From 05ea7e1ae677d0d5872f7ccbaf28f594ad6d94d9 Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Fri, 11 Aug 2017 16:24:25 -0400
Subject: Remove potential out of bounds call to GetAt()

Since m_pos is passed into GetAt() on the underlying string in
getCurrentChar(), the value of it needs to confirmed to be valid after
decrementing. Some types were changed to reflect the values being
stored.

BUG=chromium:752480

Change-Id: Ib6d6f52326defd31785e70a17049a08b64dbe069
Reviewed-on: https://pdfium-review.googlesource.com/10652
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 fxbarcode/datamatrix/BC_C40Encoder.cpp     | 10 ++++++++--
 fxbarcode/datamatrix/BC_EncoderContext.cpp | 12 ++++++------
 fxbarcode/datamatrix/BC_EncoderContext.h   | 10 +++++-----
 3 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/fxbarcode/datamatrix/BC_C40Encoder.cpp b/fxbarcode/datamatrix/BC_C40Encoder.cpp
index e994774c4d..8edd9eccfe 100644
--- a/fxbarcode/datamatrix/BC_C40Encoder.cpp
+++ b/fxbarcode/datamatrix/BC_C40Encoder.cpp
@@ -189,8 +189,14 @@ int32_t CBC_C40Encoder::encodeChar(wchar_t c, CFX_WideString& sb, int32_t& e) {
 int32_t CBC_C40Encoder::BacktrackOneCharacter(CBC_EncoderContext* context,
                                               CFX_WideString* buffer,
                                               int32_t lastCharSize) {
+  if (context->m_pos < 1)
+    return -1;
+
   int32_t count = buffer->GetLength();
-  buffer->Delete(count - lastCharSize, count);
+  if (count < lastCharSize)
+    return -1;
+
+  buffer->Delete(count - lastCharSize, lastCharSize);
   context->m_pos--;
   wchar_t c = context->getCurrentChar();
   int32_t e = BCExceptionNO;
@@ -199,7 +205,7 @@ int32_t CBC_C40Encoder::BacktrackOneCharacter(CBC_EncoderContext* context,
   if (e != BCExceptionNO)
     return -1;
 
-  assert(len > 0);
+  ASSERT(len > 0);
   context->resetSymbolInfo();
   return len;
 }
diff --git a/fxbarcode/datamatrix/BC_EncoderContext.cpp b/fxbarcode/datamatrix/BC_EncoderContext.cpp
index 40855fcbd8..404c07d980 100644
--- a/fxbarcode/datamatrix/BC_EncoderContext.cpp
+++ b/fxbarcode/datamatrix/BC_EncoderContext.cpp
@@ -34,9 +34,9 @@ CBC_EncoderContext::CBC_EncoderContext(const CFX_WideString& msg,
   CFX_ByteString dststr;
   CBC_UtilCodingConvert::UnicodeToUTF8(msg, dststr);
   CFX_WideString sb;
-  int32_t c = dststr.GetLength();
-  for (int32_t i = 0; i < c; i++) {
-    wchar_t ch = (wchar_t)(dststr.GetAt(i) & 0xff);
+  FX_STRSIZE c = dststr.GetLength();
+  for (FX_STRSIZE i = 0; i < c; i++) {
+    wchar_t ch = static_cast<wchar_t>(dststr.GetAt(i) & 0xff);
     if (ch == '?' && dststr.GetAt(i) != '?') {
       e = BCExceptionCharactersOutsideISO88591Encoding;
     }
@@ -73,7 +73,7 @@ void CBC_EncoderContext::writeCodewords(const CFX_WideString& codewords) {
 void CBC_EncoderContext::writeCodeword(wchar_t codeword) {
   m_codewords += codeword;
 }
-int32_t CBC_EncoderContext::getCodewordCount() {
+FX_STRSIZE CBC_EncoderContext::getCodewordCount() {
   return m_codewords.GetLength();
 }
 void CBC_EncoderContext::signalEncoderChange(int32_t encoding) {
@@ -85,7 +85,7 @@ void CBC_EncoderContext::resetEncoderSignal() {
 bool CBC_EncoderContext::hasMoreCharacters() {
   return m_pos < getTotalMessageCharCount();
 }
-int32_t CBC_EncoderContext::getRemainingCharacters() {
+FX_STRSIZE CBC_EncoderContext::getRemainingCharacters() {
   return getTotalMessageCharCount() - m_pos;
 }
 void CBC_EncoderContext::updateSymbolInfo(int32_t& e) {
@@ -103,6 +103,6 @@ void CBC_EncoderContext::resetSymbolInfo() {
   m_allowRectangular = true;
 }
 
-int32_t CBC_EncoderContext::getTotalMessageCharCount() {
+FX_STRSIZE CBC_EncoderContext::getTotalMessageCharCount() {
   return m_msg.GetLength() - m_skipAtEnd;
 }
diff --git a/fxbarcode/datamatrix/BC_EncoderContext.h b/fxbarcode/datamatrix/BC_EncoderContext.h
index 4931501c45..ef4c38ebab 100644
--- a/fxbarcode/datamatrix/BC_EncoderContext.h
+++ b/fxbarcode/datamatrix/BC_EncoderContext.h
@@ -25,26 +25,26 @@ class CBC_EncoderContext {
   wchar_t getCurrent();
   void writeCodewords(const CFX_WideString& codewords);
   void writeCodeword(wchar_t codeword);
-  int32_t getCodewordCount();
+  FX_STRSIZE getCodewordCount();
   void signalEncoderChange(int32_t encoding);
   void resetEncoderSignal();
   bool hasMoreCharacters();
-  int32_t getRemainingCharacters();
+  FX_STRSIZE getRemainingCharacters();
   void updateSymbolInfo(int32_t& e);
   void updateSymbolInfo(int32_t len, int32_t& e);
   void resetSymbolInfo();
 
   CFX_WideString m_msg;
   CFX_WideString m_codewords;
-  int32_t m_pos;
+  FX_STRSIZE m_pos;
   int32_t m_newEncoding;
   CFX_UnownedPtr<CBC_SymbolInfo> m_symbolInfo;
 
  private:
-  int32_t getTotalMessageCharCount();
+  FX_STRSIZE getTotalMessageCharCount();
 
   bool m_allowRectangular;  // Force square when false.
-  int32_t m_skipAtEnd;
+  FX_STRSIZE m_skipAtEnd;
 };
 
 #endif  // FXBARCODE_DATAMATRIX_BC_ENCODERCONTEXT_H_
-- 
cgit v1.2.3