the negative result regardless.

This CL updates the logic to do the string to int conversion as a uint32_t
and then verifies the uint32_t value, if a sign was provided, fits within
the int range, otherwise it converts it to an int and lets it be positive or
negative as needed.

BUG=pdfium:539

Review-Url: https://codereview.chromium.org/2168173002

1 files changed, 37 insertions, 4 deletions

diff --git a/core/fxcrt/fx_basic_util.cpp b/core/fxcrt/fx_basic_util.cpp
index abd84a864f..663ca93e9c 100644
--- a/core/fxcrt/fx_basic_util.cpp
+++ b/core/fxcrt/fx_basic_util.cpp
@@ -16,8 +16,15 @@
 
 #include <algorithm>
 #include <cctype>
+#include <limits>
 #include <memory>
 
+namespace {
+
+const int kDefaultIntValue = 0;
+
+}  // namespace
+
 bool FX_atonum(const CFX_ByteStringC& strc, void* pData) {
   if (strc.Find('.') != -1) {
     FX_FLOAT* pFloat = static_cast<FX_FLOAT*>(pData);
@@ -25,26 +32,52 @@ bool FX_atonum(const CFX_ByteStringC& strc, void* pData) {
     return false;
   }
 
-  int cc = 0;
-  pdfium::base::CheckedNumeric<int> integer = 0;
+  // Note, numbers in PDF are typically of the form 123, -123, etc. But,
+  // for things like the Permissions on the encryption hash the number is
+  // actually an unsigned value. We use a uint32_t so we can deal with the
+  // unsigned and then check for overflow if the user actually signed the value.
+  // The Permissions flag is listed in Table 3.20 PDF 1.7 spec.
+  pdfium::base::CheckedNumeric<uint32_t> integer = 0;
   bool bNegative = false;
+  bool bSigned = false;
+  int cc = 0;
   if (strc[0] == '+') {
     cc++;
+    bSigned = true;
   } else if (strc[0] == '-') {
     bNegative = true;
+    bSigned = true;
     cc++;
   }
+
   while (cc < strc.GetLength() && std::isdigit(strc[cc])) {
     integer = integer * 10 + FXSYS_toDecimalDigit(strc.CharAt(cc));
     if (!integer.IsValid())
       break;
     cc++;
   }
+
+  // We have a sign, and the value was greater then a regular integer
+  // we've overflowed, reset to the default value.
+  if (bSigned) {
+    if (bNegative) {
+      if (integer.ValueOrDefault(kDefaultIntValue) >
+          static_cast<uint32_t>(std::numeric_limits<int>::max()) + 1) {
+        integer = kDefaultIntValue;
+      }
+    } else if (integer.ValueOrDefault(kDefaultIntValue) >
+               static_cast<uint32_t>(std::numeric_limits<int>::max())) {
+      integer = kDefaultIntValue;
+    }
+  }
+
+  // Switch back to the int space so we can flip to a negative if we need.
+  int value = static_cast<int>(integer.ValueOrDefault(kDefaultIntValue));
   if (bNegative)
-    integer = -integer;
+    value = -value;
 
   int* pInt = static_cast<int*>(pData);
-  *pInt = integer.ValueOrDefault(0);
+  *pInt = value;
   return true;
 }