From bb2b1e72929fb78f9d5b64b3732ed9b5cc93af4e Mon Sep 17 00:00:00 2001
From: John Abd-El-Malek
Date: Wed, 4 Jun 2014 14:42:19 -0700
Subject: Use unsigned type for iteration to avoid int overflow. If src_len in PDF_DecodeText is larger than 2^31, 2 * max_chars will overflow and the function will produce an incorrect result.
BUG=none
R=bo_xu@foxitsoftware.com
Review URL: https://codereview.chromium.org/306923006
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'core/src')
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
index 23126365a0..6838f739fa 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
@@ -402,7 +402,7 @@ CFX_WideString PDF_DecodeText(FX_LPCBYTE src_data, FX_DWORD src_len, CFX_CharMap
 CFX_WideString result;
 if (src_len >= 2 && ((src_data[0] == 0xfe && src_data[1] == 0xff) || (src_data[0] == 0xff && src_data[1] == 0xfe))) {
 FX_BOOL bBE = src_data[0] == 0xfe;
- int max_chars = (src_len - 2) / 2;
+ FX_DWORD max_chars = (src_len - 2) / 2;
 if (!max_chars) {
 return result;
 }
@@ -412,7 +412,7 @@ CFX_WideString PDF_DecodeText(FX_LPCBYTE src_data, FX_DWORD src_len, CFX_CharMap
 FX_LPWSTR dest_buf = result.GetBuffer(max_chars);
 FX_LPCBYTE uni_str = src_data + 2;
 int dest_pos = 0;
- for (int i = 0; i < max_chars * 2; i += 2) {
+ for (FX_DWORD i = 0; i < max_chars * 2; i += 2) {
 FX_WORD unicode = bBE ? (uni_str[i] << 8 | uni_str[i + 1]) : (uni_str[i + 1] << 8 | uni_str[i]);
 if (unicode == 0x1b) {
 i += 2;
--
cgit v1.2.3
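Review bot: In the second hunk, `result.GetBuffer(max_chars)` is followed directly by the loop with no check on `dest_buf` in the visible lines, and this commit is specifically about inputs near 2^31 bytes, where a buffer request of that size is most likely to fail. If GetBuffer can return null or a shorter buffer than requested (its contract is not visible here), a guard such as `if (!dest_buf) return result;` before the loop would keep the decode from writing through an invalid pointer. `int dest_pos` also stays signed while the loop bound is now `FX_DWORD`; assuming FX_DWORD is 32 bits that is still in range, but a comment like `// max_chars <= 0x7FFFFFFE, so max_chars * 2 cannot wrap` would record why the unsigned type is sufficient. The loop body continues outside the hunk, including whatever follows the `i += 2` in the escape branch, so whether reads after that increment are re-checked against the bound cannot be confirmed from here.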