From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar
Add a check to make sure offset is less than the size of string in the function of GetNextChar().
BUG=471651
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1067073003
---
core/include/fpdfapi/fpdf_resource.h | 141 +++++++++------------
core/src/fpdfapi/fpdf_font/font_int.h | 4 +-
core/src/fpdfapi/fpdf_font/fpdf_font.cpp | 4 +-
core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp | 10 +-
core/src/fpdfapi/fpdf_page/fpdf_page.cpp | 4 +-
core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp | 4 +-
core/src/fpdftext/fpdf_text.cpp | 2 +-
7 files changed, 73 insertions(+), 96 deletions(-)
diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h
index 54e1c97ee7..3050985567 100644
--- a/core/include/fpdfapi/fpdf_resource.h
+++ b/core/include/fpdfapi/fpdf_resource.h
@@ -164,11 +164,13 @@ public:
 return m_Font.GetFace();
 }
-
-
- virtual FX_DWORD GetNextChar(FX_LPCSTR pString, int& offset) const
+ virtual FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
 {
- return (FX_BYTE)pString[offset++];
+ if (offset < 0 || nStrLen < 1) {
+ return 0;
+ }
+ FX_BYTE ch = offset < nStrLen ? pString[offset++] : pString[nStrLen-1];
+ return static_cast(ch);
 }
 virtual int CountChar(FX_LPCSTR pString, int size) const
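Review bot: The out-of-range branch of the new base-class GetNextChar, `FX_BYTE ch = offset < nStrLen ? pString[offset++] : pString[nStrLen-1];`, hands back the last byte again without advancing `offset`, so a caller that asks for one code too many receives a duplicated character instead of a value it can recognise as "end of string"; the CPDF_CMap override in fpdf_font_cid.cpp returns 0 in that situation, and the base class should agree with it. A consistent form is `if (offset < 0 || offset >= nStrLen) { return 0; }` followed by `return static_cast<FX_BYTE>(pString[offset++]);`, which also removes the `nStrLen-1` index and the separate `nStrLen < 1` test. Whatever form is kept, the contract deserves a line above the function such as `// Returns 0 and leaves offset untouched when offset is outside [0, nStrLen).` so the overrides in derived classes match it. The `static_cast(ch)` shown here has no template argument, presumably lost in extraction rather than in the source. The enclosing CPDF_Font class declaration starts and ends outside the hunk.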
@@ -512,99 +514,74 @@ public: virtual ~CPDF_CIDFont(); - FX_BOOL LoadGB2312(); - virtual int GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph = NULL); - virtual int GetCharWidthF(FX_DWORD charcode, int level = 0); - virtual void GetCharBBox(FX_DWORD charcode, FX_RECT& rect, int level = 0); - - FX_WORD CIDFromCharCode(FX_DWORD charcode) const; + FX_BOOL LoadGB2312(); + virtual int GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph = NULL); + virtual int GetCharWidthF(FX_DWORD charcode, int level = 0); + virtual void GetCharBBox(FX_DWORD charcode, FX_RECT& rect, int level = 0); + FX_WORD CIDFromCharCode(FX_DWORD charcode) const; - FX_BOOL IsTrueType() + FX_BOOL IsTrueType() { return !m_bType1; } + virtual FX_DWORD GetNextChar(const FX_LPCSTR pString, int nStrLen, int& offset) const override; + virtual int CountChar(const FX_LPCSTR pString, int size) const; + virtual int AppendChar(FX_LPSTR str, FX_DWORD charcode) const; + virtual int GetCharSize(FX_DWORD charcode) const; - virtual FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const; - virtual int CountChar(const FX_CHAR* pString, int size) const; - virtual int AppendChar(FX_LPSTR str, FX_DWORD charcode) const; - virtual int GetCharSize(FX_DWORD charcode) const; - - - int GetCharset() const + int GetCharset() const { return m_Charset; } - FX_LPCBYTE GetCIDTransform(FX_WORD CID) const; - - + FX_LPCBYTE GetCIDTransform(FX_WORD CID) const; + virtual FX_BOOL IsVertWriting() const; + short GetVertWidth(FX_WORD CID) const; + void GetVertOrigin(FX_WORD CID, short& vx, short& vy) const; + virtual FX_BOOL IsUnicodeCompatible() const; + virtual FX_BOOL IsFontStyleFromCharCode(FX_DWORD charcode) const; - virtual FX_BOOL IsVertWriting() const; - - short GetVertWidth(FX_WORD CID) const; - - void GetVertOrigin(FX_WORD CID, short& vx, short& vy) const; - - virtual FX_BOOL IsUnicodeCompatible() const; - virtual FX_BOOL IsFontStyleFromCharCode(FX_DWORD charcode) const; protected: - friend class CPDF_Font; - 
virtual FX_BOOL _Load(); - virtual FX_WCHAR _UnicodeFromCharCode(FX_DWORD charcode) const; - virtual FX_DWORD _CharCodeFromUnicode(FX_WCHAR Unicode) const; - int GetGlyphIndex(FX_DWORD unicodeb, FX_BOOL *pVertGlyph); - - CPDF_CMap* m_pCMap; - - CPDF_CMap* m_pAllocatedCMap; - - CPDF_CID2UnicodeMap* m_pCID2UnicodeMap; - - int m_Charset; - - FX_BOOL m_bType1; - - CPDF_StreamAcc* m_pCIDToGIDMap; - FX_BOOL m_bCIDIsGID; - - - - FX_WORD m_DefaultWidth; - - FX_WORD* m_pAnsiWidths; - - FX_SMALL_RECT m_CharBBox[256]; - - CFX_DWordArray m_WidthList; - - short m_DefaultVY; - - short m_DefaultW1; - - CFX_DWordArray m_VertMetrics; - - - void LoadMetricsArray(CPDF_Array* pArray, CFX_DWordArray& result, int nElements); - - void LoadSubstFont(); + friend class CPDF_Font; + virtual FX_BOOL _Load(); + virtual FX_WCHAR _UnicodeFromCharCode(FX_DWORD charcode) const; + virtual FX_DWORD _CharCodeFromUnicode(FX_WCHAR Unicode) const; + int GetGlyphIndex(FX_DWORD unicodeb, FX_BOOL *pVertGlyph); + + CPDF_CMap* m_pCMap; + CPDF_CMap* m_pAllocatedCMap; + CPDF_CID2UnicodeMap* m_pCID2UnicodeMap; + int m_Charset; + FX_BOOL m_bType1; + CPDF_StreamAcc* m_pCIDToGIDMap; + FX_BOOL m_bCIDIsGID; + FX_WORD m_DefaultWidth; + FX_WORD* m_pAnsiWidths; + FX_SMALL_RECT m_CharBBox[256]; + CFX_DWordArray m_WidthList; + short m_DefaultVY; + short m_DefaultW1; + CFX_DWordArray m_VertMetrics; + + void LoadMetricsArray(CPDF_Array* pArray, CFX_DWordArray& result, int nElements); + void LoadSubstFont(); FX_BOOL m_bAdobeCourierStd; - - CFX_CTTGSUBTable* m_pTTGSUBTable; + CFX_CTTGSUBTable* m_pTTGSUBTable; }; -#define PDFCS_DEVICEGRAY 1 - -#define PDFCS_DEVICERGB 2 -#define PDFCS_DEVICECMYK 3 -#define PDFCS_CALGRAY 4 -#define PDFCS_CALRGB 5 -#define PDFCS_LAB 6 -#define PDFCS_ICCBASED 7 -#define PDFCS_SEPARATION 8 -#define PDFCS_DEVICEN 9 -#define PDFCS_INDEXED 10 -#define PDFCS_PATTERN 11 + +#define PDFCS_DEVICEGRAY 1 +#define PDFCS_DEVICERGB 2 +#define PDFCS_DEVICECMYK 3 +#define PDFCS_CALGRAY 4 +#define PDFCS_CALRGB 5 
+#define PDFCS_LAB 6
+#define PDFCS_ICCBASED 7
+#define PDFCS_SEPARATION 8
+#define PDFCS_DEVICEN 9
+#define PDFCS_INDEXED 10
+#define PDFCS_PATTERN 11
 class CPDF_ColorSpace : public CFX_Object
 {
 public:
diff --git a/core/src/fpdfapi/fpdf_font/font_int.h b/core/src/fpdfapi/fpdf_font/font_int.h
index 6048ba981d..43f4e302af 100644
--- a/core/src/fpdfapi/fpdf_font/font_int.h
+++ b/core/src/fpdfapi/fpdf_font/font_int.h
@@ -95,8 +95,8 @@ public:
 FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
 FX_DWORD CharCodeFromCID(FX_WORD CID) const;
 int GetCharSize(FX_DWORD charcode) const;
- FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- int CountChar(const FX_CHAR* pString, int size) const;
+ FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const;
+ int CountChar(FX_LPCSTR pString, int size) const;
 int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
 typedef enum {OneByte, TwoBytes, MixedTwoBytes, MixedFourBytes} CodingScheme;
 protected:
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
 FX_LPCSTR src_buf = str;
 int src_pos = 0;
 while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
 CFX_WideString unicode = UnicodeFromCharCode(charcode);
 if (!unicode.IsEmpty()) {
 result += unicode;
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
 int offset = 0;
 int width = 0;
 while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
 width += GetCharWidthF(charcode);
 }
 return width;
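Review bot: In the CPDF_CIDFont declaration only `GetNextChar` gains `override`, while the sibling virtuals rewritten on the neighbouring lines (`CountChar`, `AppendChar`, `GetCharSize`, `IsVertWriting`, `IsUnicodeCompatible`, `IsFontStyleFromCharCode`) are redeclared without it, so a later base-signature change would be caught for one of them and not the others; `virtual int CountChar(const FX_LPCSTR pString, int size) const override;` and the same suffix on the rest keeps the class uniform. The parameter is spelled `const FX_LPCSTR pString` here but `FX_LPCSTR pString` in the fpdf_font_cid.cpp definition; the top-level const does not affect the signature, but the two should read the same. Nearly all of this hunk is re-indentation and blank-line removal around a two-line functional change, which hides the lines a reviewer must check; the whitespace-only changes would be better as a separate commit. The class starts before the hunk.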
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 1ce91f9ed6..0d193e2189 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -491,7 +491,7 @@ static int _CheckCodeRange(FX_LPBYTE codes, int size, _CMap_CodeRange* pRanges,
 }
 return 0;
 }
-FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
 {
 switch (m_CodingScheme) {
 case OneByte:
@@ -524,7 +524,7 @@ FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
 }
 return charcode;
 }
- if (char_size == 4) {
+ if (char_size == 4 || offset == nStrLen) {
 return 0;
 }
 codes[char_size ++] = ((FX_LPBYTE)pString)[offset++];
@@ -576,7 +576,7 @@ int CPDF_CMap::CountChar(FX_LPCSTR pString, int size) const
 case MixedFourBytes: {
 int count = 0, offset = 0;
 while (offset < size) {
- GetNextChar(pString, offset);
+ GetNextChar(pString, size, offset);
 count ++;
 }
 return count;
@@ -1317,9 +1317,9 @@ int CPDF_CIDFont::GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph)
 FX_LPCBYTE pdata = m_pCIDToGIDMap->GetData() + byte_pos;
 return pdata[0] * 256 + pdata[1];
 }
-FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
 {
- return m_pCMap->GetNextChar(pString, offset);
+ return m_pCMap->GetNextChar(pString, nStrLen, offset);
 }
 int CPDF_CIDFont::GetCharSize(FX_DWORD charcode) const
 {
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
index 590a01aa6d..ccdfb9fcbb 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page.cpp
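Review bot: The new guard in the second fpdf_font_cid.cpp hunk, `if (char_size == 4 || offset == nStrLen)`, tests equality only, so an `offset` that arrives negative or already past `nStrLen` still reaches `codes[char_size ++] = ((FX_LPBYTE)pString)[offset++];` on the next line; `if (char_size == 4 || offset < 0 || offset >= nStrLen)` holds for every caller rather than only the well-behaved ones. Within this diff `nStrLen` is consulted solely on the MixedFourBytes path; the OneByte, TwoBytes and MixedTwoBytes cases of CPDF_CMap::GetNextChar lie outside the hunk, and if they read `pString[offset]` and `pString[offset + 1]` without comparing against `nStrLen`, a two-byte code beginning at `nStrLen - 1` would still read one byte beyond the string, which is worth confirming before the new parameter is treated as a complete bound. The function body begins and continues outside the hunk.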
@@ -247,7 +247,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
 FX_LPCSTR segment = pStrs[i];
 int offset = 0, len = pStrs[i].GetLength();
 while (offset < len) {
- m_pCharCodes[index++] = pFont->GetNextChar(segment, offset);
+ m_pCharCodes[index++] = pFont->GetNextChar(segment, len, offset);
 }
 if (i != nsegs - 1) {
 m_pCharPos[index - 1] = pKerning[i];
@@ -256,7 +256,7 @@ void CPDF_TextObject::SetSegments(const CFX_ByteString* pStrs, FX_FLOAT* pKernin
 }
 } else {
 int offset = 0;
- m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], offset);
+ m_pCharCodes = (FX_DWORD*)(FX_UINTPTR)pFont->GetNextChar(pStrs[0], pStrs[0].GetLength(), offset);
 }
 }
 void CPDF_TextObject::SetText(const CFX_ByteString& str)
diff --git a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
index f99f7cec38..0ea7ea1672 100644
--- a/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
+++ b/core/src/fpdfapi/fpdf_render/fpdf_render_text.cpp
@@ -613,7 +613,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
 FX_DWORD* pCharCodes;
 FX_FLOAT* pCharPos;
 if (nChars == 1) {
- charcode = pFont->GetNextChar(str, offset);
+ charcode = pFont->GetNextChar(str, str.GetLength(), offset);
 pCharCodes = (FX_DWORD*)(FX_UINTPTR)charcode;
 pCharPos = NULL;
 } else {
@@ -621,7 +621,7 @@ void CPDF_TextRenderer::DrawTextString(CFX_RenderDevice* pDevice, FX_FLOAT origi
 pCharPos = FX_Alloc(FX_FLOAT, nChars - 1);
 FX_FLOAT cur_pos = 0;
 for (int i = 0; i < nChars; i ++) {
- pCharCodes[i] = pFont->GetNextChar(str, offset);
+ pCharCodes[i] = pFont->GetNextChar(str, str.GetLength(), offset);
 if (i) {
 pCharPos[i - 1] = cur_pos;
 }
diff --git a/core/src/fpdftext/fpdf_text.cpp b/core/src/fpdftext/fpdf_text.cpp
index a4a124d5e6..d6d6de9a83 100644
--- a/core/src/fpdftext/fpdf_text.cpp
+++ b/core/src/fpdftext/fpdf_text.cpp
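Review bot: In the second fpdf_render_text.cpp hunk `str.GetLength()` is re-evaluated on every pass of `for (int i = 0; i < nChars; i ++)`, and once more in the `nChars == 1` branch of the hunk above it; hoisting it once before the branch, `const int len = str.GetLength();`, and passing `len` in both calls reads better and matches how fpdf_page.cpp and fpdf_text.cpp already pass a precomputed `len`. That loop also runs a fixed `nChars` times with no `offset < len` test, so it relies on `nChars` having been computed from this same `str` (presumably by CountChar, outside the hunk); with the base-class GetNextChar now clamping instead of advancing `offset`, a mismatch would silently repeat the last code rather than over-read, which is the safer failure but deserves a comment such as `// nChars was derived from str, so offset stays below len throughout this loop`. DrawTextString starts and ends outside the hunk.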
@@ -181,7 +181,7 @@ CTextBaseLine* CTextPage::InsertTextBox(CTextBaseLine* pBaseLine, FX_FLOAT basey
 FX_LPCSTR pStr = str;
 int len = str.GetLength(), offset = 0;
 while (offset < len) {
- FX_DWORD ch = pFont->GetNextChar(pStr, offset);
+ FX_DWORD ch = pFont->GetNextChar(pStr, len, offset);
 CFX_WideString unicode_str = pFont->UnicodeFromCharCode(ch);
 if (unicode_str.IsEmpty()) {
 text += (FX_WCHAR)ch;
-- 
cgit v1.2.3