author | Tom Sepez <tsepez@chromium.org> | 2016-02-19 14:22:56 -0800 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2016-02-19 14:22:56 -0800 |
commit | 78353d5dbc0b0c9b2d6946005439a51efa7d108c (patch) | |
tree | 2d0048714b8630cd22b2f8e3129318ed93ee945d /core/include/fxcrt | |
parent | 711046ac7043ebeec2b0c9a5eb168418cd07a876 (diff) | |
download | pdfium-78353d5dbc0b0c9b2d6946005439a51efa7d108c.tar.xz |
Use safe arithmetic in CFX_BinaryBuf::ExpandBuf.
Always call ExpandBuf(), and if it returns, we know the
subsequent calculations won't overflow.
Also use std::unique_ptr, and fix unintentional copies thus
detected by its suppressed copy ctor in fsdk_baseform.cpp
Also Remove unused CFX_BinaryBuf::TakeOver(), AppendFill(), CopyData().
Also remove operator= in favor of using <<, for similarity
with std::ostream and friends.
Also move ByteStringC methods to CFX_ByteTextBuf sub-class.
Also re-order members, may pack tighter on 64-bits.
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1710403002 .
Diffstat (limited to 'core/include/fxcrt')
-rw-r--r-- | core/include/fxcrt/fx_basic.h | 110 | ||||
-rw-r--r-- | core/include/fxcrt/fx_safe_types.h | 1 |
2 files changed, 42 insertions, 69 deletions
diff --git a/core/include/fxcrt/fx_basic.h b/core/include/fxcrt/fx_basic.h index 7f47122dea..4402856996 100644 --- a/core/include/fxcrt/fx_basic.h +++ b/core/include/fxcrt/fx_basic.h @@ -8,6 +8,7 @@ #define CORE_INCLUDE_FXCRT_FX_BASIC_H_ #include <algorithm> +#include <memory> #include "core/include/fxcrt/fx_memory.h" #include "core/include/fxcrt/fx_stream.h" 
@@ -29,109 +30,90 @@ template <typename T, size_t N> char(&ArraySizeHelper(T(&array)[N]))[N]; +// Used with std::unique_ptr to FX_Free raw memory. +struct FxFreeDeleter { + inline void operator()(void* ptr) const { FX_Free(ptr); } +}; + +// Used with std::unique_ptr to Release() objects that can't be deleted. +template <class T> +struct ReleaseDeleter { + inline void operator()(T* ptr) const { ptr->Release(); } +}; + class CFX_BinaryBuf { public: CFX_BinaryBuf(); - CFX_BinaryBuf(FX_STRSIZE size); + explicit CFX_BinaryBuf(FX_STRSIZE size); - ~CFX_BinaryBuf(); + uint8_t* GetBuffer() const { return m_pBuffer.get(); } + FX_STRSIZE GetSize() const { return m_DataSize; } void Clear(); - void EstimateSize(FX_STRSIZE size, FX_STRSIZE alloc_step = 0); - void AppendBlock(const void* pBuf, FX_STRSIZE size); - - void AppendFill(uint8_t byte, FX_STRSIZE count); - void AppendString(const CFX_ByteStringC& str) { AppendBlock(str.GetPtr(), str.GetLength()); } - inline void AppendByte(uint8_t byte) { - if (m_AllocSize <= m_DataSize) { - ExpandBuf(1); - } - m_pBuffer[m_DataSize++] = byte; + void AppendByte(uint8_t byte) { + ExpandBuf(1); + m_pBuffer.get()[m_DataSize++] = byte; } void InsertBlock(FX_STRSIZE pos, const void* pBuf, FX_STRSIZE size); - - void AttachData(void* pBuf, FX_STRSIZE size); - - void CopyData(const void* pBuf, FX_STRSIZE size); - - void TakeOver(CFX_BinaryBuf& other); - void Delete(int start_index, int count); - uint8_t* GetBuffer() const { return m_pBuffer; } + // Takes ownership of |pBuf|. + void AttachData(uint8_t* pBuf, FX_STRSIZE size); - FX_STRSIZE GetSize() const { return m_DataSize; } - - CFX_ByteStringC GetByteString() const; - - void DetachBuffer(); + // Releases ownership of |m_pBuffer| and returns it. 
+ uint8_t* DetachBuffer(); protected: - FX_STRSIZE m_AllocStep; - - uint8_t* m_pBuffer; - - FX_STRSIZE m_DataSize; + void ExpandBuf(FX_STRSIZE size); + FX_STRSIZE m_AllocStep; FX_STRSIZE m_AllocSize; - - void ExpandBuf(FX_STRSIZE size); + FX_STRSIZE m_DataSize; + std::unique_ptr<uint8_t, FxFreeDeleter> m_pBuffer; }; + class CFX_ByteTextBuf : public CFX_BinaryBuf { public: - void operator=(const CFX_ByteStringC& str); - void AppendChar(int ch) { AppendByte((uint8_t)ch); } + FX_STRSIZE GetLength() const { return m_DataSize; } + CFX_ByteStringC GetByteString() const; CFX_ByteTextBuf& operator<<(int i); - CFX_ByteTextBuf& operator<<(FX_DWORD i); - CFX_ByteTextBuf& operator<<(double f); - CFX_ByteTextBuf& operator<<(const CFX_ByteStringC& lpsz); - CFX_ByteTextBuf& operator<<(const CFX_ByteTextBuf& buf); - - FX_STRSIZE GetLength() const { return m_DataSize; } }; + class CFX_WideTextBuf : public CFX_BinaryBuf { public: - void operator=(const FX_WCHAR* lpsz); - - void operator=(const CFX_WideStringC& str); - void AppendChar(FX_WCHAR wch); - - CFX_WideTextBuf& operator<<(int i); - - CFX_WideTextBuf& operator<<(double f); - - CFX_WideTextBuf& operator<<(const FX_WCHAR* lpsz); - - CFX_WideTextBuf& operator<<(const CFX_WideStringC& str); - CFX_WideTextBuf& operator<<(const CFX_WideString& str); - - CFX_WideTextBuf& operator<<(const CFX_WideTextBuf& buf); - FX_STRSIZE GetLength() const { return m_DataSize / sizeof(FX_WCHAR); } - - FX_WCHAR* GetBuffer() const { return (FX_WCHAR*)m_pBuffer; } + FX_WCHAR* GetBuffer() const { + return reinterpret_cast<FX_WCHAR*>(m_pBuffer.get()); + } + CFX_WideStringC GetWideString() const; void Delete(int start_index, int count) { CFX_BinaryBuf::Delete(start_index * sizeof(FX_WCHAR), count * sizeof(FX_WCHAR)); } - CFX_WideStringC GetWideString() const; + CFX_WideTextBuf& operator<<(int i); + CFX_WideTextBuf& operator<<(double f); + CFX_WideTextBuf& operator<<(const FX_WCHAR* lpsz); + CFX_WideTextBuf& operator<<(const CFX_WideStringC& str); + 
CFX_WideTextBuf& operator<<(const CFX_WideString& str); + CFX_WideTextBuf& operator<<(const CFX_WideTextBuf& buf); }; + #ifdef PDF_ENABLE_XFA class CFX_ArchiveSaver { public: @@ -1031,16 +1013,6 @@ class CFX_AutoRestorer { const T m_OldValue; }; -struct FxFreeDeleter { - inline void operator()(void* ptr) const { FX_Free(ptr); } -}; - -// Used with std::unique_ptr to Release() objects that can't be deleted. -template <class T> -struct ReleaseDeleter { - inline void operator()(T* ptr) const { ptr->Release(); } -}; - #define FX_DATALIST_LENGTH 1024 template <size_t unit> class CFX_SortListArray { diff --git a/core/include/fxcrt/fx_safe_types.h b/core/include/fxcrt/fx_safe_types.h index aec1ca7e96..6ae3ee1054 100644 --- a/core/include/fxcrt/fx_safe_types.h +++ b/core/include/fxcrt/fx_safe_types.h @@ -15,5 +15,6 @@ typedef pdfium::base::CheckedNumeric<FX_DWORD> FX_SAFE_DWORD; typedef pdfium::base::CheckedNumeric<int32_t> FX_SAFE_INT32; typedef pdfium::base::CheckedNumeric<size_t> FX_SAFE_SIZE_T; typedef pdfium::base::CheckedNumeric<FX_FILESIZE> FX_SAFE_FILESIZE; +typedef pdfium::base::CheckedNumeric<FX_STRSIZE> FX_SAFE_STRSIZE; #endif // CORE_INCLUDE_FXCRT_FX_SAFE_TYPES_H_ |
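Review bot: `AppendByte` now writes `m_pBuffer.get()[m_DataSize++]` straight after an unconditional `ExpandBuf(1)`, so that write is in bounds only if `ExpandBuf` never returns when the size computation overflows or the allocation fails, and nothing in this header states that. `ExpandBuf` returns `void` and its body is not part of this diff (the diffstat is limited to core/include/fxcrt), so the contract is inferred from the commit message alone. I would put it on the declaration, e.g. `// Ensures room for |size| more bytes; must not return if the size computation overflows or allocation fails.` The `AttachData` comment could also say that `pBuf` must come from the FX allocator, since `FxFreeDeleter` will hand it to `FX_Free`.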