Resolve unsafe buffer issues in remaining core/ header files
-- Convert to std::array<> in place of C-style array.
-- Use std::array<>::operator==() in place of memcmp().
-- Mark methods as UNSAFE_BUFFER_USAGE.
-- Justify safety of other methods.
Bug: pdfium:2155
Change-Id: I7d5dcf923655759a3dff0258148f3eb727bcfed0
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/119130
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
diff --git a/core/fpdfapi/font/cpdf_fontencoding.cpp b/core/fpdfapi/font/cpdf_fontencoding.cpp
index 84a4615..d615e38 100644
--- a/core/fpdfapi/font/cpdf_fontencoding.cpp
+++ b/core/fpdfapi/font/cpdf_fontencoding.cpp
@@ -1682,7 +1682,7 @@
}
bool CPDF_FontEncoding::IsIdentical(const CPDF_FontEncoding* pAnother) const {
- return memcmp(m_Unicodes, pAnother->m_Unicodes, sizeof(m_Unicodes)) == 0;
+ return m_Unicodes == pAnother->m_Unicodes;
}
RetainPtr<CPDF_Object> CPDF_FontEncoding::Realize(
diff --git a/core/fpdfapi/font/cpdf_fontencoding.h b/core/fpdfapi/font/cpdf_fontencoding.h
index 901e2e9..c136ba3 100644
--- a/core/fpdfapi/font/cpdf_fontencoding.h
+++ b/core/fpdfapi/font/cpdf_fontencoding.h
@@ -4,14 +4,11 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2153): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
#ifndef CORE_FPDFAPI_FONT_CPDF_FONTENCODING_H_
#define CORE_FPDFAPI_FONT_CPDF_FONTENCODING_H_
+#include <array>
+
#include "core/fxcrt/bytestring.h"
#include "core/fxcrt/retain_ptr.h"
#include "core/fxcrt/span.h"
@@ -63,7 +60,7 @@
RetainPtr<CPDF_Object> Realize(WeakPtr<ByteStringPool> pPool) const;
private:
- wchar_t m_Unicodes[kEncodingTableSize] = {};
+ std::array<wchar_t, kEncodingTableSize> m_Unicodes = {};
};
#endif // CORE_FPDFAPI_FONT_CPDF_FONTENCODING_H_
diff --git a/core/fxcodec/jbig2/JBig2_Image.h b/core/fxcodec/jbig2/JBig2_Image.h
index 8d5459b..bf08a94 100644
--- a/core/fxcodec/jbig2/JBig2_Image.h
+++ b/core/fxcodec/jbig2/JBig2_Image.h
@@ -4,11 +4,6 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2153): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
#ifndef CORE_FXCODEC_JBIG2_JBIG2_IMAGE_H_
#define CORE_FXCODEC_JBIG2_JBIG2_IMAGE_H_
@@ -17,6 +12,7 @@
#include <memory>
#include "core/fxcodec/jbig2/JBig2_Define.h"
+#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_memory_wrappers.h"
#include "core/fxcrt/maybe_owned.h"
#include "core/fxcrt/span.h"
@@ -52,9 +48,15 @@
int GetPixel(int32_t x, int32_t y) const;
void SetPixel(int32_t x, int32_t y, int v);
- uint8_t* GetLineUnsafe(int32_t y) const { return data() + y * m_nStride; }
+ // SAFETY: propogated to caller via UNSAFE_BUFFER_USAGE.
+ UNSAFE_BUFFER_USAGE uint8_t* GetLineUnsafe(int32_t y) const {
+ return UNSAFE_BUFFERS(data() + y * m_nStride);
+ }
+
uint8_t* GetLine(int32_t y) const {
- return (y >= 0 && y < m_nHeight) ? GetLineUnsafe(y) : nullptr;
+ // SAFETY: m_nHeight valid lines in image.
+ return (y >= 0 && y < m_nHeight) ? UNSAFE_BUFFERS(GetLineUnsafe(y))
+ : nullptr;
}
void CopyLine(int32_t hTo, int32_t hFrom);
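Review bot: The SAFETY comment on GetLine() justifies only the row index. The pointer returned by `GetLineUnsafe(y)` is valid only if the buffer behind `data()` is non-null and holds at least `m_nHeight * m_nStride` bytes, and nothing in this hunk establishes that. I would spell the invariant out, e.g. `// SAFETY: y is in [0, m_nHeight) and the buffer holds m_nHeight * m_nStride bytes.`, and name where it is enforced (presumably at construction, outside this hunk). The member types are not visible here, so also confirm that `y * m_nStride` cannot overflow for the largest image dimensions accepted from a JBIG2 stream. Minor: "propogated" in the GetLineUnsafe comment should read "propagated".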
diff --git a/core/fxcodec/progressive_decoder.h b/core/fxcodec/progressive_decoder.h
index 00ce962..f648595 100644
--- a/core/fxcodec/progressive_decoder.h
+++ b/core/fxcodec/progressive_decoder.h
@@ -4,11 +4,6 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2153): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
#ifndef CORE_FXCODEC_PROGRESSIVE_DECODER_H_
#define CORE_FXCODEC_PROGRESSIVE_DECODER_H_
@@ -138,8 +133,9 @@
void CalculateWeights(int dest_len, int src_len);
PixelWeight* GetPixelWeight(int pixel) {
- return reinterpret_cast<PixelWeight*>(m_pWeightTables.data() +
- pixel * m_ItemSize);
+ return reinterpret_cast<PixelWeight*>(pdfium::make_span(m_pWeightTables)
+ .subspan(pixel * m_ItemSize)
+ .data());
}
private:
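Review bot: `subspan(pixel * m_ItemSize)` in GetPixelWeight() bounds-checks only the start offset, so an offset equal to the table size would still produce a one-past-the-end pointer that the `reinterpret_cast` hands back as a usable `PixelWeight*`. Passing the length as well, `.subspan(pixel * m_ItemSize, m_ItemSize)`, makes the span check cover the whole entry, assuming m_ItemSize is the per-entry byte size as the offset arithmetic suggests. The product is also formed before it is converted to the span's index type. Whether a negative or overflowing `pixel` can reach here depends on callers outside this hunk, so confirm that such a value fails the subspan check rather than wrapping into range. The identical GetPixelWeight() in the next hunk of this file needs the same change.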
@@ -154,8 +150,9 @@
void CalculateWeights(int dest_len, int src_len);
PixelWeight* GetPixelWeight(int pixel) {
- return reinterpret_cast<PixelWeight*>(m_pWeightTables.data() +
- pixel * m_ItemSize);
+ return reinterpret_cast<PixelWeight*>(pdfium::make_span(m_pWeightTables)
+ .subspan(pixel * m_ItemSize)
+ .data());
}
private:
diff --git a/core/fxge/dib/cstretchengine.h b/core/fxge/dib/cstretchengine.h
index 0a3055b..96c786d 100644
--- a/core/fxge/dib/cstretchengine.h
+++ b/core/fxge/dib/cstretchengine.h
@@ -4,11 +4,6 @@
// Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2153): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
#ifndef CORE_FXGE_DIB_CSTRETCHENGINE_H_
#define CORE_FXGE_DIB_CSTRETCHENGINE_H_
@@ -65,13 +60,15 @@
uint32_t GetWeightForPosition(int position) const {
CHECK_GE(position, m_SrcStart);
CHECK_LE(position, m_SrcEnd);
- return m_Weights[position - m_SrcStart];
+ // SAFETY: enforced by checks above.
+ return UNSAFE_BUFFERS(m_Weights[position - m_SrcStart]);
}
void SetWeightForPosition(int position, uint32_t weight) {
CHECK_GE(position, m_SrcStart);
CHECK_LE(position, m_SrcEnd);
- m_Weights[position - m_SrcStart] = weight;
+ // SAFETY: enforced by checks above.
+ UNSAFE_BUFFERS(m_Weights[position - m_SrcStart] = weight);
}
// NOTE: relies on defined behaviour for unsigned overflow to
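Review bot: "SAFETY: enforced by checks above" in GetWeightForPosition() and SetWeightForPosition() overstates what the CHECKs prove. They bound `position` to [m_SrcStart, m_SrcEnd], but they do not bound the index against the actual extent of `m_Weights`. The access is safe only if m_Weights always holds at least `m_SrcEnd - m_SrcStart + 1` entries, and that invariant is set up outside this hunk. I would state it in the comment, e.g. `// SAFETY: checks above bound the index to [0, m_SrcEnd - m_SrcStart]; m_Weights is sized to cover that range.`, or add a CHECK against the container size if one is available. The same comment in RemoveLastWeightAndAdjust() in the following hunk has the same gap.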
@@ -79,7 +76,8 @@
void RemoveLastWeightAndAdjust(uint32_t weight_change) {
CHECK_GT(m_SrcEnd, m_SrcStart);
--m_SrcEnd;
- m_Weights[m_SrcEnd - m_SrcStart] += weight_change;
+ // SAFETY: enforced by checks above.
+ UNSAFE_BUFFERS(m_Weights[m_SrcEnd - m_SrcStart] += weight_change);
}
int m_SrcStart;