Mark more two-arg fxcrt functions as UNSAFE_BUFFER_USAGE.
Force callers of these functions to declare UNSAFE_BUFFERS.
Change-Id: I35595cf0009127b9e915a40734680ae421db7672
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/120174
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fxcodec/gif/cfx_gifcontext.cpp b/core/fxcodec/gif/cfx_gifcontext.cpp
index 71c9e66..e8b1a3e 100644
--- a/core/fxcodec/gif/cfx_gifcontext.cpp
+++ b/core/fxcodec/gif/cfx_gifcontext.cpp
@@ -16,6 +16,7 @@
#include "core/fxcodec/cfx_codec_memory.h"
#include "core/fxcrt/byteorder.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/data_vector.h"
#include "core/fxcrt/stl_util.h"
@@ -245,8 +246,8 @@
img_row_avail_size_ = gif_img_row_bytes - img_row_offset_;
auto img_row_span = pdfium::make_span(gif_image->row_buffer)
.subspan(img_row_offset_, img_row_avail_size_);
- LZWDecompressor::Status ret =
- lzw_decompressor_->Decode(img_row_span.data(), &img_row_avail_size_);
+ LZWDecompressor::Status ret = UNSAFE_TODO(
+ lzw_decompressor_->Decode(img_row_span.data(), &img_row_avail_size_));
if (ret == LZWDecompressor::Status::kError) {
DecodingFailureAtTailCleanup(gif_image);
return GifDecoder::Status::kError;
@@ -278,8 +279,8 @@
img_row_avail_size_ = gif_img_row_bytes - img_row_offset_;
img_row_span = pdfium::make_span(gif_image->row_buffer)
.subspan(img_row_offset_, img_row_avail_size_);
- ret = lzw_decompressor_->Decode(img_row_span.data(),
- &img_row_avail_size_);
+ ret = UNSAFE_TODO(lzw_decompressor_->Decode(img_row_span.data(),
+ &img_row_avail_size_));
}
}
@@ -304,8 +305,8 @@
img_row_avail_size_ = gif_img_row_bytes;
img_row_span = pdfium::make_span(gif_image->row_buffer)
.subspan(img_row_offset_, img_row_avail_size_);
- ret = lzw_decompressor_->Decode(img_row_span.data(),
- &img_row_avail_size_);
+ ret = UNSAFE_TODO(lzw_decompressor_->Decode(img_row_span.data(),
+ &img_row_avail_size_));
}
if (ret == LZWDecompressor::Status::kError) {
diff --git a/core/fxcodec/gif/lzw_decompressor.h b/core/fxcodec/gif/lzw_decompressor.h
index 131d327..c5a0560 100644
--- a/core/fxcodec/gif/lzw_decompressor.h
+++ b/core/fxcodec/gif/lzw_decompressor.h
@@ -14,6 +14,7 @@
#include <memory>
#include "core/fxcodec/gif/cfx_gif.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/data_vector.h"
#include "core/fxcrt/span.h"
@@ -39,7 +40,7 @@
~LZWDecompressor();
void SetSource(pdfium::span<const uint8_t> src_buf);
- Status Decode(uint8_t* dest_buf, uint32_t* dest_size);
+ UNSAFE_BUFFER_USAGE Status Decode(uint8_t* dest_buf, uint32_t* dest_size);
// Used by unittests, should not be called in production code.
