author | foxit <jun_fang@foxitsoftware.com> | 2014-07-07 13:53:16 -0700 |
---|---|---|
committer | Bo Xu <bo_xu@foxitsoftware.com> | 2014-07-30 17:29:21 -0700 |
commit | 76c1f6a78104134aae73ce373a31340134cc1f77 (patch) | |
tree | d77983917a05d60c3e2b208934e160eed1c1988a /core/include | |
parent | 45ca87cc05e83e2308dd8f068f3c0a5cab1e1fc9 (diff) | |
Integer overflow in fx_basic.h and fx_memory.h
BUG=382656
R=palmer@chromium.org
Review URL: https://codereview.chromium.org/334573007
Diffstat (limited to 'core/include')
-rw-r--r-- | core/include/fxcrt/fx_basic.h | 12 | ||||
-rw-r--r-- | core/include/fxcrt/fx_memory.h | 16 |
2 files changed, 20 insertions, 8 deletions
diff --git a/core/include/fxcrt/fx_basic.h b/core/include/fxcrt/fx_basic.h index 378d6c30a8..bdb1599491 100644 --- a/core/include/fxcrt/fx_basic.h +++ b/core/include/fxcrt/fx_basic.h @@ -6,6 +6,10 @@ #ifndef _FX_BASIC_H_ #define _FX_BASIC_H_ +#ifndef _STDINT_H_ +#define _STDINT_H_ +#include <stdint.h> +#endif #ifndef _FX_SYSTEM_H_ #include "fx_system.h" #endif @@ -18,6 +22,7 @@ #ifndef _FX_STREAM_H_ #include "fx_stream.h" #endif + class CFX_BinaryBuf : public CFX_Object { public: @@ -776,6 +781,9 @@ public: if (data_size > FixedSize) { m_pData = FX_Allocator_Alloc(m_pAllocator, DataType, data_size); } else { + if (FixedSize > SIZE_MAX/sizeof(DataType)) + return; + FXSYS_memset32(m_Data, 0, sizeof(DataType)*FixedSize); } } @@ -788,6 +796,10 @@ public: if (data_size > FixedSize) { m_pData = FX_Allocator_Alloc(m_pAllocator, DataType, data_size); } else { + + if (FixedSize > SIZE_MAX/sizeof(DataType)) + return; + FXSYS_memset32(m_Data, 0, sizeof(DataType)*FixedSize); } } diff --git a/core/include/fxcrt/fx_memory.h b/core/include/fxcrt/fx_memory.h index cf795fa869..1869ccc0e8 100644 --- a/core/include/fxcrt/fx_memory.h +++ b/core/include/fxcrt/fx_memory.h 
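Review bot: The guard added in the `@@ -6,6 +6,10 @@` hunk defines `_STDINT_H_` itself before including `<stdint.h>`, and that name is reserved for the implementation. On a C library whose own `<stdint.h>` uses `_STDINT_H_` as its include guard, the header body would be skipped and `SIZE_MAX`, which the new checks further down rely on, would stay undefined. System headers carry their own guards, so the four lines can be reduced to a plain `#include <stdint.h>`. Depending on the toolchain and build flags (not visible here), older C++ compilers may also need `__STDC_LIMIT_MACROS` defined before the include for `SIZE_MAX` to appear.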
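Review bot: In the `@@ -776,6 +781,9 @@` hunk, and identically in `@@ -788,6 +796,10 @@`, the new test `FixedSize > SIZE_MAX/sizeof(DataType)` sits on the `else` branch and compares two compile-time quantities, while the caller-supplied `data_size` on the other branch goes to `FX_Allocator_Alloc` with no check visible in the hunk. If `m_Data` is declared as `DataType m_Data[FixedSize]` (the declaration is outside the hunk), the condition cannot be true for any instantiation that compiles, so it reads as protection without adding any. The bare `return;` would also leave `m_Data` unzeroed in a constructed object. I would either drop the test or replace it with a compile-time assertion, and add a comment such as `// data_size * sizeof(DataType) is overflow-checked by the allocator, not here`. Both enclosing functions begin outside their hunks, so how `m_pData` is initialised on the early-return path cannot be confirmed from the diff.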
@@ -117,13 +117,13 @@ extern "C" { #endif typedef struct _IFX_Allocator { - void* (*m_AllocDebug)(struct _IFX_Allocator* pAllocator, size_t size, FX_LPCSTR file, int line); + void* (*m_AllocDebug)(struct _IFX_Allocator* pAllocator, size_t num, size_t size, FX_LPCSTR file, int line); - void* (*m_Alloc)(struct _IFX_Allocator* pAllocator, size_t size); + void* (*m_Alloc)(struct _IFX_Allocator* pAllocator, size_t num, size_t size); - void* (*m_ReallocDebug)(struct _IFX_Allocator* pAllocator, void* p, size_t size, FX_LPCSTR file, int line); + void* (*m_ReallocDebug)(struct _IFX_Allocator* pAllocator, void* p, size_t num, size_t size, FX_LPCSTR file, int line); - void* (*m_Realloc)(struct _IFX_Allocator* pAllocator, void* p, size_t size); + void* (*m_Realloc)(struct _IFX_Allocator* pAllocator, void* p, size_t num, size_t size); void (*m_Free)(struct _IFX_Allocator* pAllocator, void* p); } IFX_Allocator; 
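Review bot: Splitting `size` into `num` and `size` moves the `num * size` overflow check into every `IFX_Allocator` implementation, but the struct carries no comment stating that contract. I would add above `m_AllocDebug`: `/* num = element count, size = bytes per element; implementations must return NULL when num * size would overflow size_t. */`. The four callback signatures also change incompatibly, so any embedder-supplied allocator written against the old single-`size` form needs updating; the implementations are outside this diff, so whether they all perform the check should be confirmed.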
@@ -134,17 +134,17 @@ IFX_Allocator* FXMEM_GetDefAllocator(); #ifdef _DEBUG #define FX_Allocator_Alloc(fxAllocator, type, size) \ - ((fxAllocator) ? (type*)(fxAllocator)->m_AllocDebug((fxAllocator), (size) * sizeof(type), __FILE__, __LINE__) : (FX_Alloc(type, size))) + ((fxAllocator) ? (type*)(fxAllocator)->m_AllocDebug((fxAllocator), (size), sizeof(type), __FILE__, __LINE__) : (FX_Alloc(type, size))) #define FX_Allocator_Realloc(fxAllocator, type, ptr, new_size) \ - ((fxAllocator) ? (type*)(fxAllocator)->m_ReallocDebug((fxAllocator), (ptr), (new_size) * sizeof(type), __FILE__, __LINE__) : (FX_Realloc(type, ptr, new_size))) + ((fxAllocator) ? (type*)(fxAllocator)->m_ReallocDebug((fxAllocator), (ptr), (new_size) , sizeof(type), __FILE__, __LINE__) : (FX_Realloc(type, ptr, new_size))) #else #define FX_Allocator_Alloc(fxAllocator, type, size) \ - ((fxAllocator) ? (type*)(fxAllocator)->m_Alloc((fxAllocator), (size) * sizeof(type)) : (FX_Alloc(type, size))) + ((fxAllocator) ? (type*)(fxAllocator)->m_Alloc((fxAllocator), (size), sizeof(type)) : (FX_Alloc(type, size))) #define FX_Allocator_Realloc(fxAllocator, type, ptr, new_size) \ - ((fxAllocator) ? (type*)(fxAllocator)->m_Realloc((fxAllocator), (ptr), (new_size) * sizeof(type)) : (FX_Realloc(type, ptr, new_size))) + ((fxAllocator) ? (type*)(fxAllocator)->m_Realloc((fxAllocator), (ptr), (new_size), sizeof(type)) : (FX_Realloc(type, ptr, new_size))) #endif #define FX_Allocator_Free(fxAllocator, ptr) \ ((fxAllocator) ? (fxAllocator)->m_Free((fxAllocator), (ptr)) : (FX_Free(ptr))) |
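Review bot: Only the custom-allocator arm of each macro stops multiplying; the null-allocator arm still expands to `FX_Alloc(type, size)` or `FX_Realloc(type, ptr, new_size)`, whose definitions are outside this hunk. Whether the default path is overflow-safe therefore depends on those macros and should be confirmed alongside this change. The macro parameter named `size` is now passed as the callback's `num` while `sizeof(type)` becomes its `size`, which is easy to misread in overflow-sensitive code; renaming the macro parameter to `count` would keep the two meanings apart. As a small style point, `(new_size) , sizeof(type)` in the debug `FX_Allocator_Realloc` has a stray space before the comma.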