Fix integer overflow in Buffer_itoa when passing INT_MIN.
Bug: chromium:760034
Change-Id: Id0862749b1454e065de4de7d746a27e78ac58e30
Reviewed-on: https://pdfium-review.googlesource.com/12730
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_number.cpp b/core/fpdfapi/parser/cpdf_number.cpp
index 50c48d6..9afe30a 100644
--- a/core/fpdfapi/parser/cpdf_number.cpp
+++ b/core/fpdfapi/parser/cpdf_number.cpp
@@ -53,7 +53,7 @@
}
CFX_ByteString CPDF_Number::GetString() const {
- return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer, FXFORMAT_SIGNED)
+ return m_bInteger ? CFX_ByteString::FormatInteger(m_Integer)
: CFX_ByteString::FormatFloat(m_Float);
}
diff --git a/core/fxcrt/cfx_bytestring.cpp b/core/fxcrt/cfx_bytestring.cpp
index a8b65b5..ab7c9ae 100644
--- a/core/fxcrt/cfx_bytestring.cpp
+++ b/core/fxcrt/cfx_bytestring.cpp
@@ -27,33 +27,6 @@
namespace {
-int Buffer_itoa(char* buf, int i, uint32_t flags) {
- if (i == 0) {
- buf[0] = '0';
- return 1;
- }
- char buf1[32];
- int buf_pos = 31;
- uint32_t u = i;
- if ((flags & FXFORMAT_SIGNED) && i < 0) {
- u = -i;
- }
- int base = 10;
- const char* str = "0123456789abcdef";
- while (u != 0) {
- buf1[buf_pos--] = str[u % base];
- u = u / base;
- }
- if ((flags & FXFORMAT_SIGNED) && i < 0) {
- buf1[buf_pos--] = '-';
- }
- int len = 31 - buf_pos;
- for (int ii = 0; ii < len; ii++) {
- buf[ii] = buf1[ii + buf_pos + 1];
- }
- return len;
-}
-
const char* FX_strstr(const char* haystack,
int haystack_len,
const char* needle,
@@ -499,9 +472,10 @@
#define FORCE_UNICODE 0x20000
#define FORCE_INT64 0x40000
-CFX_ByteString CFX_ByteString::FormatInteger(int i, uint32_t flags) {
+CFX_ByteString CFX_ByteString::FormatInteger(int i) {
char buf[32];
- return CFX_ByteString(buf, Buffer_itoa(buf, i, flags));
+ FXSYS_snprintf(buf, 32, "%d", i);
+ return CFX_ByteString(buf);
}
void CFX_ByteString::FormatV(const char* pFormat, va_list argList) {
diff --git a/core/fxcrt/cfx_bytestring.h b/core/fxcrt/cfx_bytestring.h
index ff43dab..a47b5f8 100644
--- a/core/fxcrt/cfx_bytestring.h
+++ b/core/fxcrt/cfx_bytestring.h
@@ -171,9 +171,7 @@
uint32_t GetID() const { return AsStringC().GetID(); }
-#define FXFORMAT_SIGNED 1
-
- static CFX_ByteString FormatInteger(int i, uint32_t flags = 0);
+ static CFX_ByteString FormatInteger(int i);
static CFX_ByteString FormatFloat(float f, int precision = 0);
protected:
diff --git a/core/fxcrt/cfx_bytestring_unittest.cpp b/core/fxcrt/cfx_bytestring_unittest.cpp
index 497e0b6..a590af3 100644
--- a/core/fxcrt/cfx_bytestring_unittest.cpp
+++ b/core/fxcrt/cfx_bytestring_unittest.cpp
@@ -1511,3 +1511,18 @@
EXPECT_EQ("abcdef", stream.str());
}
}
+
+TEST(fxcrt, ByteStringFormatInteger) {
+ // Base case of 0.
+ EXPECT_EQ("0", CFX_ByteString::FormatInteger(0));
+
+ // Positive ordinary number.
+ EXPECT_EQ("123456", CFX_ByteString::FormatInteger(123456));
+
+ // Negative ordinary number.
+ EXPECT_EQ("-123456", CFX_ByteString::FormatInteger(-123456));
+
+ // int limits.
+ EXPECT_EQ("2147483647", CFX_ByteString::FormatInteger(INT_MAX));
+ EXPECT_EQ("-2147483648", CFX_ByteString::FormatInteger(INT_MIN));
+}
diff --git a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
index 73e6c22..b68be12 100644
--- a/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
+++ b/xfa/fxfa/fm2js/cxfa_fm2jscontext.cpp
@@ -5790,7 +5790,7 @@
if (iIndexFlags == 1 || iIndexValue == 0) {
return CFX_ByteString(szName, "[") +
- CFX_ByteString::FormatInteger(iIndexValue, FXFORMAT_SIGNED) + "]";
+ CFX_ByteString::FormatInteger(iIndexValue) + "]";
}
CFX_ByteString szSomExp;
if (iIndexFlags == 2) {