Mark unsafe regions in core/fpdfapi files.

One file remains in this directory which is suppressed at file level,
since it is not straightforward to fix.

Bug: pdfium: 42271175
Change-Id: I33c833aab44f7210482c4bcd6b4fc640e47aaaba
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/119572
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fpdfapi/render/cpdf_docrenderdata.cpp b/core/fpdfapi/render/cpdf_docrenderdata.cpp
index fd0a7cc..fa60b75 100644
--- a/core/fpdfapi/render/cpdf_docrenderdata.cpp
+++ b/core/fpdfapi/render/cpdf_docrenderdata.cpp
@@ -4,11 +4,6 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2154): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
 #include "core/fpdfapi/render/cpdf_docrenderdata.h"
 
 #include <stdint.h>
@@ -25,6 +20,7 @@
 #include "core/fpdfapi/parser/cpdf_array.h"
 #include "core/fpdfapi/parser/cpdf_document.h"
 #include "core/fpdfapi/render/cpdf_type3cache.h"
+#include "core/fxcrt/compiler_specific.h"
 #include "core/fxcrt/fixed_size_data_vector.h"
 
 #if BUILDFLAG(IS_WIN)
@@ -89,9 +85,11 @@
       return nullptr;
 
     for (uint32_t i = 0; i < 3; ++i) {
-      pFuncs[2 - i] = CPDF_Function::Load(pArray->GetDirectObjectAt(i));
-      if (!pFuncs[2 - i])
+      UNSAFE_TODO(pFuncs[2 - i]) =
+          CPDF_Function::Load(pArray->GetDirectObjectAt(i));
+      if (!UNSAFE_TODO(pFuncs[2 - i])) {
         return nullptr;
+      }
     }
   } else {
     pFuncs[0] = CPDF_Function::Load(pObj);
@@ -116,11 +114,11 @@
     for (size_t v = 0; v < CPDF_TransferFunc::kChannelSampleSize; ++v) {
       float input = static_cast<float>(v) / 255.0f;
       for (int i = 0; i < 3; ++i) {
-        if (pFuncs[i]->OutputCount() > kMaxOutputs) {
+        if (UNSAFE_TODO(pFuncs[i])->OutputCount() > kMaxOutputs) {
           samples[i][v] = v;
           continue;
         }
-        pFuncs[i]->Call(pdfium::span_from_ref(input), output);
+        UNSAFE_TODO(pFuncs[i])->Call(pdfium::span_from_ref(input), output);
         size_t o = FXSYS_roundf(output[0] * 255);
         if (o != v)
           bIdentity = false;
diff --git a/core/fpdfapi/render/cpdf_imagerenderer.cpp b/core/fpdfapi/render/cpdf_imagerenderer.cpp
index f7cb1d1..d68fb29 100644
--- a/core/fpdfapi/render/cpdf_imagerenderer.cpp
+++ b/core/fpdfapi/render/cpdf_imagerenderer.cpp
@@ -4,11 +4,6 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2154): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
 #include "core/fpdfapi/render/cpdf_imagerenderer.h"
 
 #include <math.h>
@@ -36,6 +31,7 @@
 #include "core/fpdfapi/render/cpdf_rendercontext.h"
 #include "core/fpdfapi/render/cpdf_renderstatus.h"
 #include "core/fxcrt/check.h"
+#include "core/fxcrt/compiler_specific.h"
 #include "core/fxcrt/fx_safe_types.h"
 #include "core/fxcrt/maybe_owned.h"
 #include "core/fxge/cfx_defaultrenderdevice.h"
@@ -263,18 +259,18 @@
         const uint8_t* mask_scan =
             mask_device.GetBitmap()->GetScanline(row).data();
         for (int col = 0; col < rect.Width(); col++) {
-          int alpha = *mask_scan++;
+          int alpha = UNSAFE_TODO(*mask_scan++);
           if (!alpha) {
-            dest_scan += 4;
+            UNSAFE_TODO(dest_scan += 4);
             continue;
           }
           int orig = (*dest_scan - matte_b) * 255 / alpha + matte_b;
-          *dest_scan++ = std::clamp(orig, 0, 255);
+          UNSAFE_TODO(*dest_scan++) = std::clamp(orig, 0, 255);
           orig = (*dest_scan - matte_g) * 255 / alpha + matte_g;
-          *dest_scan++ = std::clamp(orig, 0, 255);
+          UNSAFE_TODO(*dest_scan++) = std::clamp(orig, 0, 255);
           orig = (*dest_scan - matte_r) * 255 / alpha + matte_r;
-          *dest_scan++ = std::clamp(orig, 0, 255);
-          dest_scan++;
+          UNSAFE_TODO(*dest_scan++) = std::clamp(orig, 0, 255);
+          UNSAFE_TODO(dest_scan++);
         }
       }
     }
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index a22fb8b..9c2dd94 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -4,11 +4,6 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2154): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
 #include "core/fpdfapi/render/cpdf_renderstatus.h"
 
