From 59a8f48571fc1e1b11f070c54e5d75b8b1c2e9a2 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Thu, 12 Apr 2018 14:06:29 +0000
Subject: Bounds check in CPDF_CMap::GetNextChar.

These were kicked loose when we converted to span<>, and there isn't any reason to believe that the remaining string is long enough to complete a multibyte sequence.

Bug: 831100
Change-Id: Iae4363f72b4d7ff088a73994d0fe5dab4077ee9e
Reviewed-on: https://pdfium-review.googlesource.com/30291
Reviewed-by: dsinclair
Commit-Queue: dsinclair
---
 core/fpdfapi/font/cpdf_cmap.cpp | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/core/fpdfapi/font/cpdf_cmap.cpp b/core/fpdfapi/font/cpdf_cmap.cpp
index 8e46a75112..d6b4264b6b 100644
--- a/core/fpdfapi/font/cpdf_cmap.cpp
+++ b/core/fpdfapi/font/cpdf_cmap.cpp
@@ -342,22 +342,24 @@ uint32_t CPDF_CMap::GetNextChar(const ByteStringView& pString,
   auto pBytes = pString.span();
   switch (m_CodingScheme) {
     case OneByte: {
-      return pBytes[offset++];
+      return offset < pBytes.size() ? pBytes[offset++] : 0;
     }
     case TwoBytes: {
-      uint8_t byte1 = pBytes[offset++];
-      return 256 * byte1 + pBytes[offset++];
+      uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0;
+      uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0;
+      return 256 * byte1 + byte2;
     }
     case MixedTwoBytes: {
-      uint8_t byte1 = pBytes[offset++];
+      uint8_t byte1 = offset < pBytes.size() ? pBytes[offset++] : 0;
       if (!m_MixedTwoByteLeadingBytes[byte1])
         return byte1;
-      return 256 * byte1 + pBytes[offset++];
+      uint8_t byte2 = offset < pBytes.size() ? pBytes[offset++] : 0;
+      return 256 * byte1 + byte2;
     }
     case MixedFourBytes: {
       uint8_t codes[4];
       int char_size = 1;
-      codes[0] = pBytes[offset++];
+      codes[0] = offset < pBytes.size() ? pBytes[offset++] : 0;
       while (1) {
         int ret = CheckFourByteCodeRange(codes, char_size,
                                          m_MixedFourByteLeadingRanges);
-- 
cgit v1.2.3
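Review bot: The guard `offset < pBytes.size() ? pBytes[offset++] : 0` is written out seven times across the OneByte, TwoBytes, MixedTwoBytes and MixedFourBytes cases; a single local helper such as `auto next_byte = [&]() -> uint8_t { return offset < pBytes.size() ? pBytes[offset++] : 0; };` declared after `auto pBytes = pString.span();` would express the bounds check once and keep any later read site from drifting back to the unchecked form. The fallback also deserves a one-line comment at the top of the switch, because a string that ends mid-sequence now decodes as a code whose missing low bytes are 0 and the caller cannot tell that from a genuine 0x00 byte, e.g. `// Bytes past the end of pString read as 0; a truncated multibyte code is indistinguishable from a code containing 0x00.`. GetNextChar's MixedFourBytes loop continues past the end of the hunk, so if it reads further bytes through `pBytes[offset++]` without this guard they would need the same treatment; that cannot be confirmed from the visible lines.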