authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-11 09:33:23 -0700
commitf265ee5a5f0e96d1a91111f4f27eb2f1edd8835a (patch)
tree61752f617913671b60e9c0cfb2f6c21fb652fc26 /core/src/fpdfapi/fpdf_font
parent9c7b0940569ee5eb1794e8db4e47ecaf3a64315d (diff)
Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check to make sure the offset is less than the size of the string in GetNextChar(). BUG=471651 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1067073003
Diffstat (limited to 'core/src/fpdfapi/fpdf_font')
-rw-r--r--core/src/fpdfapi/fpdf_font/font_int.h4
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font.cpp4
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp10
3 files changed, 9 insertions, 9 deletions
diff --git a/core/src/fpdfapi/fpdf_font/font_int.h b/core/src/fpdfapi/fpdf_font/font_int.h
index 6048ba981d..43f4e302af 100644
--- a/core/src/fpdfapi/fpdf_font/font_int.h
+++ b/core/src/fpdfapi/fpdf_font/font_int.h
@@ -95,8 +95,8 @@ public:
FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
FX_DWORD CharCodeFromCID(FX_WORD CID) const;
int GetCharSize(FX_DWORD charcode) const;
- FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- int CountChar(const FX_CHAR* pString, int size) const;
+ FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const;
+ int CountChar(FX_LPCSTR pString, int size) const;
int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
typedef enum {OneByte, TwoBytes, MixedTwoBytes, MixedFourBytes} CodingScheme;
protected:
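Review bot: The new `nStrLen` parameter on `GetNextChar` is undocumented in the header, yet its contract is exactly what keeps the overflow this commit fixes from coming back through a future caller. I would add above the declaration: `// nStrLen: byte length of pString. offset must be < nStrLen on entry; it is advanced past the bytes consumed.` As a point of style, `CountChar` calls the same quantity `size` while `GetNextChar` calls it `nStrLen`; using one name for the two adjacent declarations would make the pairing obvious. The enclosing class starts and ends outside the hunk.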
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
FX_LPCSTR src_buf = str;
int src_pos = 0;
while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
CFX_WideString unicode = UnicodeFromCharCode(charcode);
if (!unicode.IsEmpty()) {
result += unicode;
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
int offset = 0;
int width = 0;
while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
width += GetCharWidthF(charcode);
}
return width;
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 1ce91f9ed6..0d193e2189 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -491,7 +491,7 @@ static int _CheckCodeRange(FX_LPBYTE codes, int size, _CMap_CodeRange* pRanges,
}
return 0;
}
-FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
{
switch (m_CodingScheme) {
case OneByte:
@@ -524,7 +524,7 @@ FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
}
return charcode;
}
- if (char_size == 4) {
+ if (char_size == 4 || offset == nStrLen) {
return 0;
}
codes[char_size ++] = ((FX_LPBYTE)pString)[offset++];
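Review bot: The added guard uses `offset == nStrLen`, which only holds because `offset` advances by exactly one per iteration and every visible caller enters with `offset < size`; a `>=` comparison costs nothing and also covers a caller that passes an offset already past the end, so I would write `if (char_size == 4 || offset >= nStrLen) {`. The first byte of the sequence appears to be read before this loop, outside the hunk, without a length check, so the function still depends on that caller invariant rather than enforcing it; a comment at the top of the case stating the precondition would make that dependency explicit. The other coding schemes in this `switch` are also outside the hunk; if the TwoBytes path reads two bytes unconditionally, an odd-length string has the same exposure and is worth checking in the same commit. Returning 0 for a truncated trailing sequence is indistinguishable from "no matching code range", which callers may want to know about, though the visible loops terminate correctly either way. The enclosing function continues past the hunk.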
@@ -576,7 +576,7 @@ int CPDF_CMap::CountChar(FX_LPCSTR pString, int size) const
case MixedFourBytes: {
int count = 0, offset = 0;
while (offset < size) {
- GetNextChar(pString, offset);
+ GetNextChar(pString, size, offset);
count ++;
}
return count;
@@ -1317,9 +1317,9 @@ int CPDF_CIDFont::GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph)
FX_LPCBYTE pdata = m_pCIDToGIDMap->GetData() + byte_pos;
return pdata[0] * 256 + pdata[1];
}
-FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
{
- return m_pCMap->GetNextChar(pString, offset);
+ return m_pCMap->GetNextChar(pString, nStrLen, offset);
}
int CPDF_CIDFont::GetCharSize(FX_DWORD charcode) const
{
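Review bot: `CPDF_CIDFont::GetNextChar` forwards `nStrLen` to `m_pCMap->GetNextChar` with no statement of the contract it is passing along, so a reader of this wrapper cannot tell that the bound check lives in the CMap or what `offset` must satisfy on entry; a one-line comment, `// Delegates to the CMap; nStrLen is the byte length of pString and offset must be < nStrLen on entry.`, would close that gap. `m_pCMap` is dereferenced without a null check here; whether it is guaranteed non-null by construction cannot be seen from this hunk. The context lines just above, `pdata[0] * 256 + pdata[1]` at `GetData() + byte_pos`, are the same raw-index pattern this commit is fixing elsewhere; `byte_pos` is computed above the hunk, so whether it is compared against the stream size cannot be judged here, but it deserves a look in the same pass. `GlyphFromCharCode` begins outside the hunk and `GetCharSize` continues past it.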