From dce09b18b48837d8006694b9dc3b2d026e5e7869 Mon Sep 17 00:00:00 2001 From: Henrique Nakashima Date: Fri, 1 Sep 2017 12:14:26 -0400 Subject: Fix integer overflow in Buffer_itoa when passing INT_MIN. Bug: chromium:760034 Change-Id: Id0862749b1454e065de4de7d746a27e78ac58e30 Reviewed-on: https://pdfium-review.googlesource.com/12730 Commit-Queue: Henrique Nakashima Reviewed-by: Tom Sepez --- core/fpdfapi/parser/cpdf_number.cpp | 2 +- core/fxcrt/cfx_bytestring.cpp | 32 +++----------------------------- core/fxcrt/cfx_bytestring.h | 4 +--- core/fxcrt/cfx_bytestring_unittest.cpp | 15 +++++++++++++++ xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp | 2 +- 5 files changed, 21 insertions(+), 34 deletions(-) diff --git a/core/fpdfapi/parser/cpdf_number.cpp b/core/fpdfapi/parser/cpdf_number.cpp index 50c48d6cb8..9afe30adca 100644 --- a/core/fpdfapi/parser/cpdf_number.cpp +++ b/core/fpdfapi/parser/cpdf_number.cpp @@ -53,7 +53,7 @@ void CPDF_Number::SetString(const CFX_ByteString& str) { } CFX_ByteString CPDF_Number::GetString() const { - return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer, FXFORMAT_SIGNED) + return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer) : CFX_ByteString::FormatFloat(m_Float); } diff --git a/core/fxcrt/cfx_bytestring.cpp b/core/fxcrt/cfx_bytestring.cpp index a8b65b5c2f..ab7c9aee99 100644 --- a/core/fxcrt/cfx_bytestring.cpp +++ b/core/fxcrt/cfx_bytestring.cpp @@ -27,33 +27,6 @@ template struct std::hash; namespace { -int Buffer_itoa(char* buf, int i, uint32_t flags) { - if (i == 0) { - buf[0] = '0'; - return 1; - } - char buf1[32]; - int buf_pos = 31; - uint32_t u = i; - if ((flags & FXFORMAT_SIGNED) && i < 0) { - u = -i; - } - int base = 10; - const char* str = "0123456789abcdef"; - while (u != 0) { - buf1[buf_pos--] = str[u % base]; - u = u / base; - } - if ((flags & FXFORMAT_SIGNED) && i < 0) { - buf1[buf_pos--] = '-'; - } - int len = 31 - buf_pos; - for (int ii = 0; ii < len; ii++) { - buf[ii] = buf1[ii + buf_pos + 1]; - } - return len; -} - const char* FX_strstr(const char* haystack, int haystack_len, const char* needle, @@ -499,9 +472,10 @@ void CFX_ByteString::AllocCopy(CFX_ByteString& dest, #define FORCE_UNICODE 0x20000 #define FORCE_INT64 0x40000 -CFX_ByteString CFX_ByteString::FormatInteger(int i, uint32_t flags) { +CFX_ByteString CFX_ByteString::FormatInteger(int i) { char buf[32]; - return CFX_ByteString(buf, Buffer_itoa(buf, i, flags)); + FXSYS_snprintf(buf, 32, "%d", i); + return CFX_ByteString(buf); } void CFX_ByteString::FormatV(const char* pFormat, va_list argList) { diff --git a/core/fxcrt/cfx_bytestring.h b/core/fxcrt/cfx_bytestring.h index ff43dab3bd..a47b5f89ab 100644 --- a/core/fxcrt/cfx_bytestring.h +++ b/core/fxcrt/cfx_bytestring.h @@ -171,9 +171,7 @@ class CFX_ByteString { uint32_t GetID() const { return AsStringC().GetID(); } -#define FXFORMAT_SIGNED 1 - - static CFX_ByteString FormatInteger(int i, uint32_t flags = 0); + static CFX_ByteString FormatInteger(int i); static CFX_ByteString FormatFloat(float f, int precision = 0); protected: diff --git a/core/fxcrt/cfx_bytestring_unittest.cpp b/core/fxcrt/cfx_bytestring_unittest.cpp index 497e0b6c2f..a590af3b14 100644 --- a/core/fxcrt/cfx_bytestring_unittest.cpp +++ b/core/fxcrt/cfx_bytestring_unittest.cpp @@ -1511,3 +1511,18 @@ TEST(fxcrt, OStreamByteStringCOverload) { EXPECT_EQ("abcdef", stream.str()); } } + +TEST(fxcrt, ByteStringFormatInteger) { + // Base case of 0. + EXPECT_EQ("0", CFX_ByteString::FormatInteger(0)); + + // Positive ordinary number. + EXPECT_EQ("123456", CFX_ByteString::FormatInteger(123456)); + + // Negative ordinary number. + EXPECT_EQ("-123456", CFX_ByteString::FormatInteger(-123456)); + + // int limits. + EXPECT_EQ("2147483647", CFX_ByteString::FormatInteger(INT_MAX)); + EXPECT_EQ("-2147483648", CFX_ByteString::FormatInteger(INT_MIN)); +} diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp index 73e6c221dc..b68be12b31 100644 --- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp +++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp @@ -5790,7 +5790,7 @@ CFX_ByteString CXFA_FM2JSContext::GenerateSomExpression( if (iIndexFlags == 1 || iIndexValue == 0) { return CFX_ByteString(szName, "[") + - CFX_ByteString::FormatInteger(iIndexValue, FXFORMAT_SIGNED) + "]"; + CFX_ByteString::FormatInteger(iIndexValue) + "]"; } CFX_ByteString szSomExp; if (iIndexFlags == 2) { -- cgit v1.2.3