From 89f9ee3b8f3b4756f05ff48055f4bff7353201e2 Mon Sep 17 00:00:00 2001 From: npm Date: Tue, 4 Oct 2016 10:15:55 -0700 Subject: Use FX_SAFE_UINT32 on CPDF_ToUnicodeMap::Load m_Map maps to unsigned integer, but m_MultiCharBuf.GetLength() returns an integer. There will be integer overflow if the length is big, and UBSAN will complain. Thus, using FX_SAFE_UINT32. Replacing with uint32 would work as well: the point is to consider the length as uint instead of int. BUG=chromium:652232 Review-Url: https://codereview.chromium.org/2393573002 --- core/fpdfapi/fpdf_font/fpdf_font.cpp | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'core/fpdfapi') diff --git a/core/fpdfapi/fpdf_font/fpdf_font.cpp b/core/fpdfapi/fpdf_font/fpdf_font.cpp index cff5223a00..825cd61b52 100644 --- a/core/fpdfapi/fpdf_font/fpdf_font.cpp +++ b/core/fpdfapi/fpdf_font/fpdf_font.cpp @@ -18,6 +18,7 @@ #include "core/fpdfapi/fpdf_parser/cpdf_simple_parser.h" #include "core/fpdfapi/fpdf_parser/cpdf_stream_acc.h" #include "core/fxcrt/fx_ext.h" +#include "core/fxcrt/fx_safe_types.h" #include "core/fxge/fx_freetype.h" #include "third_party/base/numerics/safe_conversions.h" #include "third_party/base/stl_util.h" @@ -224,7 +225,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { if (len == 1) { m_Map[srccode] = destcode.GetAt(0); } else { - m_Map[srccode] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[srccode] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(destcode.GetLength()); m_MultiCharBuf << destcode; } @@ -255,7 +259,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { if (len == 1) { m_Map[code] = destcode.GetAt(0); } else { - m_Map[code] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[code] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(destcode.GetLength()); m_MultiCharBuf << destcode; } @@ -278,7 +285,10 @@ void CPDF_ToUnicodeMap::Load(CPDF_Stream* pStream) { } else { retcode = StringDataAdd(destcode); } - m_Map[code] = m_MultiCharBuf.GetLength() * 0x10000 + 0xffff; + FX_SAFE_UINT32 uni = m_MultiCharBuf.GetLength(); + uni *= 0x10000; + uni += 0xffff; + m_Map[code] = uni.ValueOrDie(); m_MultiCharBuf.AppendChar(retcode.GetLength()); m_MultiCharBuf << retcode; destcode = retcode; -- cgit v1.2.3