summaryrefslogtreecommitdiff
path: root/core/src/fpdfapi/fpdf_font
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2015-05-18 14:18:08 -0700
committerTom Sepez <tsepez@chromium.org>2015-05-18 14:18:08 -0700
commit31b3a2b31a50f83ed100e01485013fd871399f45 (patch)
treeaeece5130880a698b56eec044d73925e7e5ae7f3 /core/src/fpdfapi/fpdf_font
parenta88e3a16ae711f6523ad3a40a08d774b72adc9eb (diff)
downloadpdfium-31b3a2b31a50f83ed100e01485013fd871399f45.tar.xz
Add safe FX_Alloc2D() macro
This avoids unchecked multiplications when computing a size argument to malloc(). Such an overflow is very scary, and can result in exploitable bugs. Along the way, kill off some return checks, since we know this can't return NULL. R=thestig@chromium.org Review URL: https://codereview.chromium.org/1143663004
Diffstat (limited to 'core/src/fpdfapi/fpdf_font')
-rw-r--r--core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 6911942c0e..a08660c52f 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -254,7 +254,7 @@ void CPDF_CMapParser::ParseWord(FX_BSTR word)
if (nSegs > 1) {
m_pCMap->m_CodingScheme = CPDF_CMap::MixedFourBytes;
m_pCMap->m_nCodeRanges = nSegs;
- m_pCMap->m_pLeadingBytes = FX_Alloc(FX_BYTE, nSegs * sizeof(_CMap_CodeRange));
+ m_pCMap->m_pLeadingBytes = FX_Alloc2D(FX_BYTE, nSegs, sizeof(_CMap_CodeRange));
FXSYS_memcpy32(m_pCMap->m_pLeadingBytes, m_CodeRanges.GetData(), nSegs * sizeof(_CMap_CodeRange));
} else if (nSegs == 1) {
m_pCMap->m_CodingScheme = (m_CodeRanges[0].m_CharSize == 2) ? CPDF_CMap::TwoBytes : CPDF_CMap::OneByte;