From 465c2a84ba709d932040c9e80db508e93c138da6 Mon Sep 17 00:00:00 2001
From: Bo Xu <bo_xu@foxitsoftware.com>
Date: Sat, 2 Aug 2014 15:13:46 -0700
Subject: Fix buffer size boundary check offset by 1

When newPos == file size, the current block will not be read or Get. If this block is a crucial part of the document (like m_pTrailer), the program will exit with parse error and
the document will not be rendered.

BUG=None
R=jun_fang@foxitsoftware.com

Review URL: https://codereview.chromium.org/440563003
---
 fpdfsdk/src/fpdfview.cpp | 46 +++++++++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 25 deletions(-)

diff --git a/fpdfsdk/src/fpdfview.cpp b/fpdfsdk/src/fpdfview.cpp
index 63d4fbdcde..af24e71b94 100644
--- a/fpdfsdk/src/fpdfview.cpp
+++ b/fpdfsdk/src/fpdfview.cpp
@@ -35,27 +35,25 @@ FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch)
 
 FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size)
 {
-        FX_SAFE_DWORD newPos = size;
-        newPos += pos;
-	if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
-            return FALSE;
-        }
-
-	return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
+    FX_SAFE_DWORD newPos = size;
+    newPos += pos;
+    if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+        return FALSE;
+    }
+    return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
 }
 
 FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)
 {
-        if (offset < 0) {
-            return FALSE;
-        }
-        FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
-        newPos += offset;
-	if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
-            return FALSE;
-        }
-
-	return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
+    if (offset < 0) {
+        return FALSE;
+    }
+    FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+    newPos += offset;
+    if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+        return FALSE;
+    }
+    return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
 }
 
 //0 bit: FPDF_POLICY_MACHINETIME_ACCESS
@@ -301,15 +299,13 @@ public:
 	virtual FX_FILESIZE		GetSize() {return m_size;}
 	virtual FX_BOOL			ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) 
 	{
-                if (offset < 0) {
-                    return FALSE;
-                }
-
-                FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
-                newPos += offset;
-                if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size) return FALSE;
+        if (offset < 0) {
+            return FALSE;
+        }
+        FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+        newPos += offset;
+        if (!newPos.IsValid() || newPos.ValueOrDie() > (FX_DWORD)m_size) return FALSE;
 		FXSYS_memcpy(buffer, m_pBuf+offset, size);
-
 		return TRUE;
 	}
 private:
-- 
cgit v1.2.3