Check for possibility of inf value from FXSYS_wcstof()
Bug: chromium:951712
Change-Id: I9a4572aa9879e2c4ba374e78d37d9a959752318f
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/53310
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/core/fxcrt/css/cfx_cssdeclaration.cpp b/core/fxcrt/css/cfx_cssdeclaration.cpp
index 9f24019..707bd59 100644
--- a/core/fxcrt/css/cfx_cssdeclaration.cpp
+++ b/core/fxcrt/css/cfx_cssdeclaration.cpp
@@ -6,6 +6,7 @@
#include "core/fxcrt/css/cfx_cssdeclaration.h"
+#include <cmath>
#include <utility>
#include "core/fxcrt/css/cfx_csscolorvalue.h"
@@ -35,7 +36,7 @@
int32_t iUsedLen = 0;
fValue = FXSYS_wcstof(pszValue, iValueLen, &iUsedLen);
- if (iUsedLen <= 0)
+ if (iUsedLen <= 0 || !std::isfinite(fValue))
return false;
iValueLen -= iUsedLen;
diff --git a/core/fxcrt/fx_extension_unittest.cpp b/core/fxcrt/fx_extension_unittest.cpp
index 11684c9..81fc4f7 100644
--- a/core/fxcrt/fx_extension_unittest.cpp
+++ b/core/fxcrt/fx_extension_unittest.cpp
@@ -129,6 +129,21 @@
// For https://crbug.com/pdfium/1217
EXPECT_FLOAT_EQ(0.0f, FXSYS_wcstof(L"e76", 3, nullptr));
+
+ // Overflow to infinity.
+ used_len = 0;
+ EXPECT_TRUE(std::isinf(FXSYS_wcstof(
+ L"88888888888888888888888888888888888888888888888888888888888888888888888"
+ L"88888888888888888888888888888888888888888888888888888888888",
+ 130, &used_len)));
+ EXPECT_EQ(130, used_len);
+
+ used_len = 0;
+ EXPECT_TRUE(std::isinf(FXSYS_wcstof(
+ L"-8888888888888888888888888888888888888888888888888888888888888888888888"
+ L"888888888888888888888888888888888888888888888888888888888888",
+ 131, &used_len)));
+ EXPECT_EQ(131, used_len);
}
TEST(fxcrt, FXSYS_SafeOps) {
diff --git a/core/fxcrt/fx_system.cpp b/core/fxcrt/fx_system.cpp
index 0731a08..673b286 100644
--- a/core/fxcrt/fx_system.cpp
+++ b/core/fxcrt/fx_system.cpp
@@ -6,6 +6,7 @@
#include "core/fxcrt/fx_system.h"
+#include <cmath>
#include <limits>
#include "core/fxcrt/fx_extension.h"
@@ -83,6 +84,8 @@
} // namespace
int FXSYS_round(float d) {
+ if (std::isnan(d))
+ return 0;
if (d < static_cast<float>(std::numeric_limits<int>::min()))
return std::numeric_limits<int>::min();
if (d > static_cast<float>(std::numeric_limits<int>::max()))
diff --git a/xfa/fxfa/parser/cxfa_measurement.cpp b/xfa/fxfa/parser/cxfa_measurement.cpp
index 9ac8a88..d4e326f 100644
--- a/xfa/fxfa/parser/cxfa_measurement.cpp
+++ b/xfa/fxfa/parser/cxfa_measurement.cpp
@@ -6,6 +6,8 @@
#include "xfa/fxfa/parser/cxfa_measurement.h"
+#include <cmath>
+
#include "core/fxcrt/fx_extension.h"
namespace {
@@ -32,8 +34,7 @@
void CXFA_Measurement::SetString(WideStringView wsMeasure) {
if (wsMeasure.IsEmpty()) {
- m_fValue = 0;
- m_eUnit = XFA_Unit::Unknown;
+ Set(0, XFA_Unit::Unknown);
return;
}
@@ -43,6 +44,9 @@
int32_t iUsedLen = 0;
float fValue = FXSYS_wcstof(wsMeasure.unterminated_c_str(),
wsMeasure.GetLength(), &iUsedLen);
+ if (!std::isfinite(fValue))
+ fValue = 0.0f;
+
wsMeasure = wsMeasure.Right(wsMeasure.GetLength() - iUsedLen);
Set(fValue, GetUnitFromString(wsMeasure));
}
diff --git a/xfa/fxgraphics/cxfa_graphics.cpp b/xfa/fxgraphics/cxfa_graphics.cpp
index d2c7189..bd8bf28 100644
--- a/xfa/fxgraphics/cxfa_graphics.cpp
+++ b/xfa/fxgraphics/cxfa_graphics.cpp
@@ -303,7 +303,7 @@
float x = static_cast<float>(column);
scale = (((x - start_x) * x_span) + ((y - start_y) * y_span)) /
axis_len_square;
- if (scale < 0.0f) {
+ if (std::isnan(scale) || scale < 0.0f) {
if (!m_info.fillColor.GetShading()->m_isExtendedBegin)
continue;
scale = 0.0f;
