summaryrefslogtreecommitdiff
path: root/core/fxcrt/fx_number.cpp
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2018-09-13 17:41:52 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-09-13 17:41:52 +0000
commita5d7ad3aa8feb08a14b5cca173d673054c1ade23 (patch)
tree259f0c17f5b7a2e09f80948f8b5cc8a04fdb7874 /core/fxcrt/fx_number.cpp
parentaebace3bd14eaf72d43f63d90700cd1b0fa049ca (diff)
downloadpdfium-a5d7ad3aa8feb08a14b5cca173d673054c1ade23.tar.xz
Introduce FX_Number class as a replacement for FX_atonum().
The issue with FX_atonum() is that it doesn't return any information about whether it range-checked its integer values as a signed or unsigned type, even though it knows this as part of its processing. Rather than adding another out parameter to that function, create a class to hold all this information together. This is the first place things went astray while diagnosing bug 882959, in that a large positive value was cast to float as a negative value. Unfortunately, this doesn't affect the related bug, but is a step in the right direction. Change-Id: I0977ec8fccf85e2632a962507bdd30a1cbe6d33c Reviewed-on: https://pdfium-review.googlesource.com/42353 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcrt/fx_number.cpp')
-rw-r--r--core/fxcrt/fx_number.cpp104
1 files changed, 104 insertions, 0 deletions
diff --git a/core/fxcrt/fx_number.cpp b/core/fxcrt/fx_number.cpp
new file mode 100644
index 0000000000..68d5bd9b32
--- /dev/null
+++ b/core/fxcrt/fx_number.cpp
@@ -0,0 +1,104 @@
+// Copyright 2018 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
+
+#include "core/fxcrt/fx_number.h"
+
+#include <limits>
+
+#include "core/fxcrt/fx_extension.h"
+#include "core/fxcrt/fx_string.h"
+
+FX_Number::FX_Number()
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(0) {}
+
+FX_Number::FX_Number(uint32_t value)
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(value) {}
+
+FX_Number::FX_Number(int32_t value)
+ : m_bInteger(true), m_bSigned(true), m_SignedValue(value) {}
+
+FX_Number::FX_Number(float value)
+ : m_bInteger(false), m_bSigned(true), m_FloatValue(value) {}
+
+FX_Number::FX_Number(const ByteStringView& strc)
+ : m_bInteger(true), m_bSigned(false), m_UnsignedValue(0) {
+ if (strc.IsEmpty())
+ return;
+
+ if (strc.Contains('.')) {
+ m_bInteger = false;
+ m_bSigned = true;
+ m_FloatValue = FX_atof(strc);
+ return;
+ }
+
+ // Note, numbers in PDF are typically of the form 123, -123, etc. But,
+ // for things like the Permissions on the encryption hash the number is
+ // actually an unsigned value. We use a uint32_t so we can deal with the
+ // unsigned and then check for overflow if the user actually signed the value.
+ // The Permissions flag is listed in Table 3.20 PDF 1.7 spec.
+ pdfium::base::CheckedNumeric<uint32_t> unsigned_val = 0;
+ bool bNegative = false;
+ size_t cc = 0;
+ if (strc[0] == '+') {
+ cc++;
+ m_bSigned = true;
+ } else if (strc[0] == '-') {
+ bNegative = true;
+ m_bSigned = true;
+ cc++;
+ }
+
+ while (cc < strc.GetLength() && std::isdigit(strc[cc])) {
+ unsigned_val = unsigned_val * 10 + FXSYS_DecimalCharToInt(strc.CharAt(cc));
+ if (!unsigned_val.IsValid())
+ break;
+ cc++;
+ }
+
+ uint32_t uValue = unsigned_val.ValueOrDefault(0);
+ if (!m_bSigned) {
+ m_UnsignedValue = uValue;
+ return;
+ }
+
+ // We have a sign, so if the value was greater then the signed integer
+ // limits, then we've overflowed and must reset to the default value.
+ constexpr uint32_t uLimit =
+ static_cast<uint32_t>(std::numeric_limits<int>::max());
+
+ if (uValue > (bNegative ? uLimit + 1 : uLimit))
+ uValue = 0;
+
+ // Switch back to the int space so we can flip to a negative if we need.
+ int32_t value = static_cast<int32_t>(uValue);
+ if (bNegative) {
+ // |value| is usually positive, except in the corner case of "-2147483648",
+ // where |uValue| is 2147483648. When it gets casted to an int, |value|
+ // becomes -2147483648. For this case, avoid undefined behavior, because
+ // an int32_t cannot represent 2147483648.
+ static constexpr int kMinInt = std::numeric_limits<int>::min();
+ m_SignedValue = LIKELY(value != kMinInt) ? -value : kMinInt;
+ } else {
+ m_SignedValue = value;
+ }
+}
+
+uint32_t FX_Number::GetUnsigned() const {
+ return m_bInteger ? m_UnsignedValue : static_cast<uint32_t>(m_FloatValue);
+}
+
+int32_t FX_Number::GetSigned() const {
+ return m_bInteger ? m_SignedValue : static_cast<int32_t>(m_FloatValue);
+}
+
+float FX_Number::GetFloat() const {
+ if (!m_bInteger)
+ return m_FloatValue;
+
+ return m_bSigned ? static_cast<float>(m_SignedValue)
+ : static_cast<float>(m_UnsignedValue);
+}