size_t ExtractDataForTest(pdfium::span<uint8_t> dest_buf) {
diff --git a/core/fxcodec/jpeg/jpegmodule.h b/core/fxcodec/jpeg/jpegmodule.h
index 0d479f5..b24b65b 100644
--- a/core/fxcodec/jpeg/jpegmodule.h
+++ b/core/fxcodec/jpeg/jpegmodule.h
@@ -17,6 +17,7 @@
#include "core/fxcrt/span.h"
#if BUILDFLAG(IS_WIN)
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/retain_ptr.h"
#endif
@@ -47,9 +48,10 @@
pdfium::span<const uint8_t> src_span);
#if BUILDFLAG(IS_WIN)
- static bool JpegEncode(const RetainPtr<const CFX_DIBBase>& pSource,
- uint8_t** dest_buf,
- size_t* dest_size);
+ UNSAFE_BUFFER_USAGE static bool JpegEncode(
+ const RetainPtr<const CFX_DIBBase>& pSource,
+ uint8_t** dest_buf,
+ size_t* dest_size);
#endif // BUILDFLAG(IS_WIN)
JpegModule() = delete;
diff --git a/core/fxcodec/jpx/jpx_decode_utils.h b/core/fxcodec/jpx/jpx_decode_utils.h
index fc3d78a..d27b8c3 100644
--- a/core/fxcodec/jpx/jpx_decode_utils.h
+++ b/core/fxcodec/jpx/jpx_decode_utils.h
@@ -9,6 +9,8 @@
#include <stdint.h>
+#include "core/fxcrt/compiler_specific.h"
+
#if defined(USE_SYSTEM_LIBOPENJPEG2)
#include <openjpeg.h>
#else
@@ -18,7 +20,7 @@
namespace fxcodec {
struct DecodeData {
- DecodeData(const uint8_t* data, OPJ_SIZE_T size)
+ UNSAFE_BUFFER_USAGE DecodeData(const uint8_t* data, OPJ_SIZE_T size)
: src_data(data), src_size(size), offset(0) {}
const uint8_t* src_data;
diff --git a/core/fxcrt/css/cfx_cssdeclaration.cpp b/core/fxcrt/css/cfx_cssdeclaration.cpp
index 3e4f67a..a92676c 100644
--- a/core/fxcrt/css/cfx_cssdeclaration.cpp
+++ b/core/fxcrt/css/cfx_cssdeclaration.cpp
@@ -13,6 +13,7 @@
#include "core/fxcrt/check.h"
#include "core/fxcrt/check_op.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/css/cfx_csscolorvalue.h"
#include "core/fxcrt/css/cfx_csscustomproperty.h"
#include "core/fxcrt/css/cfx_cssenumvalue.h"
@@ -35,8 +36,8 @@
DCHECK(!view.IsEmpty());
size_t nUsedLen = 0;
- float value =
- FXSYS_wcstof(view.unterminated_c_str(), view.GetLength(), &nUsedLen);
+ float value = UNSAFE_TODO(
+ FXSYS_wcstof(view.unterminated_c_str(), view.GetLength(), &nUsedLen));
if (nUsedLen == 0 || !isfinite(value)) {
return std::nullopt;
}
diff --git a/core/fxcrt/fixed_size_data_vector.h b/core/fxcrt/fixed_size_data_vector.h
index 07988cd..621d41e 100644
--- a/core/fxcrt/fixed_size_data_vector.h
+++ b/core/fxcrt/fixed_size_data_vector.h
@@ -106,7 +106,8 @@
pdfium::span<const T> last(size_t count) const { return span().last(count); }
private:
