commit 234ec6cb860dc1b30bde876152d5c828b0e94594
author Tom Sepez <tsepez@chromium.org> Thu Jul 20 18:40:49 2023 +0000
committer Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Jul 20 18:40:49 2023 +0000
tree e2eb0a57ac9b4d893d7d1f81de23bd51f27e22d1
parent a164c9bec8e4e74c597d77ca83d6a1ed7b438c7d

Avoid misaligned loads in LoadGlobalPersistentVariablesFromBuffer().

Chrome doesn't use any of this code, but the pdfium_unittests will
trip a warning about misaligned access under a full-up ubsan build.
Fix this just for the sake of quieting the bots.

The problem is that once a fixed header is extracted from a buffer,
the remaining data is packed and can't be expected to align on machine
words. The buffer was essentially constructed by copying in this manner
rather than by assignment, so reconstruct its elements in the same way.

Bounds checking has always been dicey as it is assumed that the
data is coming from local storage as written by us.

Bug: pdfium:2066
Change-Id: Idc9edcef50cfee5899a1fb82c39a1299399382cc
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/110030
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

fxjs/cfx_globaldata.cpp

diff --git a/fxjs/cfx_globaldata.cpp b/fxjs/cfx_globaldata.cpp
index 1d25398..6d6efd5 100644
--- a/fxjs/cfx_globaldata.cpp
+++ b/fxjs/cfx_globaldata.cpp
@@ -292,10 +292,12 @@
     return false;
 
   for (int32_t i = 0, sz = dwCount; i < sz; i++) {
-    if (p > buffer.end())
+    if (p + sizeof(uint32_t) >= buffer.end()) {
       break;
+    }
 
-    uint32_t dwNameLen = *((uint32_t*)p);
+    uint32_t dwNameLen = 0;
+    memcpy(&dwNameLen, p, sizeof(uint32_t));
     p += sizeof(uint32_t);
     if (p + dwNameLen > buffer.end())
       break;
@@ -303,21 +305,25 @@
     ByteString sEntry = ByteString(p, dwNameLen);
     p += sizeof(char) * dwNameLen;
 
-    CFX_Value::DataType wDataType =
-        static_cast<CFX_Value::DataType>(*((uint16_t*)p));
+    uint16_t wDataType = 0;
+    memcpy(&wDataType, p, sizeof(uint16_t));
     p += sizeof(uint16_t);
 
-    switch (wDataType) {
+    CFX_Value::DataType eDataType = static_cast<CFX_Value::DataType>(wDataType);
+
+    switch (eDataType) {
       case CFX_Value::DataType::kNumber: {
         double dData = 0;
         switch (wVersion) {
           case 1: {
-            uint32_t dwData = *((uint32_t*)p);
+            uint32_t dwData = 0;
+            memcpy(&dwData, p, sizeof(uint32_t));
             p += sizeof(uint32_t);
             dData = dwData;
           } break;
           case 2: {
-            dData = *((double*)p);
+            dData = 0;
+            memcpy(&dData, p, sizeof(double));
             p += sizeof(double);
           } break;
         }
@@ -325,13 +331,15 @@
         SetGlobalVariablePersistent(sEntry, true);
       } break;
       case CFX_Value::DataType::kBoolean: {
-        uint16_t wData = *((uint16_t*)p);
+        uint16_t wData = 0;
+        memcpy(&wData, p, sizeof(uint16_t));
         p += sizeof(uint16_t);
         SetGlobalVariableBoolean(sEntry, (bool)(wData == 1));
         SetGlobalVariablePersistent(sEntry, true);
       } break;
       case CFX_Value::DataType::kString: {
-        uint32_t dwLength = *((uint32_t*)p);
+        uint32_t dwLength = 0;
+        memcpy(&dwLength, p, sizeof(uint32_t));
         p += sizeof(uint32_t);
         if (p + dwLength > buffer.end())
           break;