Fix parsing of object numbers > 16,777,216.

Currently, there is a check that an object number is <= 0x1000000. If that
check fails, we end up putting the parser into a bad state and fail to load
documents. The object does not need to be in the XRef table, or referenced
from the document, just be in the document.

This Cl removes the size check and updates the various atoi calls to use a
uint32_t instead of an int32_t so we don't end up getting strange values when
converting from a string.

BUG=455199
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1755273002 .

2 files changed, 103 insertions, 10 deletions

diff --git a/core/src/fxcrt/fx_basic_gcc.cpp b/core/src/fxcrt/fx_basic_gcc.cpp
index d905d6b498..607f095570 100644
--- a/core/src/fxcrt/fx_basic_gcc.cpp
+++ b/core/src/fxcrt/fx_basic_gcc.cpp
@@ -13,20 +13,21 @@
 
 template <class T>
 T FXSYS_StrToInt(const FX_CHAR* str) {
-  FX_BOOL neg = FALSE;
+  bool neg = false;
   if (!str)
     return 0;
 
-  if (*str == '-') {
-    neg = TRUE;
+  if (std::numeric_limits<T>::is_signed && *str == '-') {
+    neg = true;
     str++;
   }
   T num = 0;
   while (*str && std::isdigit(*str)) {
-    if (num > (std::numeric_limits<T>::max() - 9) / 10)
+    T val = FXSYS_toDecimalDigit(*str);
+    if (num > (std::numeric_limits<T>::max() - val) / 10)
       break;
 
-    num = num * 10 + FXSYS_toDecimalDigit(*str);
+    num = num * 10 + val;
     str++;
   }
   return neg ? -num : num;
@@ -34,20 +35,21 @@ T FXSYS_StrToInt(const FX_CHAR* str) {
 
 template <class T>
 T FXSYS_StrToInt(const FX_WCHAR* str) {
-  FX_BOOL neg = FALSE;
+  bool neg = false;
   if (!str)
     return 0;
 
-  if (*str == '-') {
-    neg = TRUE;
+  if (std::numeric_limits<T>::is_signed && *str == '-') {
+    neg = true;
     str++;
   }
   T num = 0;
   while (*str && std::iswdigit(*str)) {
-    if (num > (std::numeric_limits<T>::max() - 9) / 10)
+    T val = FXSYS_toDecimalDigitWide(*str);
+    if (num > (std::numeric_limits<T>::max() - val) / 10)
       break;
 
