From 391783579c5a8aad346b56903b51e6551600550b Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Thu, 17 Dec 2015 16:47:14 -0800 Subject: Fix a sentinel length value used in CFX_CMapByteStringToPtr::SetAt It looks like an key length of 0 was incorrectly assumed to denote an free entry. Fixes a memory leak in FPDFViewEmbeddertest.Crasher_451830 due to values with empty keys being incorrectly overwritten. R=tsepez@chromium.org, thestig@chromium.org Review URL: https://codereview.chromium.org/1534953002 . --- core/src/fxcrt/fx_basic_maps.cpp | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/core/src/fxcrt/fx_basic_maps.cpp b/core/src/fxcrt/fx_basic_maps.cpp index f8a0390163..f7d127f7da 100644 --- a/core/src/fxcrt/fx_basic_maps.cpp +++ b/core/src/fxcrt/fx_basic_maps.cpp @@ -7,6 +7,13 @@ #include "core/include/fxcrt/fx_basic.h" #include "plex.h" +namespace { + +const uint8_t kFreeLength = 0xfe; +const uint8_t kHasAllocatedBufferLength = 0xff; + +} // namespace + CFX_MapPtrToPtr::CFX_MapPtrToPtr(int nBlockSize) : m_pHashTable(NULL), m_nHashTableSize(17), @@ -165,7 +172,7 @@ struct _CompactString { uint8_t* m_pBuffer; }; static void _CompactStringRelease(_CompactString* pCompact) { - if (pCompact->m_CompactLen == 0xff) { + if (pCompact->m_CompactLen == kHasAllocatedBufferLength) { FX_Free(pCompact->m_pBuffer); } } @@ -178,7 +185,7 @@ static FX_BOOL _CompactStringSame(_CompactString* pCompact, } return FXSYS_memcmp(&pCompact->m_LenHigh, pStr, len) == 0; } - if (pCompact->m_CompactLen != 0xff || + if (pCompact->m_CompactLen != kHasAllocatedBufferLength || pCompact->m_LenHigh * 256 + pCompact->m_LenLow != len) { return FALSE; } @@ -192,18 +199,18 @@ static void _CompactStringStore(_CompactString* pCompact, FXSYS_memcpy(&pCompact->m_LenHigh, pStr, len); return; } - pCompact->m_CompactLen = 0xff; + pCompact->m_CompactLen = kHasAllocatedBufferLength; pCompact->m_LenHigh = len / 256; pCompact->m_LenLow = len % 256; pCompact->m_pBuffer = FX_Alloc(uint8_t, len); FXSYS_memcpy(pCompact->m_pBuffer, pStr, len); } static CFX_ByteStringC _CompactStringGet(_CompactString* pCompact) { - if (pCompact->m_CompactLen == 0xff) { + if (pCompact->m_CompactLen == kHasAllocatedBufferLength) { return CFX_ByteStringC(pCompact->m_pBuffer, pCompact->m_LenHigh * 256 + pCompact->m_LenLow); } - if (pCompact->m_CompactLen == 0xfe) { + if (pCompact->m_CompactLen == kFreeLength) { return CFX_ByteStringC(); } return CFX_ByteStringC(&pCompact->m_LenHigh, pCompact->m_CompactLen); @@ -228,7 +235,7 @@ FX_POSITION CFX_CMapByteStringToPtr::GetStartPosition() const { int size = m_Buffer.GetSize(); for (int i = 0; i < size; i++) { _CompactString* pKey = (_CompactString*)m_Buffer.GetAt(i); - if (pKey->m_CompactLen != 0xfe) { + if (pKey->m_CompactLen != kFreeLength) { return (FX_POSITION)(uintptr_t)(i + 1); } } @@ -248,7 +255,7 @@ void CFX_CMapByteStringToPtr::GetNextAssoc(FX_POSITION& rNextPosition, int size = m_Buffer.GetSize(); while (index < size) { pKey = (_CompactString*)m_Buffer.GetAt(index); - if (pKey->m_CompactLen != 0xfe) { + if (pKey->m_CompactLen != kFreeLength) { rNextPosition = (FX_POSITION)(uintptr_t)(index + 1); return; } @@ -267,7 +274,7 @@ void* CFX_CMapByteStringToPtr::GetNextValue(FX_POSITION& rNextPosition) const { int size = m_Buffer.GetSize(); while (index < size) { pKey = (_CompactString*)m_Buffer.GetAt(index); - if (pKey->m_CompactLen != 0xfe) { + if (pKey->m_CompactLen != kFreeLength) { rNextPosition = (FX_POSITION)(uintptr_t)(index + 1); return rValue; } @@ -304,7 +311,7 @@ void CFX_CMapByteStringToPtr::SetAt(const CFX_ByteStringC& key, void* value) { } for (int index = 0; index < size; index++) { _CompactString* pKey = (_CompactString*)m_Buffer.GetAt(index); - if (pKey->m_CompactLen) { + if (pKey->m_CompactLen != kFreeLength) { continue; } _CompactStringStore(pKey, key.GetPtr(), key_len); @@ -331,7 +338,7 @@ void CFX_CMapByteStringToPtr::RemoveKey(const CFX_ByteStringC& key) { continue; } _CompactStringRelease(pKey); - pKey->m_CompactLen = 0xfe; + pKey->m_CompactLen = kFreeLength; return; } } @@ -340,7 +347,7 @@ int CFX_CMapByteStringToPtr::GetCount() const { int size = m_Buffer.GetSize(); for (int i = 0; i < size; i++) { _CompactString* pKey = (_CompactString*)m_Buffer.GetAt(i); - if (pKey->m_CompactLen != 0xfe) { + if (pKey->m_CompactLen != kFreeLength) { count++; } } -- cgit v1.2.3