From 0c99829cc38ed2191a71d16c34278e391411aa1b Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Thu, 13 Jul 2017 09:58:52 -0400
Subject: Fix invalid write for util.printf

This CL fixes and invalid WRITE triggered by calling util.printf. We need to verify that the integer format will be less then 260 characters.

Bug: chromium:740166
Change-Id: I1c9047101780582da5f39088568727e2c8b4c2d2
Reviewed-on: https://pdfium-review.googlesource.com/7630
Reviewed-by: Tom Sepez
Commit-Queue: dsinclair
---
 fpdfsdk/javascript/util.cpp | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

(limited to 'fpdfsdk/javascript/util.cpp')

diff --git a/fpdfsdk/javascript/util.cpp b/fpdfsdk/javascript/util.cpp
index 100a5caab4..3338a3a126 100644
--- a/fpdfsdk/javascript/util.cpp
+++ b/fpdfsdk/javascript/util.cpp
@@ -150,9 +150,28 @@ bool util::printf(CJS_Runtime* pRuntime,
 CFX_WideString strSegment;
 switch (ParseDataType(&c_strFormat)) {
- case UTIL_INT:
+ case UTIL_INT: {
+ int dot = c_strFormat.find(L".", 0);
+ if (dot != -1) {
+ size_t len = 0;
+ for (size_t i = dot + 1; i < c_strFormat.length(); ++i) {
+ wchar_t c = c_strFormat[i];
+ if (std::iswdigit(c)) {
+ ++len;
+ continue;
+ }
+ break;
+ }
+
+ // Windows has a max of ~261 characters in the format string of
+ // the form %0.261x. We're just going to bail out if the format
+ // would be over 3 or more characters long.
+ if (len > 2)
+ return false;
+ }
 strSegment.Format(c_strFormat.c_str(), params[iIndex].ToInt(pRuntime));
 break;
+ }
 case UTIL_DOUBLE:
 strSegment.Format(c_strFormat.c_str(), params[iIndex].ToDouble(pRuntime));
-- 
cgit v1.2.3
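Review bot: The new digit scan in the UTIL_INT case starts only after the first '.', so it bounds the precision field but not the width field: a segment such as `%300d` (constructed example) still reaches `strSegment.Format` unchecked, and if the underlying formatter has the same length limit for the width that the comment describes for the precision, that path is still open. The same scan is absent from the UTIL_DOUBLE branch visible at the end of the hunk, which drives the same `Format` call with a caller-controlled format segment. The comment's last sentence also disagrees slightly with the code, since `len > 2` rejects three or more precision digits (a precision of 100 or more); I'd reword it to `// Bail out if the precision has three or more digits (>= 100): Windows' Format cannot handle a format of the form %0.261x.` util::printf begins before and continues after this hunk.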