Bound access to g_ arrays in BC_PDF417HighLevelEncoder.cpp
Speculative fix for wild read reported in associated bug.
Also fix loop when count is 0.
Bug: chromium:906465
Change-Id: I119808d7624bf8cf512d2ed88d43274be03bda5d
Reviewed-on: https://pdfium-review.googlesource.com/c/45871
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/fxbarcode/pdf417/BC_PDF417HighLevelEncoder.cpp b/fxbarcode/pdf417/BC_PDF417HighLevelEncoder.cpp
index 1fdb0bc..0517979 100644
--- a/fxbarcode/pdf417/BC_PDF417HighLevelEncoder.cpp
+++ b/fxbarcode/pdf417/BC_PDF417HighLevelEncoder.cpp
@@ -53,11 +53,13 @@
}
bool IsMixed(wchar_t ch) {
- return g_mixed[ch] != -1;
+ // Bounds check avoiding sign mismatch error given questionable signedness.
+ return !((ch & ~0x7F) || g_mixed[ch] == -1);
}
bool IsPunctuation(wchar_t ch) {
- return g_punctuation[ch] != -1;
+ // Bounds check avoiding sign mismatch error given questionable signedness.
+ return !((ch & ~0x7F) || g_punctuation[ch] == -1);
}
bool IsText(wchar_t ch) {
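Review bot: The `0x7F` mask in IsMixed and IsPunctuation hard-codes a table length of 128, and the declarations of `g_mixed` and `g_punctuation` are outside this hunk, so nothing visible ties the mask to the tables. If the tables are true arrays, a `static_assert(sizeof(g_punctuation) / sizeof(g_punctuation[0]) == 128, "mask in IsPunctuation assumes 128 entries");` beside each one would make a later resize fail at compile time instead of reintroducing the out-of-bounds read. The comment could also give the actual reason for the mask form, which is that `wchar_t` is signed on some platforms and unsigned on others, rather than "questionable signedness". IsText begins on the last line of the hunk and its body is not visible, so whether it needs the same guard cannot be judged from here.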
@@ -164,7 +166,7 @@
tmp.Reserve(count);
SubMode submode = initialSubmode;
size_t idx = 0;
- while (true) {
+ while (idx < count) {
wchar_t ch = msg[startpos + idx];
switch (submode) {
case SubMode::kAlpha:
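Review bot: The new `idx < count` condition bounds the loop counter, but the read `msg[startpos + idx]` is only in range if `startpos + count` does not exceed the length of `msg`, and no such check appears in the visible lines. The function's opening is outside this hunk, so the check may already exist there. If it is a caller obligation, state it above the loop, for example `// Precondition: startpos + count <= length of msg.`, so the next bounds fix does not have to rediscover it.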
@@ -185,8 +187,10 @@
tmp += 28;
continue;
}
- tmp += 29;
- tmp += g_punctuation[ch];
+ if (IsPunctuation(ch)) {
+ tmp += 29;
+ tmp += g_punctuation[ch];
+ }
break;
case SubMode::kLower:
if (IsAlphaLowerOrSpace(ch)) {
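Review bot: When `IsPunctuation(ch)` is false in the new guarded block, the `break` still reaches `++idx`, so a character that fits none of the sub-mode tables (anything above 0x7F, given the new bounds check) is dropped from `tmp` without any signal. The same pattern is added in the kLower and kMixed cases. Whether callers filter such input beforehand is not visible here; if they do not, the encoded barcode silently differs from the message. At minimum add a comment such as `// Unencodable character: skipped, nothing is emitted.`, and consider reporting the failure to the caller instead. The enclosing function starts and ends outside these hunks.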
@@ -206,9 +210,10 @@
tmp += 28;
continue;
}
-
- tmp += 29;
- tmp += g_punctuation[ch];
+ if (IsPunctuation(ch)) {
+ tmp += 29;
+ tmp += g_punctuation[ch];
+ }
break;
case SubMode::kMixed:
if (IsMixed(ch)) {
@@ -233,8 +238,10 @@
continue;
}
}
- tmp += 29;
- tmp += g_punctuation[ch];
+ if (IsPunctuation(ch)) {
+ tmp += 29;
+ tmp += g_punctuation[ch];
+ }
break;
default:
if (IsPunctuation(ch)) {
@@ -245,9 +252,7 @@
tmp += 29;
continue;
}
- idx++;
- if (idx >= count)
- break;
+ ++idx;
}
wchar_t h = 0;
size_t len = tmp.GetLength();