diff options
| author | John Abd-El-Malek <jam@chromium.org> | 2014-06-04 14:42:19 -0700 |
|---|---|---|
| committer | John Abd-El-Malek <jam@chromium.org> | 2014-06-04 14:42:19 -0700 |
| commit | bb2b1e72929fb78f9d5b64b3732ed9b5cc93af4e (patch) | |
| tree | 90917f85699dbd714cbbad19ad6b23f849b1bfe5 /core/src | |
| parent | 62a7fd6bda145ca3bba0c87102a77e03b5d11037 (diff) | |
| download | pdfium-bb2b1e72929fb78f9d5b64b3732ed9b5cc93af4e.tar.xz | |
Use unsigned type for iteration to avoid int overflow.
If src_len in PDF_DecodeText is larger than 2^31,
2 * max_chars will overflow and the function will produce
an incorrect result.
BUG=none
R=bo_xu@foxitsoftware.com
Review URL: https://codereview.chromium.org/306923006
Diffstat (limited to 'core/src')
| -rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp index 23126365a0..6838f739fa 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp @@ -402,7 +402,7 @@ CFX_WideString PDF_DecodeText(FX_LPCBYTE src_data, FX_DWORD src_len, CFX_CharMap CFX_WideString result; if (src_len >= 2 && ((src_data[0] == 0xfe && src_data[1] == 0xff) || (src_data[0] == 0xff && src_data[1] == 0xfe))) { FX_BOOL bBE = src_data[0] == 0xfe; - int max_chars = (src_len - 2) / 2; + FX_DWORD max_chars = (src_len - 2) / 2; if (!max_chars) { return result; } @@ -412,7 +412,7 @@ CFX_WideString PDF_DecodeText(FX_LPCBYTE src_data, FX_DWORD src_len, CFX_CharMap FX_LPWSTR dest_buf = result.GetBuffer(max_chars); FX_LPCBYTE uni_str = src_data + 2; int dest_pos = 0; - for (int i = 0; i < max_chars * 2; i += 2) { + for (FX_DWORD i = 0; i < max_chars * 2; i += 2) { FX_WORD unicode = bBE ? (uni_str[i] << 8 | uni_str[i + 1]) : (uni_str[i + 1] << 8 | uni_str[i]); if (unicode == 0x1b) { i += 2; |