Fix invalid write for util.printf
This CL fixes an invalid WRITE triggered by calling util.printf. We need to
verify that the integer format will be less than 260 characters.
Bug: chromium:740166
Change-Id: I1c9047101780582da5f39088568727e2c8b4c2d2
Reviewed-on: https://pdfium-review.googlesource.com/7630
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
diff --git a/fpdfsdk/javascript/util.cpp b/fpdfsdk/javascript/util.cpp
index 100a5ca..3338a3a 100644
--- a/fpdfsdk/javascript/util.cpp
+++ b/fpdfsdk/javascript/util.cpp
@@ -150,9 +150,28 @@
CFX_WideString strSegment;
switch (ParseDataType(&c_strFormat)) {
- case UTIL_INT:
+ case UTIL_INT: {
+ int dot = c_strFormat.find(L".", 0);
+ if (dot != -1) {
+ size_t len = 0;
+ for (size_t i = dot + 1; i < c_strFormat.length(); ++i) {
+ wchar_t c = c_strFormat[i];
+ if (std::iswdigit(c)) {
+ ++len;
+ continue;
+ }
+ break;
+ }
+
+ // Windows has a max of ~261 characters in the format string of
+ // the form %0.261x. We're just going to bail out if the format
+ // would be over 3 or more characters long.
+ if (len > 2)
+ return false;
+ }
strSegment.Format(c_strFormat.c_str(), params[iIndex].ToInt(pRuntime));
break;
+ }
case UTIL_DOUBLE:
strSegment.Format(c_strFormat.c_str(),
params[iIndex].ToDouble(pRuntime));