From eed247e9cb3b0e9ce5dcb8bf6ee7673c9dd3e544 Mon Sep 17 00:00:00 2001
From: Henrique Nakashima <hnakashima@chromium.org>
Date: Wed, 19 Jul 2017 14:12:03 -0400
Subject: Converting CFX_ByteTextBuf to ostringstream in SAX.

Respin of https://pdfium-review.googlesource.com/c/6592 with fixes
that avoid invalid reads.

Bug: pdfium:731
Change-Id: I9395063505ba1a5c610e21b089ab8aa1a0a5b86f
Reviewed-on: https://pdfium-review.googlesource.com/8290
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
---
 BUILD.gn                                |  1 +
 core/fxcrt/xml/cfx_saxcontext.cpp       |  9 +++++++++
 core/fxcrt/xml/cfx_saxcontext.h         |  7 +++++--
 core/fxcrt/xml/cfx_saxreaderhandler.cpp | 28 ++++++++++++++--------------
 4 files changed, 29 insertions(+), 16 deletions(-)
 create mode 100644 core/fxcrt/xml/cfx_saxcontext.cpp

diff --git a/BUILD.gn b/BUILD.gn
index 1853d78e5c..e02882085b 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -887,6 +887,7 @@ static_library("fxcrt") {
       "core/fxcrt/fx_arabic.h",
       "core/fxcrt/ifx_chariter.h",
       "core/fxcrt/ifx_locale.h",
+      "core/fxcrt/xml/cfx_saxcontext.cpp",
       "core/fxcrt/xml/cfx_saxcontext.h",
       "core/fxcrt/xml/cfx_saxreader.cpp",
       "core/fxcrt/xml/cfx_saxreader.h",
diff --git a/core/fxcrt/xml/cfx_saxcontext.cpp b/core/fxcrt/xml/cfx_saxcontext.cpp
new file mode 100644
index 0000000000..4e2f0c58c9
--- /dev/null
+++ b/core/fxcrt/xml/cfx_saxcontext.cpp
@@ -0,0 +1,9 @@
+// Copyright 2017 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/fxcrt/xml/cfx_saxcontext.h"
+
+CFX_SAXContext::CFX_SAXContext() : m_eNode(CFX_SAXItem::Type::Unknown) {}
+
+CFX_SAXContext::~CFX_SAXContext() {}
diff --git a/core/fxcrt/xml/cfx_saxcontext.h b/core/fxcrt/xml/cfx_saxcontext.h
index 7afebed98d..fcc889f7a3 100644
--- a/core/fxcrt/xml/cfx_saxcontext.h
+++ b/core/fxcrt/xml/cfx_saxcontext.h
@@ -7,15 +7,18 @@
 #ifndef CORE_FXCRT_XML_CFX_SAXCONTEXT_H_
 #define CORE_FXCRT_XML_CFX_SAXCONTEXT_H_
 
+#include <sstream>
+
 #include "core/fxcrt/fx_basic.h"
 #include "core/fxcrt/fx_string.h"
 #include "core/fxcrt/xml/cfx_saxreader.h"
 
 class CFX_SAXContext {
  public:
-  CFX_SAXContext() : m_eNode(CFX_SAXItem::Type::Unknown) {}
+  CFX_SAXContext();
+  ~CFX_SAXContext();
 
-  CFX_ByteTextBuf m_TextBuf;
+  std::ostringstream m_TextBuf;
   CFX_ByteString m_bsTagName;
   CFX_SAXItem::Type m_eNode;
 };
diff --git a/core/fxcrt/xml/cfx_saxreaderhandler.cpp b/core/fxcrt/xml/cfx_saxreaderhandler.cpp
index e7b6cd186c..b8399ff5cc 100644
--- a/core/fxcrt/xml/cfx_saxreaderhandler.cpp
+++ b/core/fxcrt/xml/cfx_saxreaderhandler.cpp
@@ -6,6 +6,8 @@
 
 #include "core/fxcrt/xml/cfx_saxreaderhandler.h"
 
+#include <string>
+
 #include "core/fxcrt/cfx_checksumcontext.h"
 
 CFX_SAXReaderHandler::CFX_SAXReaderHandler(CFX_ChecksumContext* pContext)
@@ -26,12 +28,11 @@ CFX_SAXContext* CFX_SAXReaderHandler::OnTagEnter(
   }
 
   m_SAXContext.m_eNode = eType;
-  CFX_ByteTextBuf& textBuf = m_SAXContext.m_TextBuf;
-  textBuf << "<";
+  m_SAXContext.m_TextBuf << "<";
   if (eType == CFX_SAXItem::Type::Instruction)
-    textBuf << "?";
+    m_SAXContext.m_TextBuf << "?";
 
-  textBuf << bsTagName;
+  m_SAXContext.m_TextBuf << bsTagName;
   m_SAXContext.m_bsTagName = bsTagName;
   return &m_SAXContext;
 }
@@ -59,24 +60,22 @@ void CFX_SAXReaderHandler::OnTagData(CFX_SAXContext* pTag,
   if (!pTag)
     return;
 
-  CFX_ByteTextBuf& textBuf = pTag->m_TextBuf;
   if (eType == CFX_SAXItem::Type::CharData)
-    textBuf << "<![CDATA[";
+    pTag->m_TextBuf << "<![CDATA[";
 
-  textBuf << bsData;
+  pTag->m_TextBuf << bsData;
   if (eType == CFX_SAXItem::Type::CharData)
-    textBuf << "]]>";
+    pTag->m_TextBuf << "]]>";
 }
 
 void CFX_SAXReaderHandler::OnTagClose(CFX_SAXContext* pTag, uint32_t dwEndPos) {
   if (!pTag)
     return;
 
-  CFX_ByteTextBuf& textBuf = pTag->m_TextBuf;
   if (pTag->m_eNode == CFX_SAXItem::Type::Instruction)
-    textBuf << "?>";
+    pTag->m_TextBuf << "?>";
   else if (pTag->m_eNode == CFX_SAXItem::Type::Tag)
-    textBuf << "></" << pTag->m_bsTagName.AsStringC() << ">";
+    pTag->m_TextBuf << "></" << pTag->m_bsTagName.AsStringC() << ">";
 
   UpdateChecksum(false);
 }
@@ -107,11 +106,12 @@ void CFX_SAXReaderHandler::OnTargetData(CFX_SAXContext* pTag,
 }
 
 void CFX_SAXReaderHandler::UpdateChecksum(bool bCheckSpace) {
-  int32_t iLength = m_SAXContext.m_TextBuf.GetLength();
+  int32_t iLength = m_SAXContext.m_TextBuf.tellp();
   if (iLength < 1)
     return;
 
-  uint8_t* pBuffer = m_SAXContext.m_TextBuf.GetBuffer();
+  std::string sBuffer = m_SAXContext.m_TextBuf.str();
+  const uint8_t* pBuffer = reinterpret_cast<const uint8_t*>(sBuffer.c_str());
   bool bUpdata = true;
   if (bCheckSpace) {
     bUpdata = false;
@@ -124,5 +124,5 @@ void CFX_SAXReaderHandler::UpdateChecksum(bool bCheckSpace) {
   if (bUpdata)
     m_pContext->Update(CFX_ByteStringC(pBuffer, iLength));
 
-  m_SAXContext.m_TextBuf.Clear();
+  m_SAXContext.m_TextBuf.str("");
 }
-- 
cgit v1.2.3