 #include <stdint.h>
@@ -58,6 +53,7 @@
 #include "core/fpdfapi/render/cpdf_type3cache.h"
 #include "core/fxcrt/autorestorer.h"
 #include "core/fxcrt/check.h"
+#include "core/fxcrt/compiler_specific.h"
 #include "core/fxcrt/containers/contains.h"
 #include "core/fxcrt/data_vector.h"
 #include "core/fxcrt/fx_2d_size.h"
@@ -1236,7 +1232,7 @@
       uint32_t fill_argb = m_Options.TranslateColor(mask_argb);
       if (alpha != 1.0f) {
         uint8_t* fill_argb8 = reinterpret_cast<uint8_t*>(&fill_argb);
-        fill_argb8[3] *= FXSYS_roundf(alpha * 255) / 255;
+        UNSAFE_TODO(fill_argb8[3]) *= FXSYS_roundf(alpha * 255) / 255;
       }
       if (m_pDevice->SetBitMask(bitmap, left, top, fill_argb)) {
         return;
@@ -1409,8 +1405,10 @@
       uint8_t* dest_pos = dest_buf.subspan(dest_offset).data();
       const uint8_t* src_pos = src_buf.subspan(src_offset).data();
       for (int col = 0; col < width; col++) {
-        *dest_pos++ = transfers[FXRGB2GRAY(src_pos[2], src_pos[1], *src_pos)];
-        src_pos += Bpp;
+        UNSAFE_TODO({
+          *dest_pos++ = transfers[FXRGB2GRAY(src_pos[2], src_pos[1], *src_pos)];
+          src_pos += Bpp;
+        });
       }
     }
   } else if (pFunc) {
diff --git a/core/fpdfapi/render/cpdf_type3cache.cpp b/core/fpdfapi/render/cpdf_type3cache.cpp
index 0a793d0..b75aaea 100644
--- a/core/fpdfapi/render/cpdf_type3cache.cpp
+++ b/core/fpdfapi/render/cpdf_type3cache.cpp
@@ -4,11 +4,6 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#if defined(UNSAFE_BUFFERS_BUILD)
-// TODO(crbug.com/pdfium/2154): resolve buffer safety issues.
-#pragma allow_unsafe_buffers
-#endif
-
 #include "core/fpdfapi/render/cpdf_type3cache.h"
 
 #include <math.h>
@@ -19,6 +14,7 @@
 #include "core/fpdfapi/font/cpdf_type3char.h"
 #include "core/fpdfapi/font/cpdf_type3font.h"
 #include "core/fpdfapi/render/cpdf_type3glyphmap.h"
+#include "core/fxcrt/compiler_specific.h"
 #include "core/fxcrt/fx_coordinates.h"
 #include "core/fxcrt/fx_safe_types.h"
 #include "core/fxge/cfx_glyphbitmap.h"
@@ -30,16 +26,19 @@
 bool IsScanLine1bpp(const uint8_t* pBuf, int width) {
   int size = width / 8;
   for (int i = 0; i < size; i++) {
-    if (pBuf[i])
+    if (UNSAFE_TODO(pBuf[i])) {
       return true;
+    }
   }
-  return (width % 8) && (pBuf[width / 8] & (0xff << (8 - width % 8)));
+  return (width % 8) &&
+         (UNSAFE_TODO(pBuf[width / 8]) & (0xff << (8 - width % 8)));
 }
 
 bool IsScanLine8bpp(const uint8_t* pBuf, int width) {
   for (int i = 0; i < width; i++) {
-    if (pBuf[i] > 0x40)
+    if (UNSAFE_TODO(pBuf[i]) > 0x40) {
       return true;
+    }
   }
   return false;
 }