author | Tom Sepez <tsepez@chromium.org> | 2018-09-13 17:41:52 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-09-13 17:41:52 +0000 |
commit | a5d7ad3aa8feb08a14b5cca173d673054c1ade23 (patch) | |
tree | 259f0c17f5b7a2e09f80948f8b5cc8a04fdb7874 /core/fxcrt/fx_number.cpp | |
parent | aebace3bd14eaf72d43f63d90700cd1b0fa049ca (diff) | |
Introduce FX_Number class as a replacement for FX_atonum().
The issue with FX_atonum() is that it doesn't return any information
about whether it range-checked its integer values as a signed or
unsigned type, even though it knows this as part of its processing.
Rather than adding another out parameter to that function, create
a class to hold all this information together.
This is the first place things went astray while diagnosing
bug 882959, in that a large positive value was cast to float as a
negative value. Unfortunately, this doesn't affect the related bug,
but is a step in the right direction.
Change-Id: I0977ec8fccf85e2632a962507bdd30a1cbe6d33c
Reviewed-on: https://pdfium-review.googlesource.com/42353
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcrt/fx_number.cpp')
-rw-r--r-- | core/fxcrt/fx_number.cpp | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/core/fxcrt/fx_number.cpp b/core/fxcrt/fx_number.cpp
new file mode 100644
index 0000000000..68d5bd9b32
--- /dev/null
+++ b/core/fxcrt/fx_number.cpp
@@ -0,0 +1,104 @@
+// Copyright 2018 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
+
+#include "core/fxcrt/fx_number.h"
+
+#include <limits>
+
+#include "core/fxcrt/fx_extension.h"
+#include "core/fxcrt/fx_string.h"
+
+FX_Number::FX_Number()
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(0) {}
+
+FX_Number::FX_Number(uint32_t value)
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(value) {}
+
+FX_Number::FX_Number(int32_t value)
+ : m_bInteger(true), m_bSigned(true), m_SignedValue(value) {}
+
+FX_Number::FX_Number(float value)
+ : m_bInteger(false), m_bSigned(true), m_FloatValue(value) {}
+
+FX_Number::FX_Number(const ByteStringView& strc)
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(0) {
+ if (strc.IsEmpty())
+ return;
+
+ if (strc.Contains('.')) {
+ m_bInteger = false;
+ m_bSigned = true;
+ m_FloatValue = FX_atof(strc);
+ return;
+ }
+
+ // Note, numbers in PDF are typically of the form 123, -123, etc. But,
+ // for things like the Permissions on the encryption hash the number is
+ // actually an unsigned value. We use a uint32_t so we can deal with the
+ // unsigned and then check for overflow if the user actually signed the value.
+ // The Permissions flag is listed in Table 3.20 PDF 1.7 spec.
+ pdfium::base::CheckedNumeric<uint32_t> unsigned_val = 0;
+ bool bNegative = false;
+ size_t cc = 0;
+ if (strc[0] == '+') {
+ cc++;
+ m_bSigned = true;
+ } else if (strc[0] == '-') {
+ bNegative = true;
+ m_bSigned = true;
+ cc++;
+ }
+
+ while (cc < strc.GetLength() && std::isdigit(strc[cc])) {
+ unsigned_val = unsigned_val * 10 + FXSYS_DecimalCharToInt(strc.CharAt(cc));
+ if (!unsigned_val.IsValid())
+ break;
+ cc++;
+ }
+
+ uint32_t uValue = unsigned_val.ValueOrDefault(0);
+ if (!m_bSigned) {
+ m_UnsignedValue = uValue;
+ return;
+ }
+
+ // We have a sign, so if the value was greater then the signed integer
+ // limits, then we've overflowed and must reset to the default value.
+ constexpr uint32_t uLimit =
+ static_cast<uint32_t>(std::numeric_limits<int>::max());
+
+ if (uValue > (bNegative ? uLimit + 1 : uLimit))
+ uValue = 0;
+
+ // Switch back to the int space so we can flip to a negative if we need.
+ int32_t value = static_cast<int32_t>(uValue);
+ if (bNegative) {
+ // |value| is usually positive, except in the corner case of "-2147483648",
+ // where |uValue| is 2147483648. When it gets casted to an int, |value|
+ // becomes -2147483648. For this case, avoid undefined behavior, because
+ // an int32_t cannot represent 2147483648.
+ static constexpr int kMinInt = std::numeric_limits<int>::min();
+ m_SignedValue = LIKELY(value != kMinInt) ? -value : kMinInt;
+ } else {
+ m_SignedValue = value;
+ }
+}
+
+uint32_t FX_Number::GetUnsigned() const {
+ return m_bInteger ? m_UnsignedValue : static_cast<uint32_t>(m_FloatValue);
+}
+
+int32_t FX_Number::GetSigned() const {
+ return m_bInteger ? m_SignedValue : static_cast<int32_t>(m_FloatValue);
+}
+
+float FX_Number::GetFloat() const {
+ if (!m_bInteger)
+ return m_FloatValue;
+
+ return m_bSigned ? static_cast<float>(m_SignedValue)
+ : static_cast<float>(m_UnsignedValue);
+}
|
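Review bot: `GetUnsigned()` and `GetSigned()` convert `m_FloatValue` with a plain `static_cast`, which is undefined behaviour when the float is NaN or lies outside the target type's range. That float is whatever `FX_atof()` produced from document text, so a real with a magnitude beyond 32 bits, or a negative real read through `GetUnsigned()`, reaches the cast unchecked. A saturating conversion would give a defined result, for example `return m_bInteger ? m_SignedValue : pdfium::base::saturated_cast<int32_t>(m_FloatValue);` and the same with `uint32_t` in `GetUnsigned()`, provided the safe-conversions header is reachable from this file. Separately, the digit loop in the string constructor calls `std::isdigit` while the file includes only `<limits>`; add `#include <cctype>` rather than relying on a transitive include.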