diff options
author | JUN FANG <jun_fang@foxitsoftware.com> | 2014-07-30 13:46:39 -0700 |
---|---|---|
committer | JUN FANG <jun_fang@foxitsoftware.com> | 2014-07-30 13:46:39 -0700 |
commit | 8dee6cab8f10a257d3b551ede6ca85466bf0bac7 (patch) | |
tree | 418391fde70ddb1e7ee91d2e14e6c3bbf8f29107 /core/src/fxcrt | |
parent | 0d3b5cc6028550205b56a80ccdd81aecf67e4508 (diff) | |
download | pdfium-8dee6cab8f10a257d3b551ede6ca85466bf0bac7.tar.xz |
Fix the potential integer overflow from 'offset+size' in extension.h and fpdfview.cpp
BUG=397258
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/419063002
Diffstat (limited to 'core/src/fxcrt')
-rw-r--r-- | core/src/fxcrt/extension.h | 46 |
1 files changed, 30 insertions, 16 deletions
diff --git a/core/src/fxcrt/extension.h b/core/src/fxcrt/extension.h index b8dce7c97d..d04d1da550 100644 --- a/core/src/fxcrt/extension.h +++ b/core/src/fxcrt/extension.h @@ -7,8 +7,6 @@ #ifndef _FXCRT_EXTENSION_IMP_ #define _FXCRT_EXTENSION_IMP_ -#include "../../../third_party/numerics/safe_math.h" - class IFXCRT_FileAccess { public: @@ -68,9 +66,17 @@ public: } virtual FX_BOOL SetRange(FX_FILESIZE offset, FX_FILESIZE size) { - if (offset < 0 || offset + size > m_pFile->GetSize()) { + if (offset < 0 || size < 0) { + return FALSE; + } + + FX_SAFE_FILESIZE pos = size; + pos += offset; + + if (!pos.IsValid() || pos.ValueOrDie() >= m_pFile->GetSize()) { return FALSE; } + m_nOffset = offset, m_nSize = size; m_bUseRange = TRUE; m_pFile->SetPosition(m_nOffset); @@ -82,13 +88,18 @@ public: } virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) { + if (m_bUseRange && offset < 0) { + return FALSE; + } + FX_SAFE_FILESIZE pos = offset; + if (m_bUseRange) { - if (offset + size > (size_t)GetSize()) { + pos += m_nOffset; + if (!pos.IsValid() || pos.ValueOrDie() >= (size_t)GetSize()) { return FALSE; } - offset += m_nOffset; } - return (FX_BOOL)m_pFile->ReadPos(buffer, size, offset); + return (FX_BOOL)m_pFile->ReadPos(buffer, size, pos.ValueOrDie()); } virtual size_t ReadBlock(void* buffer, size_t size) { @@ -184,10 +195,12 @@ public: } virtual FX_BOOL SetRange(FX_FILESIZE offset, FX_FILESIZE size) { - base::CheckedNumeric<FX_FILESIZE> range = size; - range += size; - - if (!range.IsValid() || offset <= 0 || size <= 0 || range.ValueOrDie() > m_nCurSize) { + if (offset < 0 || size < 0) { + return FALSE; + } + FX_SAFE_FILESIZE range = size; + range += offset; + if (!range.IsValid() || range.ValueOrDie() >= m_nCurSize) { return FALSE; } @@ -206,7 +219,7 @@ public: return FALSE; } - base::CheckedNumeric<FX_FILESIZE> safeOffset = offset; + FX_SAFE_FILESIZE safeOffset = offset; if (m_bUseRange) { safeOffset += m_nOffset; } @@ -217,9 +230,9 @@ public: offset = safeOffset.ValueOrDie(); - base::CheckedNumeric<size_t> newPos = size; + FX_SAFE_SIZET newPos = size; newPos += offset; - if (!newPos.IsValid() || newPos.ValueOrDefault(0) == 0 || newPos.ValueOrDie() > m_nCurSize) { + if (!newPos.IsValid() || newPos.ValueOrDefault(0) == 0 || newPos.ValueOrDie() >= m_nCurSize) { return FALSE; } @@ -269,7 +282,7 @@ public: offset += (FX_FILESIZE)m_nOffset; } if (m_dwFlags & FX_MEMSTREAM_Consecutive) { - base::CheckedNumeric<size_t> newPos = size; + FX_SAFE_SIZET newPos = size; newPos += offset; if (!newPos.IsValid()) return FALSE; @@ -295,10 +308,11 @@ public: return TRUE; } - base::CheckedNumeric<size_t> newPos = size; + FX_SAFE_SIZET newPos = size; newPos += offset; - if (!newPos.IsValid()) + if (!newPos.IsValid()) { return FALSE; + } if (!ExpandBlocks(newPos.ValueOrDie())) { return FALSE; |