- FixedSizeDataVector(T* ptr, size_t size) : data_(ptr), size_(size) {}
+ UNSAFE_BUFFER_USAGE FixedSizeDataVector(T* ptr, size_t size)
+ : data_(ptr), size_(size) {}
std::unique_ptr<T, FxFreeDeleter> data_;
size_t size_ = 0;
diff --git a/core/fxcrt/fx_extension.h b/core/fxcrt/fx_extension.h
index 4b55094..dbd07cc 100644
--- a/core/fxcrt/fx_extension.h
+++ b/core/fxcrt/fx_extension.h
@@ -13,6 +13,7 @@
#include <wctype.h>
#include "build/build_config.h"
+#include "core/fxcrt/compiler_specific.h"
#if defined(USE_SYSTEM_ICUUC)
#include <unicode/uchar.h>
@@ -24,8 +25,12 @@
#define FX_IsOdd(a) ((a)&1)
-float FXSYS_wcstof(const wchar_t* pwsStr, size_t nLength, size_t* pUsedLen);
-wchar_t* FXSYS_wcsncpy(wchar_t* dstStr, const wchar_t* srcStr, size_t count);
+UNSAFE_BUFFER_USAGE float FXSYS_wcstof(const wchar_t* pwsStr,
+ size_t nLength,
+ size_t* pUsedLen);
+UNSAFE_BUFFER_USAGE wchar_t* FXSYS_wcsncpy(wchar_t* dstStr,
+ const wchar_t* srcStr,
+ size_t count);
inline bool FXSYS_iswlower(int32_t c) {
return u_islower(c);
diff --git a/core/fxcrt/fx_extension_unittest.cpp b/core/fxcrt/fx_extension_unittest.cpp
index 9cbfa75..d187885 100644
--- a/core/fxcrt/fx_extension_unittest.cpp
+++ b/core/fxcrt/fx_extension_unittest.cpp
@@ -132,92 +132,98 @@
TEST(fxcrt, FXSYS_wcstof) {
size_t used_len = 0;
- EXPECT_FLOAT_EQ(-12.0f, FXSYS_wcstof(L"-12", 3, &used_len));
+ EXPECT_FLOAT_EQ(-12.0f, UNSAFE_TODO(FXSYS_wcstof(L"-12", 3, &used_len)));
EXPECT_EQ(3u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(12.0f, FXSYS_wcstof(L"+12", 3, &used_len));
+ EXPECT_FLOAT_EQ(12.0f, UNSAFE_TODO(FXSYS_wcstof(L"+12", 3, &used_len)));
EXPECT_EQ(3u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(123.0f, FXSYS_wcstof(L" 123", 4, &used_len));
+ EXPECT_FLOAT_EQ(123.0f, UNSAFE_TODO(FXSYS_wcstof(L" 123", 4, &used_len)));
EXPECT_EQ(4u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(123.0f, FXSYS_wcstof(L" 123 ", 5, &used_len));
+ EXPECT_FLOAT_EQ(123.0f, UNSAFE_TODO(FXSYS_wcstof(L" 123 ", 5, &used_len)));
EXPECT_EQ(4u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.0f, FXSYS_wcstof(L" 1 2 3 ", 7, &used_len));
+ EXPECT_FLOAT_EQ(1.0f, UNSAFE_TODO(FXSYS_wcstof(L" 1 2 3 ", 7, &used_len)));
EXPECT_EQ(2u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.5362f, FXSYS_wcstof(L"1.5362", 6, &used_len));
+ EXPECT_FLOAT_EQ(1.5362f, UNSAFE_TODO(FXSYS_wcstof(L"1.5362", 6, &used_len)));
EXPECT_EQ(6u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.0f, FXSYS_wcstof(L"1 .5362", 7, &used_len));
