Check for overflow in CMap_GetCode.
Given a large enough value for the character code it's possible to overflow
the conversion to an int. This Cl updates the code to guard against overflow.
BUG=chromium:648739
Review-Url: https://codereview.chromium.org/2358023002
diff --git a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 3f95ec4..96c1ef5 100644
--- a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -441,16 +441,22 @@
// Static.
uint32_t CPDF_CMapParser::CMap_GetCode(const CFX_ByteStringC& word) {
- int num = 0;
+ pdfium::base::CheckedNumeric<uint32_t> num = 0;
if (word.GetAt(0) == '<') {
- for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i)
+ for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i) {
num = num * 16 + FXSYS_toHexDigit(word.GetAt(i));
- return num;
+ if (!num.IsValid())
+ return 0;
+ }
+ return num.ValueOrDie();
}
- for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i)
+ for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i) {
num = num * 10 + FXSYS_toDecimalDigit(static_cast<FX_WCHAR>(word.GetAt(i)));
- return num;
+ if (!num.IsValid())
+ return 0;
+ }
+ return num.ValueOrDie();
}
// Static.
diff --git a/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp b/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
index ccf49ee..ec05df5 100644
--- a/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
+++ b/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
@@ -28,6 +28,11 @@
EXPECT_EQ(12u, CPDF_CMapParser::CMap_GetCode("12"));
EXPECT_EQ(12u, CPDF_CMapParser::CMap_GetCode("12d"));
EXPECT_EQ(128u, CPDF_CMapParser::CMap_GetCode("128"));
+
+ EXPECT_EQ(4294967295u, CPDF_CMapParser::CMap_GetCode("<FFFFFFFF"));
+
+ // Overflow a uint32_t.
+ EXPECT_EQ(0u, CPDF_CMapParser::CMap_GetCode("<100000000"));
}
TEST(fpdf_font_cid, CMap_GetCodeRange) {