author | dsinclair <dsinclair@chromium.org> | 2016-08-11 07:50:08 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-11 07:50:08 -0700 |
commit | 22eeccb34f91f9932f7cec295bcaf641ba249e3a (patch) | |
tree | 9775d10c30ff05cabd4d8238a037d3865588ec94 /xfa/fde/xml/fde_xml_imp.cpp | |
parent | b4d1b576bccb5ca6cebe29288af014bd0f512af1 (diff) | |
download | pdfium-22eeccb34f91f9932f7cec295bcaf641ba249e3a.tar.xz |
Guard against undefined shift.
This CL fixes CFDE_XMLSyntaxParser::ParseTextChar() to handle entities
where the value goes negative. Currently this could cause an undefined shift
due to the (ch << 4) calls. Instead, detect if the value has gone negative
and return a space character.
BUG=chromium:603489
Review-Url: https://codereview.chromium.org/2223823003
Diffstat (limited to 'xfa/fde/xml/fde_xml_imp.cpp')
-rw-r--r-- | xfa/fde/xml/fde_xml_imp.cpp | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index 4c6dcf989c..8e14f021ce 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -14,6 +14,8 @@
 namespace {
+const uint32_t kMaxCharRange = 0x10ffff;
+
 const uint16_t g_XMLValidCharRange[][2] = {{0x09, 0x09},
 {0x0A, 0x0A},
 {0x0D, 0x0D},
@@ -1838,23 +1840,23 @@ FX_FILESIZE CFDE_XMLSyntaxParser::GetCurrentBinaryPos() const {
 return m_iParsedBytes + nDstLen;
 }
-void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
+void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR character) {
 if (m_iIndexInBlock == m_iAllocStep) {
 m_pCurrentBlock = m_BlockBuffer.GetAvailableBlock(m_iIndexInBlock);
 if (!m_pCurrentBlock) {
 return;
 }
 }
- m_pCurrentBlock[m_iIndexInBlock++] = ch;
+ m_pCurrentBlock[m_iIndexInBlock++] = character;
 m_iDataLength++;
- if (m_iEntityStart > -1 && ch == L';') {
+ if (m_iEntityStart > -1 && character == L';') {
 CFX_WideString csEntity;
 m_BlockBuffer.GetTextData(csEntity, m_iEntityStart + 1, (m_iDataLength - 1) - m_iEntityStart - 1);
 int32_t iLen = csEntity.GetLength();
 if (iLen > 0) {
 if (csEntity[0] == L'#') {
- ch = 0;
+ uint32_t ch = 0;
 FX_WCHAR w;
 if (iLen > 1 && csEntity[1] == L'x') {
 for (int32_t i = 2; i < iLen; i++) {
@@ -1872,14 +1874,17 @@ void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
 } else {
 for (int32_t i = 1; i < iLen; i++) {
 w = csEntity[i];
- if (w < L'0' || w > L'9') {
+ if (w < L'0' || w > L'9')
 break;
- }
 ch = ch * 10 + w - L'0';
 }
 }
- if (ch != 0) {
- m_BlockBuffer.SetTextChar(m_iEntityStart, ch);
+ if (ch > kMaxCharRange)
+ ch = ' ';
+
+ character = static_cast<FX_WCHAR>(ch);
+ if (character != 0) {
+ m_BlockBuffer.SetTextChar(m_iEntityStart, character);
 m_iEntityStart++;
 }
 } else {
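Review bot: In the `@@ -1838` hunk, the new `uint32_t ch = 0;` is the line that removes the undefined shift, but nothing at the declaration says why the accumulator is unsigned, so a later cleanup could narrow it back to `FX_WCHAR`. I would add a comment above it such as `// Unsigned on purpose: the shift/multiply accumulation below wraps instead of being undefined.` The hex-digit loop that uses `ch` begins on the hunk's last line and continues outside it, and ParseTextChar's body also runs past the end of this hunk.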
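Review bot: The `if (ch > kMaxCharRange)` test in the `@@ -1872` hunk runs only after the digit loop has finished, so a numeric reference with enough digits wraps the `uint32_t` accumulator and can land back inside the allowed range instead of being replaced by a space. Bounding the value inside the loop avoids that: after `ch = ch * 10 + w - L'0';` add `if (ch > kMaxCharRange) break;`. The hex loop lies between the hunks and is not visible here, but presumably needs the same guard. Separately, `static_cast<FX_WCHAR>(ch)` would truncate values above 0xFFFF if FX_WCHAR is 16 bits wide on some targets, and the visible code does not check the result against `g_XMLValidCharRange`; both are worth confirming. ParseTextChar's body starts and ends outside this hunk.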
@@ -1905,7 +1910,7 @@ void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
 m_pCurrentBlock = m_BlockBuffer.GetAvailableBlock(m_iIndexInBlock);
 m_iEntityStart = -1;
 } else {
- if (m_iEntityStart < 0 && ch == L'&') {
+ if (m_iEntityStart < 0 && character == L'&') {
 m_iEntityStart = m_iDataLength - 1;
 }
 }
|