commit d87c5c21bdfc94d5ebb4650d762995c30bfb356b
author Lei Zhang <thestig@chromium.org> Wed Mar 02 20:21:09 2022 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Wed Mar 02 20:21:09 2022 +0000
tree 29910519404fdf6f3950051eb6c9663e86b059c3
parent 6d041c72e4e6857642eafbb90c6633d2eafae9d3

Avoid UBSAN error in CFXJSE_FormCalcContext::GenerateSomExpression().

Avoid the undefined behavior and default to 0.

Bug: chromium:1301044
Change-Id: Idcbeea75921569b761e5d87bcabb5eadabe5458b
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/91054
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

fxjs/xfa/cfxjse_formcalc_context.cpp

diff --git a/fxjs/xfa/cfxjse_formcalc_context.cpp b/fxjs/xfa/cfxjse_formcalc_context.cpp
index 4f7a546..a18bbe0 100644
--- a/fxjs/xfa/cfxjse_formcalc_context.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context.cpp
@@ -21,6 +21,7 @@
 #include "core/fxcrt/fx_extension.h"
 #include "core/fxcrt/fx_memory_wrappers.h"
 #include "core/fxcrt/fx_random.h"
+#include "core/fxcrt/fx_safe_types.h"
 #include "fxjs/fxv8.h"
 #include "fxjs/xfa/cfxjse_class.h"
 #include "fxjs/xfa/cfxjse_context.h"
@@ -5271,8 +5272,11 @@
     DCHECK_EQ(iIndexFlags, 3);
     bsSomExp += bNegative ? "[" : "[-";
   }
-  iIndexValue = bNegative ? 0 - iIndexValue : iIndexValue;
-  bsSomExp += ByteString::FormatInteger(iIndexValue);
+
+  FX_SAFE_INT32 safe_index = iIndexValue;
+  if (bNegative)
+    safe_index = -safe_index;
+  bsSomExp += ByteString::FormatInteger(safe_index.ValueOrDefault(0));
   bsSomExp += "]";
   return bsSomExp;
 }

fxjs/xfa/cfxjse_formcalc_context_unittest.cpp

diff --git a/fxjs/xfa/cfxjse_formcalc_context_unittest.cpp b/fxjs/xfa/cfxjse_formcalc_context_unittest.cpp
index 1a6abb5..7a4404f 100644
--- a/fxjs/xfa/cfxjse_formcalc_context_unittest.cpp
+++ b/fxjs/xfa/cfxjse_formcalc_context_unittest.cpp
@@ -48,12 +48,9 @@
                                                          /*bIsStar=*/false);
   EXPECT_EQ(result, "barb[+2147483647]");
 
-#if 0
-  // TODO(crbug.com/1301044): Fix and enable.
   result = CFXJSE_FormCalcContext::GenerateSomExpression(
       "bart", 2, -2147483648, /*bIsStar=*/false);
-  EXPECT_EQ(result, "bart[--2147483648]");
-#endif
+  EXPECT_EQ(result, "bart[-0]");
 
   result = CFXJSE_FormCalcContext::GenerateSomExpression("bark", 3, 0,
                                                          /*bIsStar=*/false);
@@ -71,10 +68,7 @@
                                                          /*bIsStar=*/false);
   EXPECT_EQ(result, "cars[-2147483647]");
 
-#if 0
-  // TODO(crbug.com/1301044): Fix and enable.
   result = CFXJSE_FormCalcContext::GenerateSomExpression(
       "mars", 3, -2147483648, /*bIsStar=*/false);
-  EXPECT_EQ(result, "mars[-2147483648]");
-#endif
+  EXPECT_EQ(result, "mars[0]");
 }