Use safe math in FPDF_FileHandlerContext::ReadBlockAtOffset()
Avoid potential integer overflows.
Change-Id: I3055a50ddfc2f8604e28ae32160550e44b464fb2
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/123475
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Tom Sepez <tsepez@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/cpdfsdk_helpers.cpp b/fpdfsdk/cpdfsdk_helpers.cpp
index 8202ed8..6f8d0b7 100644
--- a/fpdfsdk/cpdfsdk_helpers.cpp
+++ b/fpdfsdk/cpdfsdk_helpers.cpp
@@ -141,16 +141,24 @@
bool FPDF_FileHandlerContext::ReadBlockAtOffset(pdfium::span<uint8_t> buffer,
FX_FILESIZE offset) {
- if (buffer.empty() || !m_pFS->ReadBlock)
+ if (buffer.empty() || !m_pFS->ReadBlock) {
return false;
+ }
+
+ FX_SAFE_FILESIZE new_position = offset;
+ new_position += buffer.size();
+ if (!new_position.IsValid()) {
+ return false;
+ }
if (m_pFS->ReadBlock(m_pFS->clientData, static_cast<FPDF_DWORD>(offset),
buffer.data(),
- static_cast<FPDF_DWORD>(buffer.size())) == 0) {
- m_nCurPos = offset + buffer.size();
- return true;
+ static_cast<FPDF_DWORD>(buffer.size())) != 0) {
+ return false;
}
- return false;
+
+ m_nCurPos = new_position.ValueOrDie();
+ return true;
}
bool FPDF_FileHandlerContext::WriteBlock(pdfium::span<const uint8_t> buffer) {
