Use safe math in FPDF_FileHandlerContext::WriteBlock()
Avoid potential integer overflows.
Change-Id: I3d809b15c3284547ee1d234b4feee10a56897a9a
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/123473
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Tom Sepez <tsepez@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/cpdfsdk_helpers.cpp b/fpdfsdk/cpdfsdk_helpers.cpp
index ec1cb2c..abc6b0b 100644
--- a/fpdfsdk/cpdfsdk_helpers.cpp
+++ b/fpdfsdk/cpdfsdk_helpers.cpp
@@ -23,6 +23,7 @@
#include "core/fxcrt/check.h"
#include "core/fxcrt/compiler_specific.h"
#include "core/fxcrt/fx_memcpy_wrappers.h"
+#include "core/fxcrt/fx_safe_types.h"
#include "core/fxcrt/numerics/safe_conversions.h"
#include "core/fxcrt/span_util.h"
#include "core/fxcrt/stl_util.h"
@@ -178,13 +179,20 @@
return false;
}
- if (m_pFS->WriteBlock(m_pFS->clientData, static_cast<FPDF_DWORD>(GetSize()),
+ const FX_FILESIZE size = GetSize();
+ FX_SAFE_FILESIZE new_position = size;
+ new_position += buffer.size();
+ if (!new_position.IsValid()) {
+ return false;
+ }
+
+ if (m_pFS->WriteBlock(m_pFS->clientData, static_cast<FPDF_DWORD>(size),
buffer.data(),
static_cast<FPDF_DWORD>(buffer.size())) != 0) {
return false;
}
- m_nCurPos = GetSize() + buffer.size();
+ m_nCurPos = new_position.ValueOrDie();
return true;
}
