summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2018-04-12 14:06:29 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-12 14:06:29 +0000
commit59a8f48571fc1e1b11f070c54e5d75b8b1c2e9a2 (patch)
tree443b15c7a1b376b2802da357b88e93d1c1e65d0d /core
parent7023b8877475dda639a15d623b5a552f88a6812f (diff)
downloadpdfium-59a8f48571fc1e1b11f070c54e5d75b8b1c2e9a2.tar.xz
Bounds check in CPDF_CMap::GetNextChar.
These were kicked loose when we converted to span<>, and there isn't any reason to believe that the remaining string is long enough to complete a multibyte sequence. Bug: 831100 Change-Id: Iae4363f72b4d7ff088a73994d0fe5dab4077ee9e Reviewed-on: https://pdfium-review.googlesource.com/30291 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/font/cpdf_cmap.cpp14
1 files changed, 8 insertions, 6 deletions
diff --git a/core/fpdfapi/font/cpdf_cmap.cpp b/core/fpdfapi/font/cpdf_cmap.cpp
index 8e46a75112..d6b4264b6b 100644
--- a/core/fpdfapi/font/cpdf_cmap.cpp
+++ b/core/fpdfapi/font/cpdf_cmap.cpp
@@ -342,22 +342,24 @@ uint32_t CPDF_CMap::GetNextChar(const ByteStringView& pString,
auto pBytes = pString.span();
switch (m_CodingScheme) {
case OneByte: {
- return pBytes[offset++];
+ return offset < pBytes.size() ? pBytes[offset++] : 0;
}
case TwoBytes: {
- uint8_t byte1 = pBytes[offset++];
- return 256 * byte1 + pBytes[offset++];
+ uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0;
+ uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0;
+ return 256 * byte1 + byte2;
}
case MixedTwoBytes: {
- uint8_t byte1 = pBytes[offset++];
+ uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0;
if (!m_MixedTwoByteLeadingBytes[byte1])
return byte1;
- return 256 * byte1 + pBytes[offset++];
+ uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0;
+ return 256 * byte1 + byte2;
}
case MixedFourBytes: {
uint8_t codes[4];
int char_size = 1;
- codes[0] = pBytes[offset++];
+ codes[0] = offset < pBytes.size() ? pBytes[offset++] : 0;
while (1) {
int ret = CheckFourByteCodeRange(codes, char_size,
m_MixedFourByteLeadingRanges);