From 22eeccb34f91f9932f7cec295bcaf641ba249e3a Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Thu, 11 Aug 2016 07:50:08 -0700
Subject: Guard against undefined shift.
This Cl fixes the CFDE_XMLSyntaxParser::ParseTextChar() to handle entities where the value goes negative. Currently this could cause an undefined-shift as due to the (ch << 4) calls. Instead, detect if the value has gone negative and return a space character.
BUG=chromium:603489
Review-Url: https://codereview.chromium.org/2223823003
---
 xfa/fde/xml/fde_xml_imp.cpp | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
(limited to 'xfa/fde/xml/fde_xml_imp.cpp')
diff --git a/xfa/fde/xml/fde_xml_imp.cpp b/xfa/fde/xml/fde_xml_imp.cpp
index 4c6dcf989c..8e14f021ce 100644
--- a/xfa/fde/xml/fde_xml_imp.cpp
+++ b/xfa/fde/xml/fde_xml_imp.cpp
@@ -14,6 +14,8 @@
 namespace {
+const uint32_t kMaxCharRange = 0x10ffff;
+
 const uint16_t g_XMLValidCharRange[][2] = {{0x09, 0x09}, {0x0A, 0x0A}, {0x0D, 0x0D},
@@ -1838,23 +1840,23 @@ FX_FILESIZE CFDE_XMLSyntaxParser::GetCurrentBinaryPos() const {
 return m_iParsedBytes + nDstLen;
 }
-void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
+void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR character) {
 if (m_iIndexInBlock == m_iAllocStep) {
 m_pCurrentBlock = m_BlockBuffer.GetAvailableBlock(m_iIndexInBlock);
 if (!m_pCurrentBlock) {
 return;
 }
 }
- m_pCurrentBlock[m_iIndexInBlock++] = ch;
+ m_pCurrentBlock[m_iIndexInBlock++] = character;
 m_iDataLength++;
- if (m_iEntityStart > -1 && ch == L';') {
+ if (m_iEntityStart > -1 && character == L';') {
 CFX_WideString csEntity;
 m_BlockBuffer.GetTextData(csEntity, m_iEntityStart + 1, (m_iDataLength - 1) - m_iEntityStart - 1);
 int32_t iLen = csEntity.GetLength();
 if (iLen > 0) {
 if (csEntity[0] == L'#') {
- ch = 0;
+ uint32_t ch = 0;
 FX_WCHAR w;
 if (iLen > 1 && csEntity[1] == L'x') {
 for (int32_t i = 2; i < iLen; i++) {
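Review bot: `kMaxCharRange` in the first hunk is declared without a comment, and the name does not say what the bound represents or what happens to values beyond it. A line above it such as `// Highest Unicode code point (U+10FFFF); larger numeric character references are replaced with a space.` would document the contract. The neighbouring `g_XMLValidCharRange` table holds `uint16_t` pairs, so it would also help to state whether the new constant is meant to be the only limit applied to decoded references above the 16-bit range.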
@@ -1872,14 +1874,17 @@ void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
 } else {
 for (int32_t i = 1; i < iLen; i++) {
 w = csEntity[i];
- if (w < L'0' || w > L'9') {
+ if (w < L'0' || w > L'9')
 break;
- }
 ch = ch * 10 + w - L'0';
 }
 }
- if (ch != 0) {
- m_BlockBuffer.SetTextChar(m_iEntityStart, ch);
+ if (ch > kMaxCharRange)
+ ch = ' ';
+
+ character = static_cast(ch);
+ if (character != 0) {
+ m_BlockBuffer.SetTextChar(m_iEntityStart, character);
 m_iEntityStart++;
 }
 } else {
@@ -1905,7 +1910,7 @@ void CFDE_XMLSyntaxParser::ParseTextChar(FX_WCHAR ch) {
 m_pCurrentBlock = m_BlockBuffer.GetAvailableBlock(m_iIndexInBlock);
 m_iEntityStart = -1;
 } else {
- if (m_iEntityStart < 0 && ch == L'&') {
+ if (m_iEntityStart < 0 && character == L'&') {
 m_iEntityStart = m_iDataLength - 1;
 }
 }
-- cgit v1.2.3
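Review bot: The range check `if (ch > kMaxCharRange)` runs only after the digit loop, so with `ch` now a `uint32_t` a reference with enough digits wraps modulo 2^32 and can land back inside the allowed range instead of being replaced with a space. Checking inside the loop closes this: add `if (ch > kMaxCharRange) break;` right after `ch = ch * 10 + w - L'0';`, and do the same after the hex accumulation, which lies outside this hunk. Separately, the cast to `FX_WCHAR` narrows silently if that type is 16 bits wide on some platforms (its definition is not visible here), so a value above 0xFFFF that passes the check would be stored as a different character. Within the visible lines the decoded value is also not tested against `g_XMLValidCharRange`, so surrogate and other non-XML code points appear to pass through; the function continues past this hunk, so confirm that against the full body.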