author | Tom Sepez <tsepez@chromium.org> | 2015-05-18 14:18:08 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-05-18 14:18:08 -0700 |
commit | 31b3a2b31a50f83ed100e01485013fd871399f45 (patch) | |
tree | aeece5130880a698b56eec044d73925e7e5ae7f3 /core/src/fpdfapi | |
parent | a88e3a16ae711f6523ad3a40a08d774b72adc9eb (diff) | |
download | pdfium-31b3a2b31a50f83ed100e01485013fd871399f45.tar.xz |
Add safe FX_Alloc2D() macro
This avoids unchecked multiplications when computing a size argument
to malloc(). Such an overflow is very scary, and can result in
exploitable bugs.
Along the way, kill off some return checks, since we know this can't
return NULL.
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1143663004
Diffstat (limited to 'core/src/fpdfapi')
-rw-r--r-- | core/src/fpdfapi/fpdf_edit/fpdf_edit_image.cpp | 2 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp | 2 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 8 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp | 10 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_filters.cpp | 2 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp | 2 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp | 2 |
7 files changed, 14 insertions, 14 deletions
diff --git a/core/src/fpdfapi/fpdf_edit/fpdf_edit_image.cpp b/core/src/fpdfapi/fpdf_edit/fpdf_edit_image.cpp
index 3a3756de5d..1328fcdf96 100644
--- a/core/src/fpdfapi/fpdf_edit/fpdf_edit_image.cpp
+++ b/core/src/fpdfapi/fpdf_edit/fpdf_edit_image.cpp
@@ -162,7 +162,7 @@ void CPDF_Image::SetImage(const CFX_DIBitmap* pBitmap, FX_INT32 iCompress, IFX_F
 pCS->AddName(FX_BSTRC("Indexed"));
 pCS->AddName(FX_BSTRC("DeviceRGB"));
 pCS->AddInteger(iPalette - 1);
- FX_LPBYTE pColorTable = FX_Alloc(FX_BYTE, iPalette * 3);
+ FX_LPBYTE pColorTable = FX_Alloc2D(FX_BYTE, iPalette, 3);
 FX_LPBYTE ptr = pColorTable;
 for (FX_INT32 i = 0; i < iPalette; i ++) {
 FX_DWORD argb = pBitmap->GetPaletteArgb(i);
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 6911942c0e..a08660c52f 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -254,7 +254,7 @@ void CPDF_CMapParser::ParseWord(FX_BSTR word)
 if (nSegs > 1) {
 m_pCMap->m_CodingScheme = CPDF_CMap::MixedFourBytes;
 m_pCMap->m_nCodeRanges = nSegs;
- m_pCMap->m_pLeadingBytes = FX_Alloc(FX_BYTE, nSegs * sizeof(_CMap_CodeRange));
+ m_pCMap->m_pLeadingBytes = FX_Alloc2D(FX_BYTE, nSegs, sizeof(_CMap_CodeRange));
 FXSYS_memcpy32(m_pCMap->m_pLeadingBytes, m_CodeRanges.GetData(), nSegs * sizeof(_CMap_CodeRange));
 } else if (nSegs == 1) {
 m_pCMap->m_CodingScheme = (m_CodeRanges[0].m_CharSize == 2) ? CPDF_CMap::TwoBytes : CPDF_CMap::OneByte;
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
index b6bf7950ff..8b9ff8ea96 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
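Review bot: In the CPDF_CMapParser::ParseWord hunk of fpdf_font_cid.cpp, the `FXSYS_memcpy32` call on the line after the new allocation still computes `nSegs * sizeof(_CMap_CodeRange)` by hand, so the buffer size and the copy length are derived separately and only the first is overflow-checked. Because the checked allocation runs first, the second product should not wrap as long as it is evaluated at the same width, but that depends on the size parameter type of `FXSYS_memcpy32`, which is not visible in this diff. I would add a comment on the copy such as `// Length equals the checked allocation above; keep the two in sync.` so a later edit to one side is not made without the other. The enclosing function starts and ends outside the hunk.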
@@ -643,7 +643,7 @@ FX_BOOL CPDF_ICCBasedCS::v_Load(CPDF_Document* pDoc, CPDF_Array* pArray)
 }
 }
 CPDF_Array* pRanges = pDict->GetArray(FX_BSTRC("Range"));
- m_pRanges = FX_Alloc(FX_FLOAT, m_nComponents * 2);
+ m_pRanges = FX_Alloc2D(FX_FLOAT, m_nComponents, 2);
 for (int i = 0; i < m_nComponents * 2; i ++) {
 if (pRanges) {
 m_pRanges[i] = pRanges->GetNumber(i);
@@ -715,8 +715,8 @@ void CPDF_ICCBasedCS::TranslateImageLine(FX_LPBYTE pDestBuf, FX_LPCBYTE pSrcBuf,
 CPDF_ModuleMgr::Get()->GetIccModule()->TranslateScanline(m_pProfile->m_pTransform, pDestBuf, pSrcBuf, pixels);
 } else {
 if (m_pCache == NULL) {
- ((CPDF_ICCBasedCS*)this)->m_pCache = FX_Alloc(FX_BYTE, nMaxColors * 3);
- FX_LPBYTE temp_src = FX_Alloc(FX_BYTE, nMaxColors * m_nComponents);
+ ((CPDF_ICCBasedCS*)this)->m_pCache = FX_Alloc2D(FX_BYTE, nMaxColors, 3);
+ FX_LPBYTE temp_src = FX_Alloc2D(FX_BYTE, nMaxColors, m_nComponents);
 FX_LPBYTE pSrc = temp_src;
 for (int i = 0; i < nMaxColors; i ++) {
 FX_DWORD color = i;
@@ -804,7 +804,7 @@ FX_BOOL CPDF_IndexedCS::v_Load(CPDF_Document* pDoc, CPDF_Array* pArray)
 }
 m_pCountedBaseCS = pDocPageData->FindColorSpacePtr(m_pBaseCS->GetArray());
 m_nBaseComponents = m_pBaseCS->CountComponents();
- m_pCompMinMax = FX_Alloc(FX_FLOAT, m_nBaseComponents * 2);
+ m_pCompMinMax = FX_Alloc2D(FX_FLOAT, m_nBaseComponents, 2);
 FX_FLOAT defvalue;
 for (int i = 0; i < m_nBaseComponents; i ++) {
 m_pBaseCS->GetDefaultValue(i, defvalue, m_pCompMinMax[i * 2], m_pCompMinMax[i * 2 + 1]);
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
index bd1cdb6434..8ec490a9e8 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp
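Review bot: In the CPDF_ICCBasedCS::v_Load hunk, the loop bound on the line after the new allocation still evaluates `m_nComponents * 2` as an unchecked product, so the checked multiplication protects the allocation size but not the index range that walks the buffer. If `m_nComponents` is a signed int taken from the document and is not range-validated earlier in the function (that part is outside the hunk), a value the allocator accepts could still overflow in the loop condition, which is undefined behaviour for signed arithmetic. The same pattern remains in the two CPDF_Function::Init hunks of fpdf_page_func.cpp (`m_nInputs * 2` and `m_nOutputs * 2`). A comment at each site stating where the count is bounded, for example `// m_nComponents is validated above, so m_nComponents * 2 cannot overflow`, or an explicit bound check before the allocation, would make the invariant auditable.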
@@ -670,8 +670,8 @@ FX_BOOL CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj)
 }
 }
 CPDF_Array* pArray1 = pDict->GetArray(FX_BSTRC("C1"));
- m_pBeginValues = FX_Alloc(FX_FLOAT, m_nOutputs * 2);
- m_pEndValues = FX_Alloc(FX_FLOAT, m_nOutputs * 2);
+ m_pBeginValues = FX_Alloc2D(FX_FLOAT, m_nOutputs, 2);
+ m_pEndValues = FX_Alloc2D(FX_FLOAT, m_nOutputs, 2);
 for (int i = 0; i < m_nOutputs; i ++) {
 m_pBeginValues[i] = pArray0 ? pArray0->GetFloat(i) : 0.0f;
 m_pEndValues[i] = pArray1 ? pArray1->GetFloat(i) : 1.0f;
@@ -768,7 +768,7 @@ FX_BOOL CPDF_StitchFunc::v_Init(CPDF_Object* pObj)
 m_pBounds[i + 1] = pArray->GetFloat(i);
 }
 m_pBounds[m_nSubs] = m_pDomains[1];
- m_pEncode = FX_Alloc(FX_FLOAT, m_nSubs * 2);
+ m_pEncode = FX_Alloc2D(FX_FLOAT, m_nSubs, 2);
 pArray = pDict->GetArray(FX_BSTRC("Encode"));
 if (pArray == NULL) {
 return FALSE;
@@ -857,7 +857,7 @@ FX_BOOL CPDF_Function::Init(CPDF_Object* pObj)
 if (m_nInputs == 0) {
 return FALSE;
 }
- m_pDomains = FX_Alloc(FX_FLOAT, m_nInputs * 2);
+ m_pDomains = FX_Alloc2D(FX_FLOAT, m_nInputs, 2);
 for (int i = 0; i < m_nInputs * 2; i ++) {
 m_pDomains[i] = pDomains->GetFloat(i);
 }
@@ -865,7 +865,7 @@ FX_BOOL CPDF_Function::Init(CPDF_Object* pObj)
 m_nOutputs = 0;
 if (pRanges) {
 m_nOutputs = pRanges->GetCount() / 2;
- m_pRanges = FX_Alloc(FX_FLOAT, m_nOutputs * 2);
+ m_pRanges = FX_Alloc2D(FX_FLOAT, m_nOutputs, 2);
 for (int i = 0; i < m_nOutputs * 2; i ++) {
 m_pRanges[i] = pRanges->GetFloat(i);
 }
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_filters.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_filters.cpp
index ac3f2b29d7..6fa7419a41 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_filters.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_filters.cpp
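Review bot: In the CPDF_ExpIntFunc::v_Init hunk, `m_pBeginValues` and `m_pEndValues` are each sized for `m_nOutputs * 2` floats, yet the loop visible right after the allocations assigns only indices `0` to `m_nOutputs - 1` of each array. Unless code later in the function (outside the hunk) fills the upper half, the factor of 2 is either an over-allocation or leaves half of each buffer without an assigned value; whether the allocator zero-fills is not visible in this diff. Since the commit touches these lines anyway, I would either confirm no reader indexes past `m_nOutputs` and size them as `FX_Alloc(FX_FLOAT, m_nOutputs)`, or add a comment such as `// Sized 2 * m_nOutputs because <reason>; entries past m_nOutputs are unused here.`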
@@ -296,7 +296,7 @@ void CPDF_DecryptFilter::v_FilterFinish(CFX_BinaryBuf& dest_buf)
 extern "C" {
 static void* my_alloc_func (void* opaque, unsigned int items, unsigned int size)
 {
- return FX_Alloc(FX_BYTE, items * size);
+ return FX_Alloc2D(FX_BYTE, items, size);
 }
 static void my_free_func (void* opaque, void* address)
 {
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp
index 658fc47266..83d5f0a4c1 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp
@@ -43,7 +43,7 @@ void CPDF_PageRenderCache::CacheOptimization(FX_INT32 dwLimitCacheSize)
 return;
 }
 int nCount = m_ImageCaches.GetCount();
- CACHEINFO* pCACHEINFO = (CACHEINFO*)FX_Alloc(FX_BYTE, (sizeof (CACHEINFO)) * nCount);
+ CACHEINFO* pCACHEINFO = (CACHEINFO*)FX_Alloc2D(FX_BYTE, sizeof(CACHEINFO), nCount);
 FX_POSITION pos = m_ImageCaches.GetStartPosition();
 int i = 0;
 while (pos) {
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
index 2d7e1aeb93..f9eec23f7a 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp
@@ -422,7 +422,7 @@ static void _DrawLatticeGouraudShading(CFX_DIBitmap* pBitmap, CFX_AffineMatrix*
 if (!stream.Load(pShadingStream, pFuncs, nFuncs, pCS)) {
 return;
 }
- CPDF_MeshVertex* vertex = FX_Alloc(CPDF_MeshVertex, row_verts * 2);
+ CPDF_MeshVertex* vertex = FX_Alloc2D(CPDF_MeshVertex, row_verts, 2);
 if (!stream.GetVertexRow(vertex, row_verts, pObject2Bitmap)) {
 FX_Free(vertex);
 return; |
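Review bot: `my_alloc_func` in fpdf_parser_filters.cpp is missing a comment on its failure behaviour, which matters because it sits in an `extern "C"` block next to `my_free_func` and appears to be an allocation callback handed to a C library. The commit message says the FX allocation path cannot return NULL, so an `items * size` overflow or an out-of-memory condition inside this callback presumably ends the process rather than being reported to the library as a failed allocation. That is a safe default, but a reader of the callback would want it stated: `// Overflow-checked; never returns NULL, so the caller's allocation-failure path is not reached.`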
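Review bot: The new call in CPDF_PageRenderCache::CacheOptimization passes `sizeof(CACHEINFO)` as the first dimension and `nCount` as the second, the reverse of the other byte-sized call sites in this commit (`nSegs, sizeof(_CMap_CodeRange)` and `items, size`), which put the count first. The product is the same, but a mixed argument order makes the call sites harder to audit, and allocating FX_BYTE then casting hides the element type. `CACHEINFO* pCACHEINFO = FX_Alloc(CACHEINFO, nCount);` would express the allocation without the cast, assuming FX_Alloc applies a checked size computation for its `sizeof` factor; its definition is not part of this diff. The enclosing function continues outside the hunk.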