Fix integer overflow in Buffer_itoa when passing INT_MIN.

Bug: chromium:760034
Change-Id: Id0862749b1454e065de4de7d746a27e78ac58e30
Reviewed-on: https://pdfium-review.googlesource.com/12730
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

4 files changed, 20 insertions, 33 deletions

diff --git a/core/fpdfapi/parser/cpdf_number.cpp b/core/fpdfapi/parser/cpdf_number.cpp
index 50c48d6cb8..9afe30adca 100644
--- a/core/fpdfapi/parser/cpdf_number.cpp
+++ b/core/fpdfapi/parser/cpdf_number.cpp
@@ -53,7 +53,7 @@ void CPDF_Number::SetString(const CFX_ByteString& str) {
 }
 
 CFX_ByteString CPDF_Number::GetString() const {
-  return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer, FXFORMAT_SIGNED)
+  return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer)
                     : CFX_ByteString::FormatFloat(m_Float);
 }
 
diff --git a/core/fxcrt/cfx_bytestring.cpp b/core/fxcrt/cfx_bytestring.cpp
index a8b65b5c2f..ab7c9aee99 100644
--- a/core/fxcrt/cfx_bytestring.cpp
+++ b/core/fxcrt/cfx_bytestring.cpp
@@ -27,33 +27,6 @@ template struct std::hash<CFX_ByteString>;
 
 namespace {
 
-int Buffer_itoa(char* buf, int i, uint32_t flags) {
-  if (i == 0) {
-    buf[0] = '0';
-    return 1;
-  }
-  char buf1[32];
-  int buf_pos = 31;
-  uint32_t u = i;
-  if ((flags & FXFORMAT_SIGNED) && i < 0) {
-    u = -i;
-  }
-  int base = 10;
-  const char* str = "0123456789abcdef";
-  while (u != 0) {
-    buf1[buf_pos--] = str[u % base];
-    u = u / base;
-  }
-  if ((flags & FXFORMAT_SIGNED) && i < 0) {
-    buf1[buf_pos--] = '-';
-  }
-  int len = 31 - buf_pos;
-  for (int ii = 0; ii < len; ii++) {
-    buf[ii] = buf1[ii + buf_pos + 1];
-  }
-  return len;
-}
-
 const char* FX_strstr(const char* haystack,
                       int haystack_len,
                       const char* needle,
@@ -499,9 +472,10 @@ void CFX_ByteString::AllocCopy(CFX_ByteString& dest,
 #define FORCE_UNICODE 0x20000
 #define FORCE_INT64 0x40000
 
-CFX_ByteString CFX_ByteString::FormatInteger(int i, uint32_t flags) {
+CFX_ByteString CFX_ByteString::FormatInteger(int i) {
   char buf[32];
-  return CFX_ByteString(buf, Buffer_itoa(buf, i, flags));
+  FXSYS_snprintf(buf, 32, "%d", i);
+  return CFX_ByteString(buf);
 }
 
 void CFX_ByteString::FormatV(const char* pFormat, va_list argList) {
diff --git a/core/fxcrt/cfx_bytestring.h b/core/fxcrt/cfx_bytestring.h
index ff43dab3bd..a47b5f89ab 100644
--- a/core/fxcrt/cfx_bytestring.h
+++ b/core/fxcrt/cfx_bytestring.h
@@ -171,9 +171,7 @@ class CFX_ByteString {
 
   uint32_t GetID() const { return AsStringC().GetID(); }
 
-#define FXFORMAT_SIGNED 1
-
-  static CFX_ByteString FormatInteger(int i, uint32_t flags = 0);
+  static CFX_ByteString FormatInteger(int i);
   static CFX_ByteString FormatFloat(float f, int precision = 0);
 
  protected:
diff --git a/core/fxcrt/cfx_bytestring_unittest.cpp b/core/fxcrt/cfx_bytestring_unittest.cpp
index 497e0b6c2f..a590af3b14 100644
--- a/core/fxcrt/cfx_bytestring_unittest.cpp
+++ b/core/fxcrt/cfx_bytestring_unittest.cpp
@@ -1511,3 +1511,18 @@ TEST(fxcrt, OStreamByteStringCOverload) {
     EXPECT_EQ("abcdef", stream.str());
   }
 }
+
+TEST(fxcrt, ByteStringFormatInteger) {
+  // Base case of 0.
+  EXPECT_EQ("0", CFX_ByteString::FormatInteger(0));
+
+  // Positive ordinary number.
+  EXPECT_EQ("123456", CFX_ByteString::FormatInteger(123456));
+
+  // Negative ordinary number.
+  EXPECT_EQ("-123456", CFX_ByteString::FormatInteger(-123456));
+
+  // int limits.
+  EXPECT_EQ("2147483647", CFX_ByteString::FormatInteger(INT_MAX));
+  EXPECT_EQ("-2147483648", CFX_ByteString::FormatInteger(INT_MIN));
+}