+ EXPECT_FLOAT_EQ(1.0f, UNSAFE_TODO(FXSYS_wcstof(L"1 .5362", 7, &used_len)));
EXPECT_EQ(1u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.0f, FXSYS_wcstof(L"1. 5362", 7, &used_len));
+ EXPECT_FLOAT_EQ(1.0f, UNSAFE_TODO(FXSYS_wcstof(L"1. 5362", 7, &used_len)));
EXPECT_EQ(2u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.5f, FXSYS_wcstof(L"1.5.3.6.2", 9, &used_len));
+ EXPECT_FLOAT_EQ(1.5f, UNSAFE_TODO(FXSYS_wcstof(L"1.5.3.6.2", 9, &used_len)));
EXPECT_EQ(3u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(0.875f, FXSYS_wcstof(L"0.875", 5, &used_len));
+ EXPECT_FLOAT_EQ(0.875f, UNSAFE_TODO(FXSYS_wcstof(L"0.875", 5, &used_len)));
EXPECT_EQ(5u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(5.56e-2f, FXSYS_wcstof(L"5.56e-2", 7, &used_len));
+ EXPECT_FLOAT_EQ(5.56e-2f,
+ UNSAFE_TODO(FXSYS_wcstof(L"5.56e-2", 7, &used_len)));
EXPECT_EQ(7u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(1.234e10f, FXSYS_wcstof(L"1.234E10", 8, &used_len));
+ EXPECT_FLOAT_EQ(1.234e10f,
+ UNSAFE_TODO(FXSYS_wcstof(L"1.234E10", 8, &used_len)));
EXPECT_EQ(8u, used_len);
used_len = 0;
- EXPECT_TRUE(isinf(FXSYS_wcstof(L"1.234E100000000000000", 21, &used_len)));
+ EXPECT_TRUE(isinf(
+ UNSAFE_TODO(FXSYS_wcstof(L"1.234E100000000000000", 21, &used_len))));
EXPECT_EQ(21u, used_len);
used_len = 0;
- EXPECT_FLOAT_EQ(0.0f, FXSYS_wcstof(L"1.234E-128", 10, &used_len));
+ EXPECT_FLOAT_EQ(0.0f,
+ UNSAFE_TODO(FXSYS_wcstof(L"1.234E-128", 10, &used_len)));
EXPECT_EQ(10u, used_len);
// TODO(dsinclair): This should round as per IEEE 64-bit values.
// EXPECT_EQ(L"123456789.01234567", FXSYS_wcstof(L"123456789.012345678"));
used_len = 0;
- EXPECT_FLOAT_EQ(123456789.012345678f,
- FXSYS_wcstof(L"123456789.012345678", 19, &used_len));
+ EXPECT_FLOAT_EQ(
+ 123456789.012345678f,
+ UNSAFE_TODO(FXSYS_wcstof(L"123456789.012345678", 19, &used_len)));
EXPECT_EQ(19u, used_len);
// TODO(dsinclair): This is spec'd as rounding when > 16 significant digits
// prior to the exponent.
// EXPECT_EQ(100000000000000000, FXSYS_wcstof(L"99999999999999999"));
used_len = 0;
- EXPECT_FLOAT_EQ(99999999999999999.0f,
- FXSYS_wcstof(L"99999999999999999", 17, &used_len));
+ EXPECT_FLOAT_EQ(
+ 99999999999999999.0f,
+ UNSAFE_TODO(FXSYS_wcstof(L"99999999999999999", 17, &used_len)));
EXPECT_EQ(17u, used_len);
// For https://crbug.com/pdfium/1217
- EXPECT_FLOAT_EQ(0.0f, FXSYS_wcstof(L"e76", 3, nullptr));
+ EXPECT_FLOAT_EQ(0.0f, UNSAFE_TODO(FXSYS_wcstof(L"e76", 3, nullptr)));
// Overflow to infinity.
