From 8dee6cab8f10a257d3b551ede6ca85466bf0bac7 Mon Sep 17 00:00:00 2001 From: JUN FANG Date: Wed, 30 Jul 2014 13:46:39 -0700 Subject: Fix the potential integer overflow from 'offset+size' in extension.h and fpdfview.cpp BUG=397258 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/419063002 --- fpdfsdk/src/fpdfview.cpp | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) (limited to 'fpdfsdk/src') diff --git a/fpdfsdk/src/fpdfview.cpp b/fpdfsdk/src/fpdfview.cpp index b950ed8641..63d4fbdcde 100644 --- a/fpdfsdk/src/fpdfview.cpp +++ b/fpdfsdk/src/fpdfview.cpp @@ -9,7 +9,7 @@ #include "../include/fsdk_rendercontext.h" #include "../include/fpdf_progressive.h" #include "../include/fpdf_ext.h" - +#include "../../third_party/numerics/safe_conversions_impl.h" CPDF_CustomAccess::CPDF_CustomAccess(FPDF_FILEACCESS* pFileAccess) { @@ -35,18 +35,27 @@ FX_BOOL CPDF_CustomAccess::GetByte(FX_DWORD pos, FX_BYTE& ch) FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size) { - if (pos + size > m_FileAccess.m_FileLen) return FALSE; + FX_SAFE_DWORD newPos = size; + newPos += pos; + if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) { + return FALSE; + } + return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size); } FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) { - // m_FileAccess = *pFileAccess; - // m_BufferOffset = (FX_DWORD)-1; - if (offset + size > m_FileAccess.m_FileLen) return FALSE; - return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size); + if (offset < 0) { + return FALSE; + } + FX_SAFE_FILESIZE newPos = base::checked_cast(size); + newPos += offset; + if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) { + return FALSE; + } - // return FALSE; + return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size); } //0 bit: FPDF_POLICY_MACHINETIME_ACCESS 
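Review bot: The new bound in `CPDF_CustomAccess::GetBlock` and `CPDF_CustomAccess::ReadBlock` uses `>=` where the removed code used `>`, so a read whose end lands exactly on `m_FileLen` (for example the final bytes of the file) is now rejected. Guarding against the wrapped sum only needs `IsValid()`, so the comparison can stay strict-greater in both functions: `if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {`. The same `>=` appears in the in-memory `ReadBlock` of the `@@ -292,8 +301,15 @@` hunk, against `(FX_DWORD)m_size`. A regression test that reads the last block of a document through each of these paths would pin the boundary.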
@@ -292,8 +301,15 @@ public: virtual FX_FILESIZE GetSize() {return m_size;} virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) { - if(offset+size > (FX_DWORD)m_size) return FALSE; + if (offset < 0) { + return FALSE; + } + + FX_SAFE_FILESIZE newPos = base::checked_cast(size); + newPos += offset; + if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size) return FALSE; FXSYS_memcpy(buffer, m_pBuf+offset, size); + return TRUE; } private: -- cgit v1.2.3
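Review bot: The checked `FX_FILESIZE` sum is still compared against `(FX_DWORD)m_size`, which brings an unsigned 32-bit operand back into a check that was just made overflow-safe; if `m_size` can exceed the `FX_DWORD` range, the cast truncates the bound. `m_size` is declared outside this hunk, but `GetSize()` returns it as `FX_FILESIZE`, so comparing against `m_size` directly, without the `(FX_DWORD)` cast, would keep both sides in the same signed type. A one-line comment above the check, such as `// offset and offset + size must both lie within [0, m_size]`, would document the invariant that the `FXSYS_memcpy` on the following line relies on.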