Fix buffer size boundary check offset by 1
When newPos == file size, the current block is not read (neither by ReadBlock nor by GetBlock). If this block is a crucial part of the document (like m_pTrailer), the program will exit with a parse error and
the document will not be rendered.
BUG=None
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/440563003
diff --git a/fpdfsdk/src/fpdfview.cpp b/fpdfsdk/src/fpdfview.cpp
index 63d4fbd..af24e71 100644
--- a/fpdfsdk/src/fpdfview.cpp
+++ b/fpdfsdk/src/fpdfview.cpp
@@ -35,27 +35,25 @@
FX_BOOL CPDF_CustomAccess::GetBlock(FX_DWORD pos, FX_LPBYTE pBuf, FX_DWORD size)
{
- FX_SAFE_DWORD newPos = size;
- newPos += pos;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
- return FALSE;
- }
-
- return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
+ FX_SAFE_DWORD newPos = size;
+ newPos += pos;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+ return FALSE;
+ }
+ return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, pos, pBuf, size);
}
FX_BOOL CPDF_CustomAccess::ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)
{
- if (offset < 0) {
- return FALSE;
- }
- FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
- newPos += offset;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= m_FileAccess.m_FileLen) {
- return FALSE;
- }
-
- return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
+ if (offset < 0) {
+ return FALSE;
+ }
+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+ newPos += offset;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > m_FileAccess.m_FileLen) {
+ return FALSE;
+ }
+ return m_FileAccess.m_GetBlock(m_FileAccess.m_Param, offset,(FX_LPBYTE) buffer, size);
}
//0 bit: FPDF_POLICY_MACHINETIME_ACCESS
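Review bot: The bound `newPos.ValueOrDie() > m_FileAccess.m_FileLen` is written out twice in this hunk (GetBlock and ReadBlock) and a third time in the memory-backed ReadBlock in the next hunk, with nothing stating the invariant, which is presumably how the same `>=` slip ended up in all three copies. A one-line comment above each check would pin it down, e.g. `// Valid iff offset + size <= file length; a read ending exactly at EOF is the last block.` A single helper taking offset, size and length would keep the copies from drifting apart again. In ReadBlock, `base::checked_cast` is, as far as I know, a cast that aborts on an out-of-range `size` instead of letting the function return FALSE; worth confirming that is the intended behaviour for a size that originates in the parser.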
@@ -301,15 +299,13 @@
virtual FX_FILESIZE GetSize() {return m_size;}
virtual FX_BOOL ReadBlock(void* buffer, FX_FILESIZE offset, size_t size)
{
- if (offset < 0) {
- return FALSE;
- }
-
- FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
- newPos += offset;
- if (!newPos.IsValid() || newPos.ValueOrDie() >= (FX_DWORD)m_size) return FALSE;
+ if (offset < 0) {
+ return FALSE;
+ }
+ FX_SAFE_FILESIZE newPos = base::checked_cast<FX_FILESIZE, size_t>(size);
+ newPos += offset;
+ if (!newPos.IsValid() || newPos.ValueOrDie() > (FX_DWORD)m_size) return FALSE;
FXSYS_memcpy(buffer, m_pBuf+offset, size);
-
return TRUE;
}
private:
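Review bot: The `+` line `newPos.ValueOrDie() > (FX_DWORD)m_size` is the only thing guarding the `FXSYS_memcpy(buffer, m_pBuf+offset, size)` that follows, and the `(FX_DWORD)` cast compares a signed FX_FILESIZE against an unsigned 32-bit value. m_size's declaration is outside the hunk, but GetSize() returns it as FX_FILESIZE; if it can ever be negative or wider than 32 bits, the cast changes the bound (a negative size becomes a very large limit and the copy is no longer constrained by the buffer). If m_size is an FX_FILESIZE as GetSize() suggests, comparing in the signed domain avoids that: `if (!newPos.IsValid() || newPos.ValueOrDie() > m_size) return FALSE;`, ideally with a check that m_size is non-negative where it is set. The single-line `if` also differs from the braced form used for the `offset < 0` check just above it.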