used_len = 0;
- EXPECT_TRUE(isinf(FXSYS_wcstof(
+ EXPECT_TRUE(isinf(UNSAFE_TODO(FXSYS_wcstof(
L"88888888888888888888888888888888888888888888888888888888888888888888888"
L"88888888888888888888888888888888888888888888888888888888888",
- 130, &used_len)));
+ 130, &used_len))));
EXPECT_EQ(130u, used_len);
used_len = 0;
- EXPECT_TRUE(isinf(FXSYS_wcstof(
+ EXPECT_TRUE(isinf(UNSAFE_TODO(FXSYS_wcstof(
L"-8888888888888888888888888888888888888888888888888888888888888888888888"
L"888888888888888888888888888888888888888888888888888888888888",
- 131, &used_len)));
+ 131, &used_len))));
EXPECT_EQ(131u, used_len);
}
diff --git a/core/fxcrt/fx_system.h b/core/fxcrt/fx_system.h
index b7bf8b6..e7c9f4d 100644
--- a/core/fxcrt/fx_system.h
+++ b/core/fxcrt/fx_system.h
@@ -14,6 +14,7 @@
#include <wchar.h>
#include "build/build_config.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_types.h"
#if defined(_MSC_VER) && _MSC_VER < 1900
@@ -58,10 +59,10 @@
#define FXSYS_wcsupr _wcsupr
#define FXSYS_SetLastError SetLastError
#define FXSYS_GetLastError GetLastError
-size_t FXSYS_wcsftime(wchar_t* strDest,
- size_t maxsize,
- const wchar_t* format,
- const struct tm* timeptr);
+UNSAFE_BUFFER_USAGE size_t FXSYS_wcsftime(wchar_t* strDest,
+ size_t maxsize,
+ const wchar_t* format,
+ const struct tm* timeptr);
#else // BUILDFLAG(IS_WIN)
char* FXSYS_itoa(int value, char* str, int radix);
char* FXSYS_strlwr(char* str);
diff --git a/core/fxcrt/fx_system_unittest.cpp b/core/fxcrt/fx_system_unittest.cpp
index 359b271..4ca78ac 100644
--- a/core/fxcrt/fx_system_unittest.cpp
+++ b/core/fxcrt/fx_system_unittest.cpp
@@ -288,8 +288,8 @@
good_time.tm_sec = 59;
wchar_t buf[100] = {};
- EXPECT_EQ(19u, FXSYS_wcsftime(buf, std::size(buf), L"%Y-%m-%dT%H:%M:%S",
- &good_time));
+ EXPECT_EQ(19u, UNSAFE_TODO(FXSYS_wcsftime(buf, std::size(buf),
+ L"%Y-%m-%dT%H:%M:%S", &good_time)));
EXPECT_STREQ(L"1974-08-09T11:59:59", buf);
// Ensure wcsftime handles a wide range of years without crashing.
@@ -303,8 +303,8 @@
for (int year = -2500; year <= 8500; ++year) {
year_time.tm_year = year;
wchar_t year_buf[100] = {};
- FXSYS_wcsftime(year_buf, std::size(year_buf), L"%Y-%m-%dT%H:%M:%S",
- &year_time);
+ UNSAFE_TODO(FXSYS_wcsftime(year_buf, std::size(year_buf),
+ L"%Y-%m-%dT%H:%M:%S", &year_time));
}
// Ensure wcsftime handles bad years, etc. without crashing.
@@ -316,7 +316,8 @@
bad_time.tm_min = -1;
bad_time.tm_sec = -1;
- FXSYS_wcsftime(buf, std::size(buf), L"%y-%m-%dT%H:%M:%S", &bad_time);
+ UNSAFE_TODO(
+ FXSYS_wcsftime(buf, std::size(buf), L"%y-%m-%dT%H:%M:%S", &bad_time));
// Ensure wcsftime handles bad-ish day without crashing (Feb 30).
