From d332e2d6d65724486def154f7486ba9088849c1d Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Fri, 2 Jun 2017 12:46:49 -0700
Subject: Prevent OOB access in CXFA_FM2JSContext::IsIsoTimeFormat().
Change-Id: I3fe0460f3a4cfd7d48ccfc79d0256fc83d7fbac8
Reviewed-on: https://pdfium-review.googlesource.com/6235
Reviewed-by: Tom Sepez
Commit-Queue: Lei Zhang
---
 xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp | 54 ++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 30 deletions(-)
diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 2da86eb896..3aab971229 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -1779,9 +1779,6 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
 int32_t iPos = 0;
 int32_t iIndex = 0;
 while (iIndex < iZone) {
- if (iIndex >= iZone)
- break;
-
 if (!std::isdigit(pData[iIndex]))
 return false;
@@ -1818,43 +1815,44 @@ bool CXFA_FM2JSContext::IsIsoTimeFormat(const char* pData,
 iIndex += 2;
 }
 }
- if (pData[iIndex] == '.') {
- ++iIndex;
- char strSec[4];
- strSec[3] = '\0';
- if (!std::isdigit(pData[iIndex]))
- return false;
- strSec[0] = pData[iIndex];
- if (!std::isdigit(pData[iIndex + 1]))
+ if (iIndex < iLength && pData[iIndex] == '.') {
+ constexpr int kSubSecondLength = 3;
+ if (iIndex + kSubSecondLength >= iLength)
 return false;
- strSec[1] = pData[iIndex + 1];
- if (!std::isdigit(pData[iIndex + 2]))
- return false;
+ ++iIndex;
+ char strSec[kSubSecondLength + 1];
+ for (int i = 0; i < kSubSecondLength; ++i) {
+ char c = pData[iIndex + i];
+ if (!std::isdigit(c))
+ return false;
+ strSec[i] = c;
+ }
+ strSec[kSubSecondLength] = '\0';
- strSec[2] = pData[iIndex + 2];
 iMilliSecond = FXSYS_atoi(strSec);
 if (iMilliSecond > 100) {
 iMilliSecond = 0;
 return false;
 }
- iIndex += 3;
+ iIndex += kSubSecondLength;
 }
- if (pData[iIndex] == 'z' || pData[iIndex] == 'Z')
+
+ if (iIndex < iLength && FXSYS_tolower(pData[iIndex]) == 'z')
 return true;
 int32_t iSign = 1;
- if (pData[iIndex] == '+') {
- ++iIndex;
- } else if (pData[iIndex] == '-') {
- iSign = -1;
- ++iIndex;
+ if (iIndex < iLength) {
+ if (pData[iIndex] == '+') {
+ ++iIndex;
+ } else if (pData[iIndex] == '-') {
+ iSign = -1;
+ ++iIndex;
+ }
 }
 iPos = 0;
 while (iIndex < iLength) {
- if (iIndex >= iLength)
- return false;
 if (!std::isdigit(pData[iIndex]))
 return false;
@@ -1932,12 +1930,8 @@ bool CXFA_FM2JSContext::IsIsoDateTimeFormat(const char* pData,
 (iLength - iIndex != 15)) {
 return true;
 }
- if (!IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
- iSecond, iMillionSecond, iZoneHour, iZoneMinute)) {
- return false;
- }
-
- return true;
+ return IsIsoTimeFormat(pData + iIndex, iLength - iIndex, iHour, iMinute,
+ iSecond, iMillionSecond, iZoneHour, iZoneMinute);
 }
 // static
-- cgit v1.2.3
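Review bot: The sub-second digit loop added in the -1818,43 +1815,44 hunk passes a plain `char` to `std::isdigit` (`char c = pData[iIndex + i]; if (!std::isdigit(c))`), which is undefined behaviour for negative values, so where `char` is signed a byte of 0x80 or above in the input can index outside the classification table in some C libraries. Since this commit exists to stop out-of-bounds reads in IsIsoTimeFormat, the check should read `if (!std::isdigit(static_cast<unsigned char>(c)))`; the unchanged `std::isdigit(pData[iIndex])` calls in the surrounding loops share the problem, and `FXSYS_tolower(pData[iIndex])` may as well, depending on how that helper is defined. The diffstat shows only this file changed, so a regression test feeding a time string that ends at or just after the '.' would pin the new length checks. The function begins and ends outside this hunk.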