commit c0f60dc29db66262bbc0082fcd51170a570b0d1f
author dsinclair <dsinclair@chromium.org> Wed Sep 21 12:49:36 2016 -0700
committer Commit bot <commit-bot@chromium.org> Wed Sep 21 12:49:36 2016 -0700
tree 48b53ab54770ab7dc1766d1f94e2b1cfdc386d43
parent 81d92f8ffc5e632ade8c507b8f2e34c5fe3ca902

Check for overflow in CMap_GetCode.

Given a large enough value for the character code it's possible to overflow
the conversion to an int. This Cl updates the code to guard against overflow.

BUG=chromium:648739

Review-Url: https://codereview.chromium.org/2358023002

core/fpdfapi/fpdf_font/fpdf_font_cid.cpp

diff --git a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
index 3f95ec4..96c1ef5 100644
--- a/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
+++ b/core/fpdfapi/fpdf_font/fpdf_font_cid.cpp
@@ -441,16 +441,22 @@
 
 // Static.
 uint32_t CPDF_CMapParser::CMap_GetCode(const CFX_ByteStringC& word) {
-  int num = 0;
+  pdfium::base::CheckedNumeric<uint32_t> num = 0;
   if (word.GetAt(0) == '<') {
-    for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i)
+    for (int i = 1; i < word.GetLength() && std::isxdigit(word.GetAt(i)); ++i) {
       num = num * 16 + FXSYS_toHexDigit(word.GetAt(i));
-    return num;
+      if (!num.IsValid())
+        return 0;
+    }
+    return num.ValueOrDie();
   }
 
-  for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i)
+  for (int i = 0; i < word.GetLength() && std::isdigit(word.GetAt(i)); ++i) {
     num = num * 10 + FXSYS_toDecimalDigit(static_cast<FX_WCHAR>(word.GetAt(i)));
-  return num;
+    if (!num.IsValid())
+      return 0;
+  }
+  return num.ValueOrDie();
 }
 
 // Static.

core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp

diff --git a/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp b/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
index ccf49ee..ec05df5 100644
--- a/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
+++ b/core/fpdfapi/fpdf_font/fpdf_font_cid_unittest.cpp
@@ -28,6 +28,11 @@
   EXPECT_EQ(12u, CPDF_CMapParser::CMap_GetCode("12"));
   EXPECT_EQ(12u, CPDF_CMapParser::CMap_GetCode("12d"));
   EXPECT_EQ(128u, CPDF_CMapParser::CMap_GetCode("128"));
+
+  EXPECT_EQ(4294967295u, CPDF_CMapParser::CMap_GetCode("<FFFFFFFF"));
+
+  // Overflow a uint32_t.
+  EXPECT_EQ(0u, CPDF_CMapParser::CMap_GetCode("<100000000"));
 }
 
 TEST(fpdf_font_cid, CMap_GetCodeRange) {