From f265ee5a5f0e96d1a91111f4f27eb2f1edd8835a Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Sat, 11 Apr 2015 09:33:23 -0700
Subject: Fix a heap buffer overflow issue in CPDF_CMap::GetNextChar

Add a check to make sure offset is less than the size of string in the function of GetNextChar().

BUG=471651
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1067073003
---
 core/src/fpdfapi/fpdf_font/font_int.h | 4 ++--
 core/src/fpdfapi/fpdf_font/fpdf_font.cpp | 4 ++--
 core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp | 10 +++++-----
 3 files changed, 9 insertions(+), 9 deletions(-)
(limited to 'core/src/fpdfapi/fpdf_font')

diff --git a/core/src/fpdfapi/fpdf_font/font_int.h b/core/src/fpdfapi/fpdf_font/font_int.h
index 6048ba981d..43f4e302af 100644
--- a/core/src/fpdfapi/fpdf_font/font_int.h
+++ b/core/src/fpdfapi/fpdf_font/font_int.h
@@ -95,8 +95,8 @@ public:
 FX_WORD CIDFromCharCode(FX_DWORD charcode) const;
 FX_DWORD CharCodeFromCID(FX_WORD CID) const;
 int GetCharSize(FX_DWORD charcode) const;
- FX_DWORD GetNextChar(const FX_CHAR* pString, int& offset) const;
- int CountChar(const FX_CHAR* pString, int size) const;
+ FX_DWORD GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const;
+ int CountChar(FX_LPCSTR pString, int size) const;
 int AppendChar(FX_LPSTR str, FX_DWORD charcode) const;
 typedef enum {OneByte, TwoBytes, MixedTwoBytes, MixedFourBytes} CodingScheme;
 protected:
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
index dd646ca113..41bb95a89d 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font.cpp
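Review bot: The new `nStrLen` parameter on `GetNextChar` is undocumented at its declaration, which is the only place a user of this class reads, and the name alone does not say whether it is a byte count or a code count. The definition in fpdf_font_cid.cpp treats it as the byte length of `pString` and, in the visible multi-byte path, returns 0 once `offset` reaches it in the middle of a code, so I would put above the declaration: `// nStrLen: byte length of pString. Reads stop at pString + nStrLen; 0 is returned if the string ends inside a code.` The enclosing class starts before this hunk, so I cannot confirm from here which class this `public:` section belongs to (presumably CPDF_CMap, given the definitions in fpdf_font_cid.cpp).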
@@ -213,7 +213,7 @@ CFX_WideString CPDF_Font::DecodeString(const CFX_ByteString& str) const
 FX_LPCSTR src_buf = str;
 int src_pos = 0;
 while (src_pos < src_len) {
- FX_DWORD charcode = GetNextChar(src_buf, src_pos);
+ FX_DWORD charcode = GetNextChar(src_buf, src_len, src_pos);
 CFX_WideString unicode = UnicodeFromCharCode(charcode);
 if (!unicode.IsEmpty()) {
 result += unicode;
@@ -379,7 +379,7 @@ int CPDF_Font::GetStringWidth(FX_LPCSTR pString, int size)
 int offset = 0;
 int width = 0;
 while (offset < size) {
- FX_DWORD charcode = GetNextChar(pString, offset);
+ FX_DWORD charcode = GetNextChar(pString, size, offset);
 width += GetCharWidthF(charcode);
 }
 return width;
diff --git a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 1ce91f9ed6..0d193e2189 100644
--- a/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/src/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -491,7 +491,7 @@ static int _CheckCodeRange(FX_LPBYTE codes, int size, _CMap_CodeRange* pRanges,
 }
 return 0;
 }
-FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
 {
 switch (m_CodingScheme) {
 case OneByte:
@@ -524,7 +524,7 @@ FX_DWORD CPDF_CMap::GetNextChar(FX_LPCSTR pString, int& offset) const
 }
 return charcode;
 }
- if (char_size == 4) {
+ if (char_size == 4 || offset == nStrLen) {
 return 0;
 }
 codes[char_size ++] = ((FX_LPBYTE)pString)[offset++];
@@ -576,7 +576,7 @@ int CPDF_CMap::CountChar(FX_LPCSTR pString, int size) const
 case MixedFourBytes: {
 int count = 0, offset = 0;
 while (offset < size) {
- GetNextChar(pString, offset);
+ GetNextChar(pString, size, offset);
 count ++;
 }
 return count;
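Review bot: In the `codes[]` accumulation path of `CPDF_CMap::GetNextChar` (hunk at @@ -524), the new guard is an equality test, `offset == nStrLen`, so it only stops the read when `offset` lands exactly on `nStrLen`; the callers visible in this patch all test `offset < size` before calling, but the method is public and any caller that enters with `offset` already past the end would still index beyond the buffer. A greater-or-equal test costs nothing and removes that dependence on the caller: `if (char_size == 4 || offset >= nStrLen) {`. The OneByte, TwoBytes and MixedTwoBytes cases of the switch lie outside this hunk; now that `nStrLen` is available it is worth confirming that the two-byte branches bound their reads by it as well, since a code needing a second byte at `offset == nStrLen - 1` would otherwise read one past the end. The body of `GetNextChar` begins in the hunk at @@ -491 and continues outside both hunks.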
@@ -1317,9 +1317,9 @@ int CPDF_CIDFont::GlyphFromCharCode(FX_DWORD charcode, FX_BOOL *pVertGlyph)
 FX_LPCBYTE pdata = m_pCIDToGIDMap->GetData() + byte_pos;
 return pdata[0] * 256 + pdata[1];
 }
-FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int& offset) const
+FX_DWORD CPDF_CIDFont::GetNextChar(FX_LPCSTR pString, int nStrLen, int& offset) const
 {
- return m_pCMap->GetNextChar(pString, offset);
+ return m_pCMap->GetNextChar(pString, nStrLen, offset);
 }
 int CPDF_CIDFont::GetCharSize(FX_DWORD charcode) const
 {
-- 
cgit v1.2.3
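Review bot: `CPDF_CIDFont::GetNextChar` now forwards `nStrLen` to `m_pCMap` without any comment on what the bound means, and as (presumably) an override of the `CPDF_Font::GetNextChar` that `DecodeString` calls in the hunk at @@ -213, its contract is fixed by a base-class declaration outside this patch, which is limited to core/src/fpdfapi/fpdf_font. I would add above the definition `// nStrLen: byte length of pString; bounds the read and yields 0 on a truncated code (see CPDF_CMap::GetNextChar).` so the next reader does not have to trace into the CMap to learn the truncation behaviour. Whether `m_pCMap` can be null here is not something this hunk shows, and the commit does not change that, so I raise no point on it.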