From d332e2d6d65724486def154f7486ba9088849c1d Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Fri, 2 Jun 2017 12:46:49 -0700
Subject: Prevent OOB access in CXFA_FM2JSContext::IsIsoTimeFormat().

Change-Id: I3fe0460f3a4cfd7d48ccfc79d0256fc83d7fbac8
Reviewed-on: https://pdfium-review.googlesource.com/6235
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
---
 xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp | 54 ++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 30 deletions(-)

diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 2da86eb896..3aab971229 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -1779,9 +1779,6 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
   int32_t iPos = 0;
   int32_t iIndex = 0;
   while (iIndex < iZone) {
-    if (iIndex >= iZone)
-      break;
-
     if (!std::isdigit(pData[iIndex]))
       return false;
 
@@ -1818,43 +1815,44 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
       iIndex += 2;
     }
   }
-  if (pData[iIndex] == '.') {
-    ++iIndex;
-    char strSec[4];
-    strSec[3] = '\0';
-    if (!std::isdigit(pData[iIndex]))
-      return false;
 
-    strSec[0] = pData[iIndex];
-    if (!std::isdigit(pData[iIndex + 1]))
+  if (iIndex < iLength && pData[iIndex] == '.') {
+    constexpr int kSubSecondLength = 3;
+    if (iIndex + kSubSecondLength >= iLength)
       return false;
 
-    strSec[1] = pData[iIndex + 1];
-    if (!std::isdigit(pData[iIndex + 2]))
-      return false;
+    ++iIndex;
+    char strSec[kSubSecondLength + 1];
+    for (int i = 0; i < kSubSecondLength; ++i) {
+      char c = pData[iIndex + i];
+      if (!std::isdigit(c))
+        return false;
+      strSec[i] = c;
+    }
+    strSec[kSubSecondLength] = '\0';
 
-    strSec[2] = pData[iIndex + 2];
     iMilliSecond = FXSYS_atoi(strSec);
     if (iMilliSecond > 100) {
       iMilliSecond = 0;
       return false;
     }
-    iIndex += 3;
+    iIndex += kSubSecondLength;
   }
-  if (pData[iIndex] == 'z' || pData[iIndex] == 'Z')
+
+  if (iIndex < iLength && FXSYS_tolower(pData[iIndex]) == 'z')
     return true;
 
   int32_t iSign = 1;
-  if (pData[iIndex] == '+') {
-    ++iIndex;
-  } else if (pData[iIndex] == '-') {
-    iSign = -1;
-    ++iIndex;
+  if (iIndex < iLength) {
+    if (pData[iIndex] == '+') {
+      ++iIndex;
+    } else if (pData[iIndex] == '-') {
+      iSign = -1;
+      ++iIndex;
+    }
   }
   iPos = 0;
   while (iIndex < iLength) {
-    if (iIndex >= iLength)
-      return false;
     if (!std::isdigit(pData[iIndex]))
       return false;
 
@@ -1932,12 +1930,8 @@ bool CXFA_FM2JSContext::IsIsoDateTimeFormat(const char* pData,
       (iLength - iIndex != 15)) {
     return true;
   }
-  if (!IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
-                       iSecond, iMillionSecond, iZoneHour, iZoneMinute)) {
-    return false;
-  }
-
-  return true;
+  return IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
+                         iSecond, iMillionSecond, iZoneHour, iZoneMinute);
 }
 
 // static
-- 
cgit v1.2.3