Google Git
Sign in
pdfium / pdfium / bb2b1e72929fb78f9d5b64b3732ed9b5cc93af4e^! / .
commitbb2b1e72929fb78f9d5b64b3732ed9b5cc93af4e[log] [tgz]
authorJohn Abd-El-Malek <jam@chromium.org>Wed Jun 04 14:42:19 2014 -0700
committerJohn Abd-El-Malek <jam@chromium.org>Wed Jun 04 14:42:19 2014 -0700
tree90917f85699dbd714cbbad19ad6b23f849b1bfe5
parent62a7fd6bda145ca3bba0c87102a77e03b5d11037 [diff]
Use unsigned type for iteration to avoid int overflow.

If src_len in PDF_DecodeText is larger than 2^31,
2 * max_chars will overflow and the function will produce
an incorrect result.

BUG=none
R=bo_xu@foxitsoftware.com

Review URL: https://codereview.chromium.org/306923006

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
index 2312636..6838f73 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_decode.cpp

@@ -402,7 +402,7 @@
     CFX_WideString result;
     if (src_len >= 2 && ((src_data[0] == 0xfe && src_data[1] == 0xff) || (src_data[0] == 0xff && src_data[1] == 0xfe))) {
         FX_BOOL bBE = src_data[0] == 0xfe;
-        int max_chars = (src_len - 2) / 2;
+        FX_DWORD max_chars = (src_len - 2) / 2;
         if (!max_chars) {
             return result;
         }
@@ -412,7 +412,7 @@
         FX_LPWSTR dest_buf = result.GetBuffer(max_chars);
         FX_LPCBYTE uni_str = src_data + 2;
         int dest_pos = 0;
-        for (int i = 0; i < max_chars * 2; i += 2) {
+        for (FX_DWORD i = 0; i < max_chars * 2; i += 2) {
             FX_WORD unicode = bBE ? (uni_str[i] << 8 | uni_str[i + 1]) : (uni_str[i + 1] << 8 | uni_str[i]);
             if (unicode == 0x1b) {
                 i += 2;