From 4796acb896dabefe6d9a2dbe6d8a61ff7e086dfd Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Wed, 11 Apr 2018 19:56:43 +0000
Subject: Make cxfa_fmlexer.cpp resilient to null strings
As currently written, the calculation of m_end will underflow when passed a {nullptr, 0} pair as input, and m_end becomes essentially unbounded.
Change-Id: Id3249b201c446555d9aa4fa04e6a3c94a357cd99
Reviewed-on: https://pdfium-review.googlesource.com/30230
Reviewed-by: dsinclair
Commit-Queue: Tom Sepez
---
 xfa/fxfa/fm2js/cxfa_fmlexer.cpp | 22 +++++++++++-----------
 xfa/fxfa/fm2js/cxfa_fmlexer_unittest.cpp | 7 +++++++
 2 files changed, 18 insertions(+), 11 deletions(-)
(limited to 'xfa/fxfa')
diff --git a/xfa/fxfa/fm2js/cxfa_fmlexer.cpp b/xfa/fxfa/fm2js/cxfa_fmlexer.cpp
index 3559fb7aeb..72fe0f2a01 100644
--- a/xfa/fxfa/fm2js/cxfa_fmlexer.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmlexer.cpp
@@ -130,7 +130,7 @@ WideString CXFA_FMToken::ToDebugString() const {
 CXFA_FMLexer::CXFA_FMLexer(const WideStringView& wsFormCalc)
 : m_cursor(wsFormCalc.unterminated_c_str()),
- m_end(m_cursor + wsFormCalc.GetLength() - 1),
+ m_end(m_cursor + wsFormCalc.GetLength()),
 m_lexer_error(false) {}
 CXFA_FMLexer::~CXFA_FMLexer() {}
@@ -139,7 +139,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 if (m_lexer_error)
 return CXFA_FMToken();
- while (m_cursor <= m_end && *m_cursor) {
+ while (m_cursor < m_end && *m_cursor) {
 if (!IsFormCalcCharacter(*m_cursor)) {
 RaiseError();
 return CXFA_FMToken();
@@ -170,7 +170,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 return AdvanceForNumber();
 case '=':
 ++m_cursor;
- if (m_cursor > m_end)
+ if (m_cursor >= m_end)
 return CXFA_FMToken(TOKassign);
 if (!IsFormCalcCharacter(*m_cursor)) {
@@ -184,7 +184,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 return CXFA_FMToken(TOKassign);
 case '<':
 ++m_cursor;
- if (m_cursor > m_end)
+ if (m_cursor >= m_end)
 return CXFA_FMToken(TOKlt);
 if (!IsFormCalcCharacter(*m_cursor)) {
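Review bot: `m_end` carries no comment saying it now points one past the last character, although every bound check touched by this patch depends on that reading. A comment on the initializer in the constructor, such as `// m_end is one past the last character; the input is [m_cursor, m_end)`, would keep a later edit from reintroducing the inclusive form. Any comparison against `m_end` outside the eleven changed lines (the rest of the file is not visible here) has to use `<` / `>=` as well, otherwise it would dereference one element beyond the view.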
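Review bot: The end-of-input test is repeated by hand: `m_cursor < m_end && *m_cursor` in the NextToken loop here and again in AdvanceForString, AdvanceForIdentifier and AdvanceForComment, and `m_cursor >= m_end` in the `=`, `<`, `>`, `/` and `.` cases and the escaped-quote check. A private predicate, for example `bool AtEnd() const { return m_cursor >= m_end; }`, would leave a single place to edit if the bound's representation changes again. The loops also stop at an embedded NUL while the `>=` checks do not; whether that difference is intended cannot be told from the hunks, since NextToken's body continues outside them.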
@@ -202,7 +202,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 return CXFA_FMToken(TOKlt);
 case '>':
 ++m_cursor;
- if (m_cursor > m_end)
+ if (m_cursor >= m_end)
 return CXFA_FMToken(TOKgt);
 if (!IsFormCalcCharacter(*m_cursor)) {
@@ -246,7 +246,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 return CXFA_FMToken(TOKmul);
 case '/': {
 ++m_cursor;
- if (m_cursor > m_end)
+ if (m_cursor >= m_end)
 return CXFA_FMToken(TOKdiv);
 if (!IsFormCalcCharacter(*m_cursor)) {
@@ -261,7 +261,7 @@ CXFA_FMToken CXFA_FMLexer::NextToken() {
 }
 case '.':
 ++m_cursor;
- if (m_cursor > m_end)
+ if (m_cursor >= m_end)
 return CXFA_FMToken(TOKdot);
 if (!IsFormCalcCharacter(*m_cursor)) {
@@ -323,7 +323,7 @@ CXFA_FMToken CXFA_FMLexer::AdvanceForString() {
 const wchar_t* start = m_cursor;
 ++m_cursor;
- while (m_cursor <= m_end && *m_cursor) {
+ while (m_cursor < m_end && *m_cursor) {
 if (!IsFormCalcCharacter(*m_cursor))
 break;
@@ -331,7 +331,7 @@ CXFA_FMToken CXFA_FMLexer::AdvanceForString() {
 // Check for escaped "s, i.e. "".
 ++m_cursor;
 // If the end of the input has been reached it was not escaped.
- if (m_cursor > m_end) {
+ if (m_cursor >= m_end) {
 token.m_string = WideStringView(start, static_cast(m_cursor - start));
 return token;
@@ -357,7 +357,7 @@ CXFA_FMToken CXFA_FMLexer::AdvanceForString() {
 CXFA_FMToken CXFA_FMLexer::AdvanceForIdentifier() {
 const wchar_t* start = m_cursor;
 ++m_cursor;
- while (m_cursor <= m_end && *m_cursor) {
+ while (m_cursor < m_end && *m_cursor) {
 if (!IsFormCalcCharacter(*m_cursor)) {
 RaiseError();
 return CXFA_FMToken();
@@ -377,7 +377,7 @@ CXFA_FMToken CXFA_FMLexer::AdvanceForIdentifier() {
 void CXFA_FMLexer::AdvanceForComment() {
 m_cursor++;
- while (m_cursor <= m_end && *m_cursor) {
+ while (m_cursor < m_end && *m_cursor) {
 if (!IsFormCalcCharacter(*m_cursor)) {
 RaiseError();
 return;
diff --git a/xfa/fxfa/fm2js/cxfa_fmlexer_unittest.cpp b/xfa/fxfa/fm2js/cxfa_fmlexer_unittest.cpp
index 00dc494582..248b9fead6 100644
--- a/xfa/fxfa/fm2js/cxfa_fmlexer_unittest.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fmlexer_unittest.cpp
@@ -10,6 +10,13 @@
 #include "testing/test_support.h"
 #include "third_party/base/ptr_util.h"
+TEST(CXFA_FMLexerTest, NullString) {
+ WideStringView null_string;
+ CXFA_FMLexer lexer(null_string);
+ CXFA_FMToken token = lexer.NextToken();
+ EXPECT_EQ(TOKeof, token.m_type);
+}
+
 TEST(CXFA_FMLexerTest, EmptyString) {
 CXFA_FMLexer lexer(L"");
 CXFA_FMToken token = lexer.NextToken();
--
cgit v1.2.3
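Review bot: NullString covers the `{nullptr, 0}` input, but no test uses a view shorter than its backing buffer, which is the only case where `m_end` rather than the terminating NUL stops the lexer. A case built from a prefix of a longer literal, e.g. `CXFA_FMLexer lexer(WideStringView(L"a=b", 2));`, could expect the token for `a`, then `TOKassign`, then `TOKeof`, and check that the trailing `b` is never consumed. That would pin the new exclusive bound in the `'='` branch and fail if a comparison is left in its old inclusive form.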