Apply UNSAFE_BUFFERS() to two-arg span ctor in fpdfsdk/
There isn't any reason to trust a programmer-provided length over one
deduced by the compiler.
-- Re-write some cases to use subspan where possible.
-- Flag the rest as UNSAFE_BUFFERS().
Change-Id: I8d2fded1c473c5320fca034e0d66b110071076a7
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/118250
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/fpdf_attachment.cpp b/fpdfsdk/fpdf_attachment.cpp
index 8fc5e54..4293c57 100644
--- a/fpdfsdk/fpdf_attachment.cpp
+++ b/fpdfsdk/fpdf_attachment.cpp
@@ -40,13 +40,19 @@
return ByteString(result.get(), size);
}
+// TODO(tsepez): should be UNSAFE_BUFFER_USAGE.
ByteString GenerateMD5Base16(const void* contents, const unsigned long len) {
uint8_t digest[16];
- CRYPT_MD5Generate({static_cast<const uint8_t*>(contents), len}, digest);
- char buf[32];
- for (int i = 0; i < 16; ++i)
- FXSYS_IntToTwoHexChars(digest[i], &buf[i * 2]);
+ // SAFETY: caller ensures `contents` points to at least `len` bytes.
+ CRYPT_MD5Generate(UNSAFE_BUFFERS(pdfium::make_span(
+ static_cast<const uint8_t*>(contents), len)),
+ digest);
+
+ char buf[32];
+ for (int i = 0; i < 16; ++i) {
+ FXSYS_IntToTwoHexChars(digest[i], &buf[i * 2]);
+ }
return ByteString(buf, 32);
}
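Review bot: The new SAFETY comment on the CRYPT_MD5Generate call states a precondition ("`contents` points to at least `len` bytes") that the function's declaration itself never documents, so a caller reading only the signature has no way to know the span wrapping is conditional on them. Since the TODO already says the function should become UNSAFE_BUFFER_USAGE, a doc comment above the signature would carry that contract until the attribute lands, e.g. `// Precondition: |contents| must point to at least |len| readable bytes; |len| is taken on trust and is not validated here.` Note also that UNSAFE_BUFFERS only marks the trust boundary, it does not check it: a `contents == nullptr` with `len > 0` from the public attachment API still reaches CRYPT_MD5Generate unchanged, which is why the precondition belongs in the visible documentation. The two-line `pdfium::make_span(...)` argument could also be bound to a named span first so the SAFETY comment sits directly on the unsafe expression rather than on the whole call.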
@@ -274,8 +280,10 @@
if (!pFileStream)
return false;
+ // SAFETY: required from caller.
*out_buflen = DecodeStreamMaybeCopyAndReturnLength(
std::move(pFileStream),
- {static_cast<uint8_t*>(buffer), static_cast<size_t>(buflen)});
+ UNSAFE_BUFFERS(pdfium::make_span(static_cast<uint8_t*>(buffer),
+ static_cast<size_t>(buflen))));
return true;
}
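Review bot: The SAFETY comment added before DecodeStreamMaybeCopyAndReturnLength, `// SAFETY: required from caller.`, says less than the one the same commit adds in fpdf_attachment.cpp's GenerateMD5Base16, and does not name what is required. For a public entry point where `buffer` and `buflen` arrive from the embedder, the precondition should be spelled out so it is reviewable, e.g. `// SAFETY: caller guarantees |buffer| points to at least |buflen| writable bytes.` The enclosing function starts outside the hunk, so whether a null `buffer` with zero `buflen` is an accepted size-query form (as I would infer for this API) cannot be confirmed here; if it is, the comment should say the span is then empty by construction. As with the other hunk, the macro only documents the trust boundary and adds no check, so a `buffer == nullptr` with nonzero `buflen` would still be passed through as a span.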