Fix invalid write for util.printf

This CL fixes an invalid WRITE triggered by calling util.printf. We need to
verify that the integer format will be less than 260 characters.

Bug: chromium:740166
Change-Id: I1c9047101780582da5f39088568727e2c8b4c2d2
Reviewed-on: https://pdfium-review.googlesource.com/7630
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
diff --git a/fpdfsdk/javascript/util.cpp b/fpdfsdk/javascript/util.cpp
index 100a5ca..3338a3a 100644
--- a/fpdfsdk/javascript/util.cpp
+++ b/fpdfsdk/javascript/util.cpp
@@ -150,9 +150,28 @@
 
     CFX_WideString strSegment;
     switch (ParseDataType(&c_strFormat)) {
-      case UTIL_INT:
+      case UTIL_INT: {
+        int dot = c_strFormat.find(L".", 0);
+        if (dot != -1) {
+          size_t len = 0;
+          for (size_t i = dot + 1; i < c_strFormat.length(); ++i) {
+            wchar_t c = c_strFormat[i];
+            if (std::iswdigit(c)) {
+              ++len;
+              continue;
+            }
+            break;
+          }
+
+          // Windows has a max of ~261 characters in the format string of
+          // the form %0.261x. We're just going to bail out if the format
+          // would be over 3 or more characters long.
+          if (len > 2)
+            return false;
+        }
         strSegment.Format(c_strFormat.c_str(), params[iIndex].ToInt(pRuntime));
         break;
+      }
       case UTIL_DOUBLE:
         strSegment.Format(c_strFormat.c_str(),
                           params[iIndex].ToDouble(pRuntime));
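Review bot: The guard added at L21–L37 only counts digits after the '.', so a format that carries its size in the width field rather than the precision (`%769x` instead of `%0.769x`) still reaches `strSegment.Format` on L39 with the digit count unchecked, and the UTIL_DOUBLE branch on L43 is not guarded at all; if the CRT limit the comment describes also applies to width and to floating-point conversions, the same digit count should be applied before the '.' and in the double case. The comment on L33–L35 also does not match the condition: `len > 2` rejects three or more digits, so `// Reject a precision of three or more digits (>= 100), well under the ~261-character CRT limit.` states it more precisely. Minor: `c_strFormat.find(L".", 0)` compares an int result against -1 and then feeds `dot + 1` into a size_t loop, which is correct only because of the -1 check; a `wchar_t` overload `find(L'.')`, if available, would read more clearly. Note that `std::iswdigit` needs `<cwctype>`, which is outside this hunk, and the enclosing function begins and ends outside the hunk.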
diff --git a/testing/resources/javascript/bug_740166.in b/testing/resources/javascript/bug_740166.in
new file mode 100644
index 0000000..62bc912
--- /dev/null
+++ b/testing/resources/javascript/bug_740166.in
@@ -0,0 +1,58 @@
+{{header}}
+{{object 1 0}} <<
+  /Type /Catalog
+  /Pages 2 0 R
+  /AcroForm 4 0 R
+  /OpenAction 10 0 R
+>>
+endobj
+{{object 2 0}} <<
+  /Type /Pages
+  /Count 1
+  /Kids [
+    3 0 R
+  ]
+>>
+endobj
+% Page number 0.
+{{object 3 0}} <<
+  /Type /Page
+  /Parent 2 0 R
+  /Resources <<
+    /Font <</F1 15 0 R>>
+  >>
+  /Contents [21 0 R]
+  /MediaBox [0 0 612 792]
+>>
+% Forms
+{{object 4 0}} <<
+  /Fields [5 0 R]
+>>
+% Field
+{{object 5 0}} <<
+ /FT /Tx
+ /T (MyField)
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [100 200 150 250]
+>>
+% OpenAction action
+{{object 10 0}} <<
+  /Type /Action
+  /S /JavaScript
+  /JS 11 0 R
+>>
+endobj
+% JS program to exexute
+{{object 11 0}} <<
+>>
+stream
+app.alert("Value " + util.printf("= %0.769x", 1));
+endstream
+endobj
+{{xref}}
+trailer <<
+  /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
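Review bot: The only script line, `app.alert("Value " + util.printf("= %0.769x", 1));` on L100, exercises just the rejected path, and the paired expected file is empty, so the test proves the call no longer crashes but not that the guard leaves valid formats alone; a second alert with an in-range precision such as `%0.99x` would pin the accepted side as well. The comment on L96 reads `% JS program to exexute`; it should be `% JS program to execute`.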
diff --git a/testing/resources/javascript/bug_740166_expected.txt b/testing/resources/javascript/bug_740166_expected.txt
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/testing/resources/javascript/bug_740166_expected.txt