summaryrefslogtreecommitdiff
path: root/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2017-06-02 12:46:49 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-06-02 21:10:54 +0000
commitd332e2d6d65724486def154f7486ba9088849c1d (patch)
treed1d524497fb74a48bc933fc9d13c95a67a76c777 /xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
parent3db875920a253a8541642a2aa913f474b125d67f (diff)
downloadpdfium-d332e2d6d65724486def154f7486ba9088849c1d.tar.xz
Prevent OOB access in CXFA_FM2JSContext::IsIsoTimeFormat().
Change-Id: I3fe0460f3a4cfd7d48ccfc79d0256fc83d7fbac8 Reviewed-on: https://pdfium-review.googlesource.com/6235 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp')
-rw-r--r--xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp54
1 files changed, 24 insertions, 30 deletions
diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 2da86eb896..3aab971229 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -1779,9 +1779,6 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
int32_t iPos = 0;
int32_t iIndex = 0;
while (iIndex < iZone) {
- if (iIndex >= iZone)
- break;
-
if (!std::isdigit(pData[iIndex]))
return false;
@@ -1818,43 +1815,44 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
iIndex += 2;
}
}
- if (pData[iIndex] == '.') {
- ++iIndex;
- char strSec[4];
- strSec[3] = '\0';
- if (!std::isdigit(pData[iIndex]))
- return false;
- strSec[0] = pData[iIndex];
- if (!std::isdigit(pData[iIndex + 1]))
+ if (iIndex < iLength && pData[iIndex] == '.') {
+ constexpr int kSubSecondLength = 3;
+ if (iIndex + kSubSecondLength >= iLength)
return false;
- strSec[1] = pData[iIndex + 1];
- if (!std::isdigit(pData[iIndex + 2]))
- return false;
+ ++iIndex;
+ char strSec[kSubSecondLength + 1];
+ for (int i = 0; i < kSubSecondLength; ++i) {
+ char c = pData[iIndex + i];
+ if (!std::isdigit(c))
+ return false;
+ strSec[i] = c;
+ }
+ strSec[kSubSecondLength] = '\0';
- strSec[2] = pData[iIndex + 2];
iMilliSecond = FXSYS_atoi(strSec);
if (iMilliSecond > 100) {
iMilliSecond = 0;
return false;
}
- iIndex += 3;
+ iIndex += kSubSecondLength;
}
- if (pData[iIndex] == 'z' || pData[iIndex] == 'Z')
+
+ if (iIndex < iLength && FXSYS_tolower(pData[iIndex]) == 'z')
return true;
int32_t iSign = 1;
- if (pData[iIndex] == '+') {
- ++iIndex;
- } else if (pData[iIndex] == '-') {
- iSign = -1;
- ++iIndex;
+ if (iIndex < iLength) {
+ if (pData[iIndex] == '+') {
+ ++iIndex;
+ } else if (pData[iIndex] == '-') {
+ iSign = -1;
+ ++iIndex;
+ }
}
iPos = 0;
while (iIndex < iLength) {
- if (iIndex >= iLength)
- return false;
if (!std::isdigit(pData[iIndex]))
return false;
@@ -1932,12 +1930,8 @@ bool CXFA_FM2JSContext::IsIsoDateTimeFormat(const char* pData,
(iLength - iIndex != 15)) {
return true;
}
- if (!IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
- iSecond, iMillionSecond, iZoneHour, iZoneMinute)) {
- return false;
- }
-
- return true;
+ return IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
+ iSecond, iMillionSecond, iZoneHour, iZoneMinute);
}
// static