Introduce UNSAFE_TODO() macro.
Improve readability by avoiding distracting boilerplate comments.
-- tidy some other comments while at it.
Bug: pdfium:2154
Change-Id: Idaf43bc85bc17cb2738faa7b3deda1fd66ac67e7
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/119211
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fdrm/fx_crypt_aes.cpp b/core/fdrm/fx_crypt_aes.cpp
index 6a15197..3c22170 100644
--- a/core/fdrm/fx_crypt_aes.cpp
+++ b/core/fdrm/fx_crypt_aes.cpp
@@ -597,15 +597,13 @@
FXSYS_memcpy(iv, ctx->iv, sizeof(iv));
while (size != 0) {
for (i = 0; i < 4; i++) {
- // TODO(tsepez): Create actual span.
x[i] = ct[i] = fxcrt::GetUInt32MSBFirst(
- UNSAFE_BUFFERS(pdfium::make_span(src + 4 * i, 4u)));
+ UNSAFE_TODO(pdfium::make_span(src + 4 * i, 4u)));
}
aes_decrypt_nb_4(ctx, x);
for (i = 0; i < 4; i++) {
- // TODO(tsepez): Create actual span.
fxcrt::PutUInt32MSBFirst(
- iv[i] ^ x[i], UNSAFE_BUFFERS(pdfium::make_span(dest + 4 * i, 4u)));
+ iv[i] ^ x[i], UNSAFE_TODO(pdfium::make_span(dest + 4 * i, 4u)));
iv[i] = ct[i];
}
dest += 16;
@@ -625,15 +623,13 @@
FXSYS_memcpy(iv, ctx->iv, sizeof(iv));
while (size != 0) {
for (i = 0; i < 4; i++) {
- // TODO(tsepez): use an actual span.
iv[i] ^= fxcrt::GetUInt32MSBFirst(
- UNSAFE_BUFFERS(pdfium::make_span(src + 4 * i, 4u)));
+ UNSAFE_TODO(pdfium::make_span(src + 4 * i, 4u)));
}
aes_encrypt_nb_4(ctx, iv);
for (i = 0; i < 4; i++) {
- // TODO(tsepez): use an actual span.
fxcrt::PutUInt32MSBFirst(
- iv[i], UNSAFE_BUFFERS(pdfium::make_span(dest + 4 * i, 4u)));
+ iv[i], UNSAFE_TODO(pdfium::make_span(dest + 4 * i, 4u)));
}
dest += 16;
src += 16;
diff --git a/core/fpdfapi/edit/cpdf_contentstream_write_utils.cpp b/core/fpdfapi/edit/cpdf_contentstream_write_utils.cpp
index 4c55b55..805d5bc 100644
--- a/core/fpdfapi/edit/cpdf_contentstream_write_utils.cpp
+++ b/core/fpdfapi/edit/cpdf_contentstream_write_utils.cpp
@@ -111,8 +111,7 @@
// abs(FLT_MIN_10_EXP) = number of zeros in FLT_MIN
static_assert(kMaximumSkFloatToDecimalLength == 3 + 9 - FLT_MIN_10_EXP, "");
- // TODO(tsepez): this whole section is unsafe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
// section C.1 of the PDF 1.4 spec (http://goo.gl/0SCswJ) says that
// most PDF rasterizers will use fixed-point scalars that lack the
// dynamic range of floats. Even if this is the case, I want to
diff --git a/core/fpdfapi/parser/cpdf_crypto_handler.cpp b/core/fpdfapi/parser/cpdf_crypto_handler.cpp
index 7ce9efa..5ad0bc1 100644
--- a/core/fpdfapi/parser/cpdf_crypto_handler.cpp
+++ b/core/fpdfapi/parser/cpdf_crypto_handler.cpp
@@ -52,8 +52,7 @@
pdfium::span<const uint8_t> source,
uint8_t* dest_buf,
size_t& dest_size) const {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
if (m_Cipher == Cipher::kNone) {
FXSYS_memcpy(dest_buf, source.data(), source.size());
return;
@@ -124,8 +123,7 @@
PopulateKey(objnum, gennum, key1);
if (m_Cipher == Cipher::kAES) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(key1 + m_KeyLen + 5, "sAlT", 4));
+ UNSAFE_TODO(FXSYS_memcpy(key1 + m_KeyLen + 5, "sAlT", 4));
}
uint8_t realkey[16];
@@ -171,9 +169,8 @@
if (copy_size > src_left) {
copy_size = src_left;
}
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(pContext->m_Block + pContext->m_BlockOffset,
- source.data() + src_off, copy_size));
+ UNSAFE_TODO(FXSYS_memcpy(pContext->m_Block + pContext->m_BlockOffset,
+ source.data() + src_off, copy_size));
src_off += copy_size;
src_left -= copy_size;
pContext->m_BlockOffset += copy_size;
@@ -335,8 +332,7 @@
DCHECK(cipher != Cipher::kRC4 || (keylen >= 5 && keylen <= 16));
if (m_Cipher != Cipher::kNone) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(m_EncryptKey.data(), key, m_KeyLen));
+ UNSAFE_TODO(FXSYS_memcpy(m_EncryptKey.data(), key, m_KeyLen));
}
if (m_Cipher == Cipher::kAES) {
m_pAESContext.reset(FX_Alloc(CRYPT_aes_context, 1));
@@ -348,8 +344,7 @@
void CPDF_CryptoHandler::PopulateKey(uint32_t objnum,
uint32_t gennum,
uint8_t* key) const {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
FXSYS_memcpy(key, m_EncryptKey.data(), m_KeyLen);
key[m_KeyLen + 0] = (uint8_t)objnum;
key[m_KeyLen + 1] = (uint8_t)(objnum >> 8);
diff --git a/core/fpdfapi/parser/cpdf_security_handler.cpp b/core/fpdfapi/parser/cpdf_security_handler.cpp
index 9145b00..3571c6e 100644
--- a/core/fpdfapi/parser/cpdf_security_handler.cpp
+++ b/core/fpdfapi/parser/cpdf_security_handler.cpp
@@ -39,8 +39,7 @@
DCHECK_EQ(sizeof(kDefaultPasscode), output.size());
size_t len = std::min(password.GetLength(), output.size());
size_t remaining = output.size() - len;
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
FXSYS_memcpy(output.data(), password.unsigned_str(), len);
if (remaining) {
FXSYS_memcpy(&output[len], kDefaultPasscode, remaining);
@@ -78,8 +77,7 @@
CRYPT_MD5Generate(pdfium::make_span(digest).first(copy_len), digest);
}
}
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
FXSYS_memset(key, 0, keylen);
FXSYS_memcpy(key, digest, copy_len);
});
@@ -128,8 +126,7 @@
DataVector<uint8_t> inter_digest;
uint8_t* input = digest;
uint8_t* key = input;
- // TODO(crbug.com/pdfium/2155): investigate safety.
- uint8_t* iv = UNSAFE_BUFFERS(input + 16);
+ uint8_t* iv = UNSAFE_TODO(input + 16);
int i = 0;
size_t block_size = 32;
CRYPT_aes_context aes = {};
@@ -142,8 +139,7 @@
auto encrypted_output_span = pdfium::make_span(encrypted_output);
DataVector<uint8_t> content;
for (int j = 0; j < 64; ++j) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
content.insert(std::end(content), password.unsigned_str(),
password.unsigned_str() + password.GetLength());
content.insert(std::end(content), input, input + block_size);
@@ -184,13 +180,11 @@
encrypted_output_span.size(), input);
}
key = input;
- // TODO(crbug.com/pdfium/2155): investigate safety.
- iv = UNSAFE_BUFFERS(input + 16);
+ iv = UNSAFE_TODO(input + 16);
++i;
} while (i < 64 || i - 32 < encrypted_output.back());
if (hash) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(hash, input, 32));
+ UNSAFE_TODO(FXSYS_memcpy(hash, input, 32));
}
}
@@ -350,14 +344,12 @@
CRYPT_sha2_context sha;
uint8_t digest[32];
if (m_Revision >= 6) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- Revision6_Hash(password, UNSAFE_BUFFERS((const uint8_t*)pkey + 32),
+ Revision6_Hash(password, UNSAFE_TODO((const uint8_t*)pkey + 32),
bOwner ? ukey.unsigned_str() : nullptr, digest);
} else {
CRYPT_SHA256Start(&sha);
CRYPT_SHA256Update(&sha, password.unsigned_str(), password.GetLength());
- // TODO(crbug.com/pdfium/2155): investigate safety.
- CRYPT_SHA256Update(&sha, UNSAFE_BUFFERS(pkey + 32), 8);
+ CRYPT_SHA256Update(&sha, UNSAFE_TODO(pkey + 32), 8);
if (bOwner)
CRYPT_SHA256Update(&sha, ukey.unsigned_str(), 48);
CRYPT_SHA256Finish(&sha, digest);
@@ -366,14 +358,12 @@
return false;
if (m_Revision >= 6) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- Revision6_Hash(password, UNSAFE_BUFFERS((const uint8_t*)pkey + 40),
+ Revision6_Hash(password, UNSAFE_TODO((const uint8_t*)pkey + 40),
bOwner ? ukey.unsigned_str() : nullptr, digest);
} else {
CRYPT_SHA256Start(&sha);
CRYPT_SHA256Update(&sha, password.unsigned_str(), password.GetLength());
- // TODO(crbug.com/pdfium/2155): investigate safety.
- CRYPT_SHA256Update(&sha, UNSAFE_BUFFERS(pkey + 40), 8);
+ CRYPT_SHA256Update(&sha, UNSAFE_TODO(pkey + 40), 8);
if (bOwner)
CRYPT_SHA256Update(&sha, ukey.unsigned_str(), 48);
CRYPT_SHA256Finish(&sha, digest);
@@ -396,8 +386,7 @@
uint8_t perms_buf[16] = {};
size_t copy_len =
std::min(sizeof(perms_buf), static_cast<size_t>(perms.GetLength()));
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(perms_buf, perms.unsigned_str(), copy_len));
+ UNSAFE_TODO(FXSYS_memcpy(perms_buf, perms.unsigned_str(), copy_len));
uint8_t buf[16];
CRYPT_AESDecrypt(&aes, buf, perms_buf, 16);
if (buf[9] != 'a' || buf[10] != 'd' || buf[11] != 'b')
@@ -467,8 +456,7 @@
uint8_t ukeybuf[32];
if (m_Revision == 2) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(
+ UNSAFE_TODO(
FXSYS_memcpy(ukeybuf, kDefaultPasscode, sizeof(kDefaultPasscode)));
CRYPT_ArcFourCryptBlock(ukeybuf,
pdfium::make_span(m_EncryptKey).first(m_KeyLen));
@@ -478,13 +466,10 @@
uint8_t test[32] = {};
uint8_t tmpkey[32] = {};
uint32_t copy_len = std::min(sizeof(test), ukey.GetLength());
-
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(test, ukey.c_str(), copy_len));
+ UNSAFE_TODO(FXSYS_memcpy(test, ukey.c_str(), copy_len));
for (int32_t i = 19; i >= 0; i--) {
for (size_t j = 0; j < m_KeyLen; j++) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i));
+ UNSAFE_TODO(tmpkey[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i));
}
CRYPT_ArcFourCryptBlock(test, pdfium::make_span(tmpkey).first(m_KeyLen));
}
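Review bot: The loop writes `tmpkey[j]` for every `j < m_KeyLen` into a 32-byte stack array before the only visible bound, `pdfium::make_span(tmpkey).first(m_KeyLen)`, is evaluated on the following statement, so an oversized `m_KeyLen` would be caught (if at all) only after the writes. Building the span first and indexing through it would put the check ahead of the writes and remove the need for the unsafe marker: `auto tmpkey_span = pdfium::make_span(tmpkey).first(m_KeyLen);` then `tmpkey_span[j] = m_EncryptKey[j] ^ static_cast<uint8_t>(i);`. The same pattern appears in the `tempkey` loops of the hunks at -529 and -623. Where `m_KeyLen` is validated is outside these hunks, so this may already be guaranteed upstream.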
@@ -516,8 +501,7 @@
uint8_t enckey[32] = {};
uint8_t okeybuf[32] = {};
size_t copy_len = std::min(m_KeyLen, sizeof(digest));
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
FXSYS_memcpy(enckey, digest, copy_len);
FXSYS_memcpy(okeybuf, okey.c_str(), okeylen);
});
@@ -529,16 +513,14 @@
for (int32_t i = 19; i >= 0; i--) {
uint8_t tempkey[32] = {};
for (size_t j = 0; j < m_KeyLen; j++) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i));
+ UNSAFE_TODO(tempkey[j] = enckey[j] ^ static_cast<uint8_t>(i));
}
CRYPT_ArcFourCryptBlock(okey_span,
pdfium::make_span(tempkey).first(m_KeyLen));
}
}
size_t len = kRequiredOkeyLength;
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
while (len && kDefaultPasscode[len - 1] == okey_span[len - 1]) {
len--;
}
@@ -603,8 +585,7 @@
false, file_id);
if (m_Revision < 3) {
uint8_t tempbuf[32];
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(
+ UNSAFE_TODO(
FXSYS_memcpy(tempbuf, kDefaultPasscode, sizeof(kDefaultPasscode)));
CRYPT_ArcFourCryptBlock(tempbuf,
pdfium::make_span(m_EncryptKey).first(key_len));
@@ -623,8 +604,7 @@
uint8_t tempkey[32];
for (uint8_t i = 1; i <= 19; i++) {
for (size_t j = 0; j < key_len; j++) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(tempkey[j] = m_EncryptKey[j] ^ i);
+ UNSAFE_TODO(tempkey[j] = m_EncryptKey[j] ^ i);
}
CRYPT_ArcFourCryptBlock(partial_digest_span,
pdfium::make_span(tempkey).first(key_len));
@@ -657,17 +637,14 @@
CRYPT_SHA256Update(&sha2, digest, 8);
CRYPT_SHA256Finish(&sha2, digest1);
}
- // TODO(crbug.com/pdfium/2155): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(digest1 + 32, digest, 16));
+ UNSAFE_TODO(FXSYS_memcpy(digest1 + 32, digest, 16));
pEncryptDict->SetNewFor<CPDF_String>("U", ByteString(digest1, 48), false);
if (m_Revision >= 6) {
- // TODO(crbug.com/pdfium/2155): investigate safety.
- Revision6_Hash(password, UNSAFE_BUFFERS(digest + 8), nullptr, digest1);
+ Revision6_Hash(password, UNSAFE_TODO(digest + 8), nullptr, digest1);
} else {
CRYPT_SHA256Start(&sha2);
CRYPT_SHA256Update(&sha2, password.unsigned_str(), password.GetLength());
- // TODO(crbug.com/pdfium/2155): investigate safety.
- CRYPT_SHA256Update(&sha2, UNSAFE_BUFFERS(digest + 8), 8);
+ CRYPT_SHA256Update(&sha2, UNSAFE_TODO(digest + 8), 8);
CRYPT_SHA256Finish(&sha2, digest1);
}
CRYPT_aes_context aes = {};
diff --git a/core/fpdfapi/parser/cpdf_stream_acc.cpp b/core/fpdfapi/parser/cpdf_stream_acc.cpp
index 8b5073b..137ff50 100644
--- a/core/fpdfapi/parser/cpdf_stream_acc.cpp
+++ b/core/fpdfapi/parser/cpdf_stream_acc.cpp
@@ -152,9 +152,8 @@
if (pDecodedData) {
DCHECK_NE(pDecodedData.get(), src_span.data());
// TODO(crbug.com/pdfium/1872): Avoid copying.
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
m_Data = DataVector<uint8_t>(
- pDecodedData.get(), UNSAFE_BUFFERS(pDecodedData.get() + dwDecodedSize));
+ pDecodedData.get(), UNSAFE_TODO(pDecodedData.get() + dwDecodedSize));
} else {
m_Data = std::move(src_data);
}
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 3f04681..2980ecd 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -750,8 +750,7 @@
if (len >= 0) {
CPDF_ReadValidator::ScopedSession read_session(GetValidator());
m_Pos += ReadEOLMarkers(GetPos());
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(
+ UNSAFE_TODO(
FXSYS_memset(m_WordBuffer.data(), 0, kEndStreamStr.GetLength() + 1));
GetNextWordInternal();
if (GetValidator()->has_read_problems())
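Review bot: The memset length `kEndStreamStr.GetLength() + 1` is not tied to the size of `m_WordBuffer` anywhere in this hunk, so the write stays in bounds only through an implicit relation between a string constant and a buffer declared elsewhere. Assuming `m_WordBuffer` is a fixed-size array, a bounded form would make the relation explicit and drop the unsafe marker: `fxcrt::spanset(pdfium::make_span(m_WordBuffer).first(kEndStreamStr.GetLength() + 1), 0);` (`fxcrt::spanset` is already used in cpdfsdk_helpers_unittest.cpp in this change). The same applies to the `kEndObjStr` memset in the next hunk. The enclosing function starts and ends outside the hunk.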
@@ -811,9 +810,7 @@
stream = pdfium::MakeRetain<CPDF_Stream>(std::move(pDict));
}
const FX_FILESIZE end_stream_offset = GetPos();
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(
- FXSYS_memset(m_WordBuffer.data(), 0, kEndObjStr.GetLength() + 1));
+ UNSAFE_TODO(FXSYS_memset(m_WordBuffer.data(), 0, kEndObjStr.GetLength() + 1));
GetNextWordInternal();
// Allow whitespace after endstream and before a newline.
diff --git a/core/fpdfapi/parser/fpdf_parser_decode.cpp b/core/fpdfapi/parser/fpdf_parser_decode.cpp
index 70d2a8d..caeb684 100644
--- a/core/fpdfapi/parser/fpdf_parser_decode.cpp
+++ b/core/fpdfapi/parser/fpdf_parser_decode.cpp
@@ -158,8 +158,7 @@
continue;
if (ch == 'z') {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(FXSYS_memset(dest_buf_ptr + *dest_size, 0, 4));
+ UNSAFE_TODO(FXSYS_memset(dest_buf_ptr + *dest_size, 0, 4));
state = 0;
res = 0;
*dest_size += 4;
@@ -177,8 +176,7 @@
}
for (size_t i = 0; i < 4; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(dest_buf_ptr[(*dest_size)++] = GetA85Result(res, i));
+ UNSAFE_TODO(dest_buf_ptr[(*dest_size)++] = GetA85Result(res, i));
}
state = 0;
res = 0;
@@ -188,8 +186,7 @@
for (size_t i = state; i < 5; ++i)
res = res * 85 + 84;
for (size_t i = 0; i < state - 1; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(dest_buf_ptr[(*dest_size)++] = GetA85Result(res, i));
+ UNSAFE_TODO(dest_buf_ptr[(*dest_size)++] = GetA85Result(res, i));
}
}
if (pos < src_span.size() && src_span[pos] == '>')
@@ -228,11 +225,9 @@
int digit = FXSYS_HexCharToInt(ch);
if (bFirst) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(dest_buf_ptr[*dest_size] = digit * 16);
+ UNSAFE_TODO(dest_buf_ptr[*dest_size] = digit * 16);
} else {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(dest_buf_ptr[(*dest_size)++] += digit);
+ UNSAFE_TODO(dest_buf_ptr[(*dest_size)++] += digit);
}
bFirst = !bFirst;
}
diff --git a/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp b/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
index cb9f672..8629a54 100644
--- a/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
+++ b/core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp
@@ -290,8 +290,8 @@
std::unique_ptr<uint8_t, FxFreeDeleter> result;
uint32_t result_size = 0;
EXPECT_EQ(test_case.processed_size,
- A85Decode(UNSAFE_BUFFERS(pdfium::make_span(test_case.input,
- test_case.input_size)),
+ A85Decode(UNSAFE_TODO(pdfium::make_span(test_case.input,
+ test_case.input_size)),
&result, &result_size))
<< "for case " << test_case.input;
ASSERT_EQ(test_case.expected_size, result_size);
@@ -326,8 +326,8 @@
std::unique_ptr<uint8_t, FxFreeDeleter> result;
uint32_t result_size = 0;
EXPECT_EQ(test_case.processed_size,
- HexDecode(UNSAFE_BUFFERS(pdfium::make_span(test_case.input,
- test_case.input_size)),
+ HexDecode(UNSAFE_TODO(pdfium::make_span(test_case.input,
+ test_case.input_size)),
&result, &result_size))
<< "for case " << test_case.input;
ASSERT_EQ(test_case.expected_size, result_size);
diff --git a/core/fpdfdoc/cpdf_interactiveform.cpp b/core/fpdfdoc/cpdf_interactiveform.cpp
index fdffed2..270cd5e 100644
--- a/core/fpdfdoc/cpdf_interactiveform.cpp
+++ b/core/fpdfdoc/cpdf_interactiveform.cpp
@@ -86,8 +86,7 @@
0);
::ReleaseDC(nullptr, hDC);
if (fd.bFind) {
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(&lf, &fd.lf, sizeof(LOGFONTA)));
+ UNSAFE_TODO(FXSYS_memcpy(&lf, &fd.lf, sizeof(LOGFONTA)));
}
return fd.bFind;
}
@@ -123,8 +122,7 @@
bRet = RetrieveSpecificFont(charSet, nullptr, lf);
if (bRet) {
if (pLogFont) {
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(pLogFont, &lf, sizeof(LOGFONTA)));
+ UNSAFE_TODO(FXSYS_memcpy(pLogFont, &lf, sizeof(LOGFONTA)));
}
csFontName = lf.lfFaceName;
}
diff --git a/core/fpdftext/cpdf_textpage.cpp b/core/fpdftext/cpdf_textpage.cpp
index 1e5d1c3..45584fc 100644
--- a/core/fpdftext/cpdf_textpage.cpp
+++ b/core/fpdftext/cpdf_textpage.cpp
@@ -80,8 +80,7 @@
}
DataVector<wchar_t> GetUnicodeNormalization(wchar_t wch) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
wch = wch & 0xFFFF;
wchar_t wFind = kUnicodeDataNormalization[wch];
if (!wFind) {
diff --git a/core/fpdftext/cpdf_textpagefind.cpp b/core/fpdftext/cpdf_textpagefind.cpp
index 4bf9f63..5b77686 100644
--- a/core/fpdftext/cpdf_textpagefind.cpp
+++ b/core/fpdftext/cpdf_textpagefind.cpp
@@ -94,9 +94,7 @@
std::optional<WideString> ExtractSubString(const wchar_t* lpszFullString,
int iSubString) {
DCHECK(lpszFullString);
-
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
while (iSubString--) {
lpszFullString = wcschr(lpszFullString, L' ');
if (!lpszFullString) {
diff --git a/core/fxcodec/flate/flatemodule_unittest.cpp b/core/fxcodec/flate/flatemodule_unittest.cpp
index eab66c5..c5bb058 100644
--- a/core/fxcodec/flate/flatemodule_unittest.cpp
+++ b/core/fxcodec/flate/flatemodule_unittest.cpp
@@ -44,8 +44,7 @@
EXPECT_EQ(
data.processed_size,
FlateModule::FlateOrLZWDecode(
- false,
- UNSAFE_BUFFERS(pdfium::make_span(data.input, data.input_size)),
+ false, UNSAFE_TODO(pdfium::make_span(data.input, data.input_size)),
false, 0, 0, 0, 0, 0, &buf, &buf_size))
<< " for case " << i;
ASSERT_TRUE(buf);
@@ -80,7 +79,7 @@
for (size_t i = 0; i < std::size(flate_encode_cases); ++i) {
const pdfium::StrFuncTestData& data = flate_encode_cases[i];
DataVector<uint8_t> result = FlateModule::Encode(
- UNSAFE_BUFFERS(pdfium::make_span(data.input, data.input_size)));
+ UNSAFE_TODO(pdfium::make_span(data.input, data.input_size)));
EXPECT_EQ(data.expected_size, result.size()) << " for case " << i;
if (data.expected_size != result.size()) {
continue;
diff --git a/core/fxcodec/jpx/jpx_decode_utils.cpp b/core/fxcodec/jpx/jpx_decode_utils.cpp
index 0899c84..54d65cf 100644
--- a/core/fxcodec/jpx/jpx_decode_utils.cpp
+++ b/core/fxcodec/jpx/jpx_decode_utils.cpp
@@ -26,8 +26,7 @@
if (srcData->offset >= srcData->src_size)
return static_cast<OPJ_SIZE_T>(-1);
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
OPJ_SIZE_T bufferLength = srcData->src_size - srcData->offset;
OPJ_SIZE_T readlength = nb_bytes < bufferLength ? nb_bytes : bufferLength;
FXSYS_memcpy(p_buffer, &srcData->src_data[srcData->offset], readlength);
diff --git a/core/fxcodec/jpx/jpx_unittest.cpp b/core/fxcodec/jpx/jpx_unittest.cpp
index 1432080..419f6f5 100644
--- a/core/fxcodec/jpx/jpx_unittest.cpp
+++ b/core/fxcodec/jpx/jpx_unittest.cpp
@@ -428,8 +428,7 @@
u.data = static_cast<OPJ_INT32*>(
opj_image_data_alloc(u.w * u.h * sizeof(OPJ_INT32)));
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
FXSYS_memset(y.data, 1, y.w * y.h * sizeof(OPJ_INT32));
FXSYS_memset(u.data, 0, u.w * u.h * sizeof(OPJ_INT32));
FXSYS_memset(v.data, 0, v.w * v.h * sizeof(OPJ_INT32));
diff --git a/core/fxcrt/cfx_bitstream_unittest.cpp b/core/fxcrt/cfx_bitstream_unittest.cpp
index 4522acf..64cc928 100644
--- a/core/fxcrt/cfx_bitstream_unittest.cpp
+++ b/core/fxcrt/cfx_bitstream_unittest.cpp
@@ -14,8 +14,7 @@
uint32_t ReferenceGetBits32(const uint8_t* pData, int bitpos, int nbits) {
int result = 0;
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (int i = 0; i < nbits; i++) {
if (pData[(bitpos + i) / 8] & (1 << (7 - (bitpos + i) % 8))) {
result |= 1 << (nbits - i - 1);
@@ -168,7 +167,7 @@
constexpr size_t kAllocationBytes = std::numeric_limits<size_t>::max() / 8;
constexpr size_t kAllocationBits = kAllocationBytes * 8;
- // SAFETY: not safe, see above.
+ // SAFETY: intentionally not safe, see above.
CFX_BitStream bitstream(
UNSAFE_BUFFERS(pdfium::make_span(kNotReallyBigEnough, kAllocationBytes)));
EXPECT_FALSE(bitstream.IsEOF());
diff --git a/core/fxcrt/compiler_specific.h b/core/fxcrt/compiler_specific.h
index eac87b0..eb00fc4 100644
--- a/core/fxcrt/compiler_specific.h
+++ b/core/fxcrt/compiler_specific.h
@@ -96,4 +96,9 @@
#endif
// clang-format on
+// Like UNSAFE_BUFFERS(), but indicates there is a TODO() task to
+// investigate safety,
+// TODO(crbug.com/pdfium/2155): remove all usage.
+#define UNSAFE_TODO(...) UNSAFE_BUFFERS(__VA_ARGS__)
+
#endif // CORE_FXCRT_COMPILER_SPECIFIC_H_
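Review bot: The comment on `UNSAFE_TODO` breaks off with a comma (`investigate safety,`) and does not say how the macro's meaning differs from `UNSAFE_BUFFERS`, even though the expansion is identical. Because the name is now the only thing separating a reviewed unsafe region from an unreviewed one, the comment should state that outright, for example `// Like UNSAFE_BUFFERS(), but marks code whose safety has not been reviewed yet:` followed by `// no SAFETY justification exists for it. Prefer a real fix over adding new uses.` It would also help to say that converting a site back to `UNSAFE_BUFFERS` requires writing the `// SAFETY:` comment.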
diff --git a/core/fxcrt/fx_extension.cpp b/core/fxcrt/fx_extension.cpp
index 8a12e8f..64dcc11 100644
--- a/core/fxcrt/fx_extension.cpp
+++ b/core/fxcrt/fx_extension.cpp
@@ -41,12 +41,13 @@
return result;
}
+// TODO(tsepez): should be UNSAFE_BUFFER_USAGE.
wchar_t* FXSYS_wcsncpy(wchar_t* dstStr, const wchar_t* srcStr, size_t count) {
DCHECK(dstStr);
DCHECK(srcStr);
DCHECK(count > 0);
- // SAFETY: TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
+ // SAFETY: required from caller.
UNSAFE_BUFFERS({
for (size_t i = 0; i < count; ++i) {
dstStr[i] = srcStr[i];
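Review bot: `// SAFETY: required from caller.` does not say what is required, and nothing visible here enforces it: the three DCHECKs cover null pointers and `count > 0` only, and the function is not yet marked `UNSAFE_BUFFER_USAGE`, so callers get no compiler prompt. Stating the contract on the function would make the obligation reviewable, e.g. `// Caller must ensure dstStr and srcStr each point to at least count elements.` The same unspecific wording is used for FXSYS_IntToFourHexChars and FXSYS_ToUTF16BE in the next two hunks, where the requirement is a writable `buf` of at least 4 chars and, presumably, more on the surrogate-pair path. The function body continues outside the hunk.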
@@ -58,23 +59,26 @@
return dstStr;
}
+// TODO(tsepez): should be UNSAFE_BUFFER_USAGE.
void FXSYS_IntToTwoHexChars(uint8_t n, char* buf) {
static const char kHex[] = "0123456789ABCDEF";
- // SAFETY: TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
+ // SAFETY: range of uint8_t keeps indices in bound.
UNSAFE_BUFFERS({
buf[0] = kHex[n / 16];
buf[1] = kHex[n % 16];
});
}
+// TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
void FXSYS_IntToFourHexChars(uint16_t n, char* buf) {
- // SAFETY: TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
+ // SAFETY: required from caller.
UNSAFE_BUFFERS({
FXSYS_IntToTwoHexChars(n / 256, buf);
FXSYS_IntToTwoHexChars(n % 256, buf + 2);
});
}
+// TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
size_t FXSYS_ToUTF16BE(uint32_t unicode, char* buf) {
DCHECK(unicode <= pdfium::kMaximumSupplementaryCodePoint);
DCHECK(!pdfium::IsHighSurrogate(unicode));
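Review bot: `// SAFETY: range of uint8_t keeps indices in bound.` in FXSYS_IntToTwoHexChars justifies only the reads from `kHex` (`n / 16` and `n % 16` are at most 15); the writes to `buf[0]` and `buf[1]` inside the same UNSAFE_BUFFERS block still depend on the caller passing at least two writable chars. A comment that covers both halves would be `// SAFETY: kHex indices are < 16 since n is uint8_t; buf must hold 2 chars (required from caller).` Separately, the new function-level TODOs use two wordings, `should be UNSAFE_BUFFER_USAGE.` and `This is UNSAFE_BUFFER_USAGE as well.`; the second has lost its antecedent now that it sits above the function, so the first form reads better for all four.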
@@ -84,7 +88,7 @@
FXSYS_IntToFourHexChars(unicode, buf);
return 4;
}
- // SAFETY: TODO(tsepez): This is UNSAFE_BUFFER_USAGE as well.
+ // SAFETY: required from caller.
UNSAFE_BUFFERS({
pdfium::SurrogatePair surrogate_pair(unicode);
FXSYS_IntToFourHexChars(surrogate_pair.high(), buf);
diff --git a/core/fxcrt/fx_extension_unittest.cpp b/core/fxcrt/fx_extension_unittest.cpp
index 809c77e..9cbfa75 100644
--- a/core/fxcrt/fx_extension_unittest.cpp
+++ b/core/fxcrt/fx_extension_unittest.cpp
@@ -228,8 +228,7 @@
const float fNan = std::numeric_limits<float>::quiet_NaN();
const float ascending[] = {fMin, 1.0f, 2.0f, fMax, fInf, fNan};
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(ascending); ++i) {
for (size_t j = 0; j < std::size(ascending); ++j) {
if (i == j) {
diff --git a/core/fxcrt/fx_memory_unittest.cpp b/core/fxcrt/fx_memory_unittest.cpp
index 2afd651..e9d5425 100644
--- a/core/fxcrt/fx_memory_unittest.cpp
+++ b/core/fxcrt/fx_memory_unittest.cpp
@@ -105,8 +105,7 @@
uint8_t* ptr = FX_Alloc(uint8_t, 32);
ASSERT_TRUE(ptr);
for (size_t i = 0; i < 32; ++i) {
- // TODO(tsepez): make safe.
- EXPECT_EQ(0, UNSAFE_BUFFERS(ptr[i]));
+ EXPECT_EQ(0, UNSAFE_TODO(ptr[i]));
}
FX_Free(ptr);
}
diff --git a/core/fxcrt/fx_system.cpp b/core/fxcrt/fx_system.cpp
index 7661c4d..f9b4037 100644
--- a/core/fxcrt/fx_system.cpp
+++ b/core/fxcrt/fx_system.cpp
@@ -63,20 +63,19 @@
template <typename T, typename UT, typename STR_T>
STR_T FXSYS_IntToStr(T value, STR_T str, int radix) {
- // SAFETY: TODO(tsepez): investigate safety throughout.
if (radix < 2 || radix > 16) {
str[0] = 0;
return str;
}
if (value == 0) {
str[0] = '0';
- UNSAFE_BUFFERS(str[1]) = 0;
+ UNSAFE_TODO(str[1]) = 0;
return str;
}
int i = 0;
UT uvalue;
if (value < 0) {
- UNSAFE_BUFFERS(str[i++]) = '-';
+ UNSAFE_TODO(str[i++]) = '-';
// Standard trick to avoid undefined behaviour when negating INT_MIN.
uvalue = static_cast<UT>(-(value + 1)) + 1;
} else {
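Review bot: The unsafe marker is applied in two shapes inside FXSYS_IntToStr: `UNSAFE_TODO(str[1]) = 0;` wraps only the lvalue, while `UNSAFE_TODO(str[d + i] = "0123456789abcdef"[uvalue % radix]);` in the next hunk wraps the whole assignment, and `str[0] = 0;` / `str[0] = '0';` are left bare. Using one form throughout (the whole statement) makes the remaining sites easier to grep and audit. With the `investigate safety throughout` comment removed, nothing on the function says how large `str` must be; a header comment giving the worst case would help, e.g. the unit tests in this change size the 64-bit base-2 buffer as sign + 64 digits + NUL. The function body spans this hunk and the next.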
@@ -89,10 +88,10 @@
order = order / radix;
}
for (int d = digits - 1; d > -1; d--) {
- UNSAFE_BUFFERS(str[d + i] = "0123456789abcdef"[uvalue % radix]);
+ UNSAFE_TODO(str[d + i] = "0123456789abcdef"[uvalue % radix]);
uvalue /= radix;
}
- UNSAFE_BUFFERS(str[digits + i]) = 0;
+ UNSAFE_TODO(str[digits + i]) = 0;
return str;
}
diff --git a/core/fxcrt/fx_system_unittest.cpp b/core/fxcrt/fx_system_unittest.cpp
index 681fad8..359b271 100644
--- a/core/fxcrt/fx_system_unittest.cpp
+++ b/core/fxcrt/fx_system_unittest.cpp
@@ -25,8 +25,7 @@
void Check32BitBase16Itoa(int32_t input, const char* expected_output) {
const size_t kBufLen = 11; // "-" + 8 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_itoa(input, buf, 16);
EXPECT_STREQ(expected_output, buf);
@@ -37,8 +36,7 @@
void Check32BitBase10Itoa(int32_t input, const char* expected_output) {
const size_t kBufLen = 13; // "-" + 10 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_itoa(input, buf, 10);
EXPECT_STREQ(expected_output, buf);
@@ -49,8 +47,7 @@
void Check32BitBase2Itoa(int32_t input, const char* expected_output) {
const size_t kBufLen = 35; // "-" + 32 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_itoa(input, buf, 2);
EXPECT_STREQ(expected_output, buf);
@@ -61,8 +58,7 @@
void Check64BitBase16Itoa(int64_t input, const char* expected_output) {
const size_t kBufLen = 19; // "-" + 16 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_i64toa(input, buf, 16);
EXPECT_STREQ(expected_output, buf);
@@ -73,8 +69,7 @@
void Check64BitBase10Itoa(int64_t input, const char* expected_output) {
const size_t kBufLen = 22; // "-" + 19 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_i64toa(input, buf, 10);
EXPECT_STREQ(expected_output, buf);
@@ -85,8 +80,7 @@
void Check64BitBase2Itoa(int64_t input, const char* expected_output) {
const size_t kBufLen = 67; // "-" + 64 digits + NUL + sentinel.
char buf[kBufLen];
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
buf[kBufLen - 1] = kSentinel;
FXSYS_i64toa(input, buf, 2);
EXPECT_STREQ(expected_output, buf);
diff --git a/core/fxcrt/widestring.cpp b/core/fxcrt/widestring.cpp
index 60e11f1..65bac9a 100644
--- a/core/fxcrt/widestring.cpp
+++ b/core/fxcrt/widestring.cpp
@@ -59,8 +59,7 @@
std::optional<size_t> GuessSizeForVSWPrintf(const wchar_t* pFormat,
va_list argList) {
size_t nMaxLen = 0;
- // SAFETY: TODO(tsepez): investigate lack of safety.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (const wchar_t* pStr = pFormat; *pStr != 0; pStr++) {
if (*pStr != '%' || *(pStr = pStr + 1) == '%') {
++nMaxLen;
diff --git a/core/fxcrt/widestring_unittest.cpp b/core/fxcrt/widestring_unittest.cpp
index fa7284f..7b89ca2 100644
--- a/core/fxcrt/widestring_unittest.cpp
+++ b/core/fxcrt/widestring_unittest.cpp
@@ -1021,8 +1021,7 @@
WideString str2(L"cl");
{
pdfium::span<wchar_t> buffer = str2.GetBuffer(12);
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS(wcscpy(buffer.data() + 2, L"ams"));
+ UNSAFE_TODO(wcscpy(buffer.data() + 2, L"ams"));
}
str2.ReleaseBuffer(str2.GetStringLength());
EXPECT_EQ(L"clams", str2);
@@ -1256,9 +1255,7 @@
{ByteString(" &", 2), L"…"},
{ByteString("\xD8\x3C\xDF\xA8", 4), L"🎨"},
};
-
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(utf16be_decode_cases); ++i) {
EXPECT_EQ(
WideString::FromUTF16BE(utf16be_decode_cases[i].in.unsigned_span()),
@@ -1279,9 +1276,7 @@
{ByteString("& ", 2), L"…"},
{ByteString("\x3C\xD8\xA8\xDF", 4), L"🎨"},
};
-
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(utf16le_decode_cases); ++i) {
EXPECT_EQ(
WideString::FromUTF16LE(utf16le_decode_cases[i].in.unsigned_span()),
@@ -1304,9 +1299,7 @@
{L"\x3132\x6162", ByteString("\x32\x31\x62\x61\0\0", 6)},
{L"🎨", ByteString("\x3C\xD8\xA8\xDF\0\0", 6)},
};
-
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(utf16le_encode_cases); ++i) {
EXPECT_EQ(utf16le_encode_cases[i].bs,
utf16le_encode_cases[i].ws.ToUTF16LE())
@@ -1330,9 +1323,7 @@
{L"🎨", ByteString("\0\0", 2)},
#endif
};
-
- // TODO(tsepez): make safe.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(ucs2le_encode_cases); ++i) {
EXPECT_EQ(ucs2le_encode_cases[i].bs, ucs2le_encode_cases[i].ws.ToUCS2LE())
<< " for case number " << i;
diff --git a/core/fxge/cfx_face.cpp b/core/fxge/cfx_face.cpp
index e1d30ee..737dd0f 100644
--- a/core/fxge/cfx_face.cpp
+++ b/core/fxge/cfx_face.cpp
@@ -385,6 +385,7 @@
#endif
pdfium::span<uint8_t> CFX_Face::GetData() const {
+ // TODO(tsepez): justify safety from library API.
return UNSAFE_BUFFERS(
pdfium::make_span(GetRec()->stream->base, GetRec()->stream->size));
}
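Review bot: The added `// TODO(tsepez): justify safety from library API.` sits on a plain `UNSAFE_BUFFERS(...)`, which is exactly the comment-plus-macro pattern this commit replaces with `UNSAFE_TODO(...)` elsewhere. Either switch this site to `return UNSAFE_TODO(pdfium::make_span(GetRec()->stream->base, GetRec()->stream->size));` so it is counted with the other unreviewed sites, or write the justification now as a `// SAFETY:` comment saying that `base` and `size` are taken together from the same stream record. As written, a search for `UNSAFE_TODO` will miss it.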
diff --git a/core/fxge/dib/cfx_dibitmap.cpp b/core/fxge/dib/cfx_dibitmap.cpp
index d065266..e6edbf3 100644
--- a/core/fxge/dib/cfx_dibitmap.cpp
+++ b/core/fxge/dib/cfx_dibitmap.cpp
@@ -95,8 +95,7 @@
if (!m_pBuffer)
return pdfium::span<const uint8_t>();
- // TODO(tsepez): investigate safety.
- return UNSAFE_BUFFERS(pdfium::make_span(m_pBuffer.Get(), m_Height * m_Pitch));
+ return UNSAFE_TODO(pdfium::make_span(m_pBuffer.Get(), m_Height * m_Pitch));
}
pdfium::span<const uint8_t> CFX_DIBitmap::GetScanline(int line) const {
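Review bot: The span length `m_Height * m_Pitch` is computed in the members' own types before it is converted to the span's size type, so if both are 32-bit (their declarations are outside the hunk) the product could wrap for a very large bitmap and the span would no longer describe the real buffer. Widening first, `static_cast<size_t>(m_Height) * m_Pitch`, or using the project's checked-math helper if one is available, would make the length computation safe regardless of how the dimensions were validated at creation. If the constructor already guarantees the product fits, that guarantee is the natural content of the eventual `// SAFETY:` comment. The function starts outside the hunk.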
diff --git a/fpdfsdk/cpdfsdk_appstream.cpp b/fpdfsdk/cpdfsdk_appstream.cpp
index 57d36c3..55cc243 100644
--- a/fpdfsdk/cpdfsdk_appstream.cpp
+++ b/fpdfsdk/cpdfsdk_appstream.cpp
@@ -206,17 +206,17 @@
for (size_t i = 0; i < std::size(pts); ++i) {
for (size_t j = 0; j < std::size(pts[0]); ++j) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS(pts[i][j].x = pts[i][j].x * fWidth + crBBox.left);
- UNSAFE_BUFFERS(pts[i][j].y *= pts[i][j].y * fHeight + crBBox.bottom);
+ UNSAFE_TODO({
+ pts[i][j].x = pts[i][j].x * fWidth + crBBox.left;
+ pts[i][j].y *= pts[i][j].y * fHeight + crBBox.bottom;
+ });
}
}
fxcrt::ostringstream csAP;
WriteMove(csAP, pts[0][0]);
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
for (size_t i = 0; i < std::size(pts); ++i) {
size_t nNext = i < std::size(pts) - 1 ? i + 1 : 0;
const CFX_PointF& pt_next = pts[nNext][0];
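Review bot: The y update `pts[i][j].y *= pts[i][j].y * fHeight + crBBox.bottom;` uses `*=` where the x line directly above it uses `=`, so y is multiplied by its own scaled value instead of being scaled and offset. The commit only regroups the two statements under one macro, so this is carried over from the old code, but it looks like a typo rather than intent. If both axes are meant to be mapped into the bounding box the same way, the line should read `pts[i][j].y = pts[i][j].y * fHeight + crBBox.bottom;`. The enclosing function starts and ends outside the hunk, so the intended geometry should be confirmed against the `pts` initializer.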
@@ -334,8 +334,7 @@
int next = 0;
for (size_t i = 0; i < std::size(points); ++i) {
next = (next + 2) % std::size(points);
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- WriteLine(csAP, UNSAFE_BUFFERS(points[next]));
+ WriteLine(csAP, UNSAFE_TODO(points[next]));
}
return ByteString(csAP);
diff --git a/fpdfsdk/cpdfsdk_helpers_unittest.cpp b/fpdfsdk/cpdfsdk_helpers_unittest.cpp
index db5c85a..85fbb0a 100644
--- a/fpdfsdk/cpdfsdk_helpers_unittest.cpp
+++ b/fpdfsdk/cpdfsdk_helpers_unittest.cpp
@@ -26,8 +26,8 @@
fxcrt::spanset(pdfium::make_span(buf), 0x42);
ASSERT_EQ(kExpectedToBeCopiedLen + 1,
NulTerminateMaybeCopyAndReturnLength(
- to_be_copied, UNSAFE_BUFFERS(pdfium::make_span(
- buf, kExpectedToBeCopiedLen))));
+ to_be_copied,
+ UNSAFE_TODO(pdfium::make_span(buf, kExpectedToBeCopiedLen))));
for (char c : buf)
EXPECT_EQ(0x42, c);
diff --git a/fpdfsdk/fpdf_annot.cpp b/fpdfsdk/fpdf_annot.cpp
index 14e708d..637f9c7 100644
--- a/fpdfsdk/fpdf_annot.cpp
+++ b/fpdfsdk/fpdf_annot.cpp
@@ -519,9 +519,8 @@
auto ink_coord_list = inklist->AppendNew<CPDF_Array>();
for (size_t i = 0; i < point_count; i++) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_BUFFERS(points[i].x));
- ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_BUFFERS(points[i].y));
+ ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_TODO(points[i].x));
+ ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_TODO(points[i].y));
}
return static_cast<int>(inklist->size() - 1);
}
@@ -878,9 +877,8 @@
fxcrt::CollectionSize<unsigned long>(*vertices) / 2;
if (buffer && length >= points_len) {
for (unsigned long i = 0; i < points_len; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(buffer[i].x) = vertices->GetFloatAt(i * 2);
- UNSAFE_BUFFERS(buffer[i].y) = vertices->GetFloatAt(i * 2 + 1);
+ UNSAFE_TODO(buffer[i].x) = vertices->GetFloatAt(i * 2);
+ UNSAFE_TODO(buffer[i].y) = vertices->GetFloatAt(i * 2 + 1);
}
}
return points_len;
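Review bot: The stores `UNSAFE_TODO(buffer[i].x) = ...` and `UNSAFE_TODO(buffer[i].y) = ...` are in range only because of the `buffer && length >= points_len` guard and the caller's promise that `length` describes `buffer`, and nothing at the write sites records that. Forming the span once, right after the guard, would confine the unchecked step to a single expression and make every store bounds-checked: `auto out = UNSAFE_TODO(pdfium::make_span(buffer, points_len));` followed by `out[i].x = vertices->GetFloatAt(i * 2);`. The same pattern applies to the next hunk in this file (the `path->GetFloatAt` loop) and to the `buffer[i] = byte_range->GetIntegerAt(i)` loop in fpdf_signature.cpp. The enclosing function begins outside the hunk.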
@@ -910,9 +908,8 @@
fxcrt::CollectionSize<unsigned long>(*path) / 2;
if (buffer && length >= points_len) {
for (unsigned long i = 0; i < points_len; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(buffer[i].x) = path->GetFloatAt(i * 2);
- UNSAFE_BUFFERS(buffer[i].y) = path->GetFloatAt(i * 2 + 1);
+ UNSAFE_TODO(buffer[i].x) = path->GetFloatAt(i * 2);
+ UNSAFE_TODO(buffer[i].y) = path->GetFloatAt(i * 2 + 1);
}
}
return points_len;
@@ -1069,8 +1066,7 @@
"length of kModeKeyForMode should be equal to "
"FPDF_ANNOT_APPEARANCEMODE_COUNT");
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- const char* mode_key = UNSAFE_BUFFERS(kModeKeyForMode[appearanceMode]);
+ const char* mode_key = UNSAFE_TODO(kModeKeyForMode[appearanceMode]);
RetainPtr<CPDF_Dictionary> pApDict =
pAnnotDict->GetMutableDictFor(pdfium::annotation::kAP);
@@ -1391,9 +1387,8 @@
std::vector<CPDF_Annot::Subtype> focusable_annot_types;
focusable_annot_types.reserve(count);
for (size_t i = 0; i < count; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
focusable_annot_types.push_back(
- static_cast<CPDF_Annot::Subtype>(UNSAFE_BUFFERS(subtypes[i])));
+ static_cast<CPDF_Annot::Subtype>(UNSAFE_TODO(subtypes[i])));
}
pFormFillEnv->SetFocusableAnnotSubtypes(focusable_annot_types);
@@ -1431,9 +1426,8 @@
return false;
for (size_t i = 0; i < focusable_annot_types.size(); ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- UNSAFE_BUFFERS(subtypes[i] = static_cast<FPDF_ANNOTATION_SUBTYPE>(
- focusable_annot_types[i]));
+ UNSAFE_TODO(subtypes[i] = static_cast<FPDF_ANNOTATION_SUBTYPE>(
+ focusable_annot_types[i]));
}
return true;
@@ -1483,7 +1477,7 @@
// SAFETY: required from caller.
return Utf16EncodeMaybeCopyAndReturnLength(
pWidget->GetExportValue(),
- UNSAFE_BUFFERS(SpanFromFPDFApiArgs(buffer, buflen)));
+ UNSAFE_TODO(SpanFromFPDFApiArgs(buffer, buflen)));
}
FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV FPDFAnnot_SetURI(FPDF_ANNOTATION annot,
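Review bot: The call `UNSAFE_TODO(SpanFromFPDFApiArgs(buffer, buflen))` sits directly under the existing comment `// SAFETY: required from caller.`, so the line now both claims a justification and marks itself as unresolved. The removed line carried no TODO comment, unlike the other converted sites in this file, which suggests it was swept up by the mechanical rename. Either keep this site as `UNSAFE_BUFFERS(SpanFromFPDFApiArgs(buffer, buflen))` with the SAFETY comment, or drop the comment if the caller contract is not considered sufficient. The enclosing function starts outside the hunk.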
diff --git a/fpdfsdk/fpdf_attachment.cpp b/fpdfsdk/fpdf_attachment.cpp
index 6fc9671..85ba9fb 100644
--- a/fpdfsdk/fpdf_attachment.cpp
+++ b/fpdfsdk/fpdf_attachment.cpp
@@ -51,9 +51,7 @@
char buf[32];
for (int i = 0; i < 16; ++i) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- FXSYS_IntToTwoHexChars(UNSAFE_BUFFERS(digest[i]),
- UNSAFE_BUFFERS(&buf[i * 2]));
+ FXSYS_IntToTwoHexChars(UNSAFE_TODO(digest[i]), UNSAFE_TODO(&buf[i * 2]));
}
return ByteString(buf, 32);
}
@@ -262,10 +260,9 @@
// Create the file stream and have the filespec dictionary link to it.
const uint8_t* contents_as_bytes = static_cast<const uint8_t*>(contents);
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
auto pFileStream = pDoc->NewIndirect<CPDF_Stream>(
DataVector<uint8_t>(contents_as_bytes,
- UNSAFE_BUFFERS(contents_as_bytes + len)),
+ UNSAFE_TODO(contents_as_bytes + len)),
std::move(pFileStreamDict));
auto pEFDict = pFile->AsMutableDictionary()->SetNewFor<CPDF_Dictionary>("EF");
diff --git a/fpdfsdk/fpdf_doc.cpp b/fpdfsdk/fpdf_doc.cpp
index 570fa31..b16b9b7 100644
--- a/fpdfsdk/fpdf_doc.cpp
+++ b/fpdfsdk/fpdf_doc.cpp
@@ -273,8 +273,7 @@
DCHECK(nParams <= 4);
*pNumParams = nParams;
for (unsigned long i = 0; i < nParams; ++i) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- UNSAFE_BUFFERS(pParams[i] = destination.GetParam(i));
+ UNSAFE_TODO(pParams[i]) = destination.GetParam(i);
}
return destination.GetZoomMode();
}
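Review bot: The loop writing `UNSAFE_TODO(pParams[i]) = destination.GetParam(i);` into the caller-supplied array is bounded only by `DCHECK(nParams <= 4);`, and a debug-only assertion does not enforce that limit in release builds. Where `nParams` is computed is outside the hunk. Unless it is already clamped there, consider `CHECK(nParams <= 4);` so that an unexpected count stops before the stores rather than writing past what the API presumably promises callers. A null check on `pParams` is also not visible in these lines.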
diff --git a/fpdfsdk/fpdf_edit_embeddertest.cpp b/fpdfsdk/fpdf_edit_embeddertest.cpp
index 2a3b524..d63b948 100644
--- a/fpdfsdk/fpdf_edit_embeddertest.cpp
+++ b/fpdfsdk/fpdf_edit_embeddertest.cpp
@@ -4054,8 +4054,7 @@
// - blob "BlobKey": "\x01\x02\x03\0BlobValue1\0\0\0BlobValue2\0"
constexpr size_t kBlobLen = 28;
char block_value[kBlobLen];
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(
+ UNSAFE_TODO(FXSYS_memcpy(
block_value, "\x01\x02\x03\0BlobValue1\0\0\0BlobValue2\0", kBlobLen));
EXPECT_EQ(0, FPDFPageObjMark_CountParams(mark));
EXPECT_TRUE(
diff --git a/fpdfsdk/fpdf_editimg.cpp b/fpdfsdk/fpdf_editimg.cpp
index ab75757..479c6eb 100644
--- a/fpdfsdk/fpdf_editimg.cpp
+++ b/fpdfsdk/fpdf_editimg.cpp
@@ -93,8 +93,7 @@
if (pages) {
for (int index = 0; index < count; index++) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_BUFFERS(pages[index]));
+ CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_TODO(pages[index]));
if (pPage) {
pImgObj->GetImage()->ResetCache(pPage);
}
@@ -175,8 +174,7 @@
if (pages) {
for (int index = 0; index < count; index++) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_BUFFERS(pages[index]));
+ CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_TODO(pages[index]));
if (pPage) {
pImgObj->GetImage()->ResetCache(pPage);
}
diff --git a/fpdfsdk/fpdf_editpage.cpp b/fpdfsdk/fpdf_editpage.cpp
index 7fa4fe1..e6ff79a 100644
--- a/fpdfsdk/fpdf_editpage.cpp
+++ b/fpdfsdk/fpdf_editpage.cpp
@@ -1013,8 +1013,7 @@
std::vector<float> dashes;
if (dash_count > 0) {
dashes.reserve(dash_count);
- // TODO(crbug.com/pdfium/2155): resolve safety issues.
- dashes.assign(dash_array, UNSAFE_BUFFERS(dash_array + dash_count));
+ dashes.assign(dash_array, UNSAFE_TODO(dash_array + dash_count));
}
pPageObj->mutable_graph_state().SetLineDash(dashes, phase, 1.0f);
pPageObj->SetDirty(true);
diff --git a/fpdfsdk/fpdf_edittext.cpp b/fpdfsdk/fpdf_edittext.cpp
index f9d16ea..fe52b92 100644
--- a/fpdfsdk/fpdf_edittext.cpp
+++ b/fpdfsdk/fpdf_edittext.cpp
@@ -618,8 +618,7 @@
ByteString byte_text;
if (charcodes) {
for (size_t i = 0; i < count; ++i) {
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- pTextObj->GetFont()->AppendChar(&byte_text, UNSAFE_BUFFERS(charcodes[i]));
+ pTextObj->GetFont()->AppendChar(&byte_text, UNSAFE_TODO(charcodes[i]));
}
}
pTextObj->SetText(byte_text);
diff --git a/fpdfsdk/fpdf_javascript_embeddertest.cpp b/fpdfsdk/fpdf_javascript_embeddertest.cpp
index c5fa0d8..8810754 100644
--- a/fpdfsdk/fpdf_javascript_embeddertest.cpp
+++ b/fpdfsdk/fpdf_javascript_embeddertest.cpp
@@ -82,8 +82,7 @@
// The result buffer should be overwritten with an empty string.
std::vector<FPDF_WCHAR> buf = GetFPDFWideStringBuffer(kExpectedLength);
// Write in the buffer to verify it's not overwritten.
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(buf.data(), "abcdefgh", 8));
+ UNSAFE_TODO(FXSYS_memcpy(buf.data(), "abcdefgh", 8));
EXPECT_EQ(kExpectedLength, FPDFJavaScriptAction_GetName(js.get(), buf.data(),
kExpectedLength - 1));
EXPECT_EQ(0, memcmp(buf.data(), "abcdefgh", 8));
@@ -113,8 +112,7 @@
// small. The result buffer should be overwritten with an empty string.
std::vector<FPDF_WCHAR> buf = GetFPDFWideStringBuffer(kExpectedLength);
// Write in the buffer to verify it's not overwritten.
- // TODO(tsepez): investigate safety.
- UNSAFE_BUFFERS(FXSYS_memcpy(buf.data(), "abcdefgh", 8));
+ UNSAFE_TODO(FXSYS_memcpy(buf.data(), "abcdefgh", 8));
EXPECT_EQ(kExpectedLength, FPDFJavaScriptAction_GetScript(
js.get(), buf.data(), kExpectedLength - 1));
EXPECT_EQ(0, memcmp(buf.data(), "abcdefgh", 8));
diff --git a/fpdfsdk/fpdf_ppo.cpp b/fpdfsdk/fpdf_ppo.cpp
index a4faaa4..266d021 100644
--- a/fpdfsdk/fpdf_ppo.cpp
+++ b/fpdfsdk/fpdf_ppo.cpp
@@ -739,8 +739,7 @@
if (length == 0) {
return false;
}
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- auto page_span = UNSAFE_BUFFERS(pdfium::make_span(
+ auto page_span = UNSAFE_TODO(pdfium::make_span(
reinterpret_cast<const uint32_t*>(page_indices), length));
return exporter.ExportPage(page_span, index);
}
diff --git a/fpdfsdk/fpdf_signature.cpp b/fpdfsdk/fpdf_signature.cpp
index 5061f42..48ecf06 100644
--- a/fpdfsdk/fpdf_signature.cpp
+++ b/fpdfsdk/fpdf_signature.cpp
@@ -114,8 +114,7 @@
fxcrt::CollectionSize<unsigned long>(*byte_range);
if (buffer && length >= byte_range_len) {
for (size_t i = 0; i < byte_range_len; ++i) {
- // TODO(crbug.com/pdfium/2155): resolve safety issue.
- UNSAFE_BUFFERS(buffer[i] = byte_range->GetIntegerAt(i));
+ UNSAFE_TODO(buffer[i]) = byte_range->GetIntegerAt(i);
}
}
return byte_range_len;
diff --git a/fxjs/cjs_publicmethods.cpp b/fxjs/cjs_publicmethods.cpp
index 9d2b683..debb3d8 100644
--- a/fxjs/cjs_publicmethods.cpp
+++ b/fxjs/cjs_publicmethods.cpp
@@ -265,8 +265,7 @@
bool bDot = false;
bool bKXJS = false;
- // TODO(tsepez): fix UNSAFE usage.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
wchar_t c;
while ((c = *p) != L'\0') {
if (IsDigitSeparatorOrDecimalMark(c)) {
@@ -331,8 +330,7 @@
int nIndex = 0;
v8::Local<v8::Array> StrArray = pRuntime->NewArray();
- // TODO(tsepez): fix UNSAFE usage.
- UNSAFE_BUFFERS({
+ UNSAFE_TODO({
while (*p) {
const char* pTemp = strchr(p, ',');
if (!pTemp) {
diff --git a/testing/pdfium_test.cc b/testing/pdfium_test.cc
index 6f8dcab..5246d05 100644
--- a/testing/pdfium_test.cc
+++ b/testing/pdfium_test.cc
@@ -957,7 +957,7 @@
if (md5) {
// Write the filename and the MD5 of the buffer to stdout.
OutputMD5Hash(image_file_name.c_str(),
- UNSAFE_BUFFERS(pdfium::make_span(
+ UNSAFE_TODO(pdfium::make_span(
static_cast<const uint8_t*>(buffer),
static_cast<size_t>(stride) * renderer.height())));
}
@@ -1288,7 +1288,7 @@
return false;
OutputMD5Hash(image_file_name.c_str(),
- UNSAFE_BUFFERS(pdfium::make_span(
+ UNSAFE_TODO(pdfium::make_span(
static_cast<const uint8_t*>(pixmap.addr()),
pixmap.computeByteSize())));
}
diff --git a/xfa/fde/cfde_texteditengine.cpp b/xfa/fde/cfde_texteditengine.cpp
index 94daa9c..94f8adf 100644
--- a/xfa/fde/cfde_texteditengine.cpp
+++ b/xfa/fde/cfde_texteditengine.cpp
@@ -157,16 +157,14 @@
// Move the gap, if necessary.
if (idx < gap_position_) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues,
- UNSAFE_BUFFERS(FXSYS_memmove(content_.data() + idx + gap_size_,
- content_.data() + idx,
- (gap_position_ - idx) * char_size));
+ UNSAFE_TODO(FXSYS_memmove(content_.data() + idx + gap_size_,
+ content_.data() + idx,
+ (gap_position_ - idx) * char_size));
gap_position_ = idx;
} else if (idx > gap_position_) {
- // TODO(crbug.com/pdfium/2155): resolve safety issues,
- UNSAFE_BUFFERS(FXSYS_memmove(content_.data() + gap_position_,
- content_.data() + gap_position_ + gap_size_,
- (idx - gap_position_) * char_size));
+ UNSAFE_TODO(FXSYS_memmove(content_.data() + gap_position_,
+ content_.data() + gap_position_ + gap_size_,
+ (idx - gap_position_) * char_size));
gap_position_ = idx;
}
@@ -175,10 +173,9 @@
size_t new_gap_size = length + kGapSize;
content_.resize(text_length_ + new_gap_size);
- // TODO(crbug.com/pdfium/2155): resolve safety issues,
- UNSAFE_BUFFERS(FXSYS_memmove(content_.data() + gap_position_ + new_gap_size,
- content_.data() + gap_position_ + gap_size_,
- (text_length_ - gap_position_) * char_size));
+ UNSAFE_TODO(FXSYS_memmove(content_.data() + gap_position_ + new_gap_size,
+ content_.data() + gap_position_ + gap_size_,
+ (text_length_ - gap_position_) * char_size));
gap_size_ = new_gap_size;
}
diff --git a/xfa/fde/cfde_textout.cpp b/xfa/fde/cfde_textout.cpp
index dc5fb55..85b13f4 100644
--- a/xfa/fde/cfde_textout.cpp
+++ b/xfa/fde/cfde_textout.cpp
@@ -93,8 +93,7 @@
#else
font = pFxFont;
#endif
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- device->DrawNormalText(UNSAFE_BUFFERS(pdfium::make_span(pCurCP, count)),
+ device->DrawNormalText(UNSAFE_TODO(pdfium::make_span(pCurCP, count)),
font, -fFontSize, matrix, color, kOptions);
}
pCurFont = pSTFont;
@@ -114,10 +113,8 @@
#else
font = pFxFont;
#endif
- // TODO(crbug.com/pdfium/2155): investigate safety issues.
- return device->DrawNormalText(
- UNSAFE_BUFFERS(pdfium::make_span(pCurCP, count)), font, -fFontSize,
- matrix, color, kOptions);
+ return device->DrawNormalText(UNSAFE_TODO(pdfium::make_span(pCurCP, count)),
+ font, -fFontSize, matrix, color, kOptions);
}
return true;
}
diff --git a/xfa/fxfa/parser/cxfa_localemgr.cpp b/xfa/fxfa/parser/cxfa_localemgr.cpp
index ef4b8f4..212a900 100644
--- a/xfa/fxfa/parser/cxfa_localemgr.cpp
+++ b/xfa/fxfa/parser/cxfa_localemgr.cpp
@@ -1077,9 +1077,8 @@
if (!output)
return nullptr;
- // TODO(crbug.com/pdfuim/2155): investigate safety issues.
return CXFA_XMLLocale::Create(
- heap, UNSAFE_BUFFERS(pdfium::make_span(output.get(), dwSize)));
+ heap, UNSAFE_TODO(pdfium::make_span(output.get(), dwSize)));
}
CXFA_LocaleMgr::LangID GetLanguageID(WideString wsLanguage) {