-    num = num * 10 + FXSYS_toDecimalDigitWide(*str);
+    num = num * 10 + val;
     str++;
   }
   return neg ? -num : num;
@@ -93,6 +95,9 @@ extern "C" {
 int32_t FXSYS_atoi(const FX_CHAR* str) {
   return FXSYS_StrToInt<int32_t>(str);
 }
+uint32_t FXSYS_atoui(const FX_CHAR* str) {
+  return FXSYS_StrToInt<uint32_t>(str);
+}
 int32_t FXSYS_wtoi(const FX_WCHAR* str) {
   return FXSYS_StrToInt<int32_t>(str);
 }
diff --git a/core/src/fxcrt/fx_basic_gcc_unittest.cpp b/core/src/fxcrt/fx_basic_gcc_unittest.cpp
new file mode 100644
index 0000000000..eb1e0669ae
--- /dev/null
+++ b/core/src/fxcrt/fx_basic_gcc_unittest.cpp
@@ -0,0 +1,88 @@
+// Copyright 2016 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/include/fxcrt/fx_system.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+TEST(fxcrt, FXSYS_atoi) {
+  EXPECT_EQ(0, FXSYS_atoi(""));
+  EXPECT_EQ(0, FXSYS_atoi("0"));
+  EXPECT_EQ(-1, FXSYS_atoi("-1"));
+  EXPECT_EQ(2345, FXSYS_atoi("2345"));
+  EXPECT_EQ(2147483647, FXSYS_atoi("2147483647"));
+  EXPECT_EQ(-2147483647, FXSYS_atoi("-2147483647"));
+  EXPECT_EQ(9, FXSYS_atoi("9x9"));
+
+  // TODO(dsinclair): These are all wacky .....
+  EXPECT_EQ(2147483623, FXSYS_atoi("2147483623423412348"));
+  EXPECT_EQ(214748364, FXSYS_atoi("2147483648"));
+  // The digit is parsed as a positive value, so we end up not being able to
+  // handle the largest possible negative value.
+  EXPECT_EQ(-214748364, FXSYS_atoi("-2147483648"));
+}
+
+TEST(fxcrt, FXSYS_atoi64) {
+  EXPECT_EQ(0, FXSYS_atoi64(""));
+  EXPECT_EQ(0, FXSYS_atoi64("0"));
+  EXPECT_EQ(-1, FXSYS_atoi64("-1"));
+  EXPECT_EQ(2345, FXSYS_atoi64("2345"));
+  EXPECT_EQ(9223372036854775807LL, FXSYS_atoi64("9223372036854775807"));
+  EXPECT_EQ(-9223372036854775807LL, FXSYS_atoi64("-9223372036854775807"));
+  EXPECT_EQ(9, FXSYS_atoi64("9x9"));
+
+  // TODO(dsinclair): These are all wacky .....
+  EXPECT_EQ(9223372036854712341LL, FXSYS_atoi64("922337203685471234123475807"));
+  EXPECT_EQ(922337203685477580LL, FXSYS_atoi64("9223372036854775808"));
+  // The digit is parsed as a positive value, so we end up not being able to
+  // handle the largest possible negative value.
+  EXPECT_EQ(-922337203685477580LL, FXSYS_atoi64("-9223372036854775808"));
+}
+
+TEST(fxcrt, FXSYS_wtoi) {
+  EXPECT_EQ(0, FXSYS_wtoi(L""));
+  EXPECT_EQ(0, FXSYS_wtoi(L"0"));
+  EXPECT_EQ(-1, FXSYS_wtoi(L"-1"));
+  EXPECT_EQ(2345, FXSYS_wtoi(L"2345"));
+  EXPECT_EQ(2147483647, FXSYS_wtoi(L"2147483647"));
+  EXPECT_EQ(-2147483647, FXSYS_wtoi(L"-2147483647"));
+  EXPECT_EQ(9, FXSYS_wtoi64(L"9x9"));
+
+  // TODO(dsinclair): These are all wacky .....
+  EXPECT_EQ(2147483623, FXSYS_wtoi(L"2147483623423412348"));
+  EXPECT_EQ(214748364, FXSYS_wtoi(L"2147483648"));
+  // The digit is parsed as a positive value, so we end up not being able to
+  // handle the largest possible negative value.
+  EXPECT_EQ(-214748364, FXSYS_wtoi(L"-2147483648"));
+}
+
+TEST(fxcrt, FXSYS_wtoi64) {
+  EXPECT_EQ(0, FXSYS_wtoi64(L""));
+  EXPECT_EQ(0, FXSYS_wtoi64(L"0"));
+  EXPECT_EQ(-1, FXSYS_wtoi64(L"-1"));
+  EXPECT_EQ(2345, FXSYS_wtoi64(L"2345"));
+  EXPECT_EQ(9223372036854775807LL, FXSYS_wtoi64(L"9223372036854775807"));
+  EXPECT_EQ(-9223372036854775807LL, FXSYS_wtoi64(L"-9223372036854775807"));
+  EXPECT_EQ(9, FXSYS_wtoi64(L"9x9"));
+
+  // TODO(dsinclair): These are all wacky .....
+  EXPECT_EQ(9223372036854712341LL,
+            FXSYS_wtoi64(L"922337203685471234123475807"));
+  EXPECT_EQ(922337203685477580LL, FXSYS_wtoi64(L"9223372036854775808"));
+  // The digit is parsed as a positive value, so we end up not being able to
+  // handle the largest possible negative value.
+  EXPECT_EQ(-922337203685477580LL, FXSYS_wtoi64(L"-9223372036854775808"));
+}
+
+TEST(fxcrt, FXSYS_atoui) {
+  EXPECT_EQ(0, FXSYS_atoui(""));
+  EXPECT_EQ(0, FXSYS_atoui("0"));
+  EXPECT_EQ(0, FXSYS_atoui("-1"));
+  EXPECT_EQ(2345, FXSYS_atoui("2345"));
+  EXPECT_EQ(4294967295, FXSYS_atoui("4294967295"));
+  EXPECT_EQ(9, FXSYS_atoui("9x9"));
+
+  // TODO(dsinclair): These are all wacky .....
+  EXPECT_EQ(2147483623, FXSYS_atoi("2147483623423412348"));
+  EXPECT_EQ(429496729, FXSYS_atoi("4294967296"));
+}