struct tm feb_time = {};
@@ -327,7 +328,8 @@
feb_time.tm_min = 00;
feb_time.tm_sec = 00;
- FXSYS_wcsftime(buf, std::size(buf), L"%y-%m-%dT%H:%M:%S", &feb_time);
+ UNSAFE_TODO(
+ FXSYS_wcsftime(buf, std::size(buf), L"%y-%m-%dT%H:%M:%S", &feb_time));
}
TEST(fxcrt, FXSYS_atoi) {
diff --git a/fxjs/cjs_util.cpp b/fxjs/cjs_util.cpp
index 9362252..e3c22c2 100644
--- a/fxjs/cjs_util.cpp
+++ b/fxjs/cjs_util.cpp
@@ -15,6 +15,7 @@
#include "build/build_config.h"
#include "core/fxcrt/check_op.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_extension.h"
#include "core/fxcrt/span.h"
#include "fxjs/cjs_event_context.h"
@@ -263,7 +264,7 @@
time.tm_sec = sec;
wchar_t buf[64] = {};
- FXSYS_wcsftime(buf, 64, cFormat.c_str(), &time);
+ UNSAFE_TODO(FXSYS_wcsftime(buf, 64, cFormat.c_str(), &time));
cFormat = buf;
return CJS_Result::Success(pRuntime->NewString(cFormat.c_str()));
}
diff --git a/fxjs/xfa/cjx_object.cpp b/fxjs/xfa/cjx_object.cpp
index 179a313..a6f69bb 100644
--- a/fxjs/xfa/cjx_object.cpp
+++ b/fxjs/xfa/cjx_object.cpp
@@ -234,8 +234,8 @@
break;
case XFA_AttributeType::Integer:
SetInteger(eAttr,
- FXSYS_roundf(FXSYS_wcstof(wsValue.c_str(), wsValue.GetLength(),
- nullptr)),
+ FXSYS_roundf(UNSAFE_TODO(FXSYS_wcstof(
+ wsValue.c_str(), wsValue.GetLength(), nullptr))),
bNotify);
break;
case XFA_AttributeType::Measure:
diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp
index 47fdec9..ae8efa5 100644
--- a/xfa/fgas/font/cfgas_fontmgr.cpp
+++ b/xfa/fgas/font/cfgas_fontmgr.cpp
@@ -187,8 +187,8 @@
static_assert(std::is_aggregate_v<decltype(font)>);
font.uCharSet = FX_GetCharsetFromInt(lf.lfCharSet);
font.dwFontStyles = GetGdiFontStyles(lf);
- FXSYS_wcsncpy(font.wsFontFace, (const wchar_t*)lf.lfFaceName, 31);
UNSAFE_TODO({
+ FXSYS_wcsncpy(font.wsFontFace, (const wchar_t*)lf.lfFaceName, 31);
font.wsFontFace[31] = 0;
FXSYS_memcpy(&font.FontSignature, &lpntme->ntmFontSig,
sizeof(lpntme->ntmFontSig));
diff --git a/xfa/fxfa/formcalc/cxfa_fmlexer.cpp b/xfa/fxfa/formcalc/cxfa_fmlexer.cpp
index 8e0b95c..611e51b 100644
--- a/xfa/fxfa/formcalc/cxfa_fmlexer.cpp
+++ b/xfa/fxfa/formcalc/cxfa_fmlexer.cpp
@@ -8,6 +8,7 @@
#include <algorithm>
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_extension.h"
#include "core/fxcrt/stl_util.h"
@@ -313,8 +314,8 @@
// This will set end to the character after the end of the number.
size_t used_length = 0;
if (m_nCursor < m_spInput.size()) {
- FXSYS_wcstof(&m_spInput[m_nCursor], m_spInput.size() - m_nCursor,
- &used_length);
+ UNSAFE_TODO(FXSYS_wcstof(&m_spInput[m_nCursor],
+ m_spInput.size() - m_nCursor, &used_length));
}
size_t end = m_nCursor + used_length;
if (used_length == 0 ||
diff --git a/xfa/fxfa/parser/cxfa_measurement.cpp b/xfa/fxfa/parser/cxfa_measurement.cpp
index f47be57..dfa9cc0 100644
--- a/xfa/fxfa/parser/cxfa_measurement.cpp
+++ b/xfa/fxfa/parser/cxfa_measurement.cpp
@@ -8,6 +8,7 @@
#include <math.h>
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_extension.h"
#include "core/fxcrt/notreached.h"
@@ -43,8 +44,8 @@
}
size_t nUsedLen = 0;
- float fValue = FXSYS_wcstof(wsMeasure.unterminated_c_str(),
- wsMeasure.GetLength(), &nUsedLen);
+ float fValue = UNSAFE_TODO(FXSYS_wcstof(wsMeasure.unterminated_c_str(),
+ wsMeasure.GetLength(), &nUsedLen));
if (!isfinite(fValue))
fValue = 0.0f;
