fofi/FoFiIdentifier.cc | 8 +++++--- goo/GooCheckedOps.h | 26 +++++++++++++++----------- 2 files changed, 20 insertions(+), 14 deletions(-)
New commits: commit ea12ae67be12883e4626b34db8f2f849fb6d56d7 Author: LE GARREC Vincent <[email protected]> Date: Sun Mar 31 20:49:25 2019 +0000 ofz-8443: Integer-overflow in identifyCFF https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8443 diff --git a/fofi/FoFiIdentifier.cc b/fofi/FoFiIdentifier.cc index 6e4ba70f..36863226 100644 --- a/fofi/FoFiIdentifier.cc +++ b/fofi/FoFiIdentifier.cc @@ -16,6 +16,7 @@ // Copyright (C) 2013 Christoph Duelli <[email protected]> // Copyright (C) 2018 Albert Astals Cid <[email protected]> // Copyright (C) 2019 Christian Persch <[email protected]> +// Copyright (C) 2019 LE GARREC Vincent <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -26,6 +27,7 @@ #include <string.h> #include <limits.h> #include "goo/gfile.h" +#include "goo/GooCheckedOps.h" #include "FoFiIdentifier.h" //------------------------------------------------------------------------ @@ -614,9 +616,9 @@ static FoFiIdentifierType identifyCFF(Reader *reader, int start) { offset0 > offset1) { return fofiIdUnknown; } - pos = pos + 3 + (n + 1) * offSize1 + (int)offset0 - 1; - endPos = pos + 3 + (n + 1) * offSize1 + (int)offset1 - 1; - if (pos < 0 || endPos < 0 || pos > endPos) { + if (checkedAdd(pos + 3 + (n + 1) * offSize1, (int)offset0 - 1, &pos) || + checkedAdd(pos + 3 + (n + 1) * offSize1, (int)offset1 - 1, &endPos) || + pos < 0 || endPos < 0 || pos > endPos) { return fofiIdUnknown; } diff --git a/goo/GooCheckedOps.h b/goo/GooCheckedOps.h index 5eedf34b..c49a621f 100644 --- a/goo/GooCheckedOps.h +++ b/goo/GooCheckedOps.h @@ -12,17 +12,21 @@ #ifndef GOO_CHECKED_OPS_H #define GOO_CHECKED_OPS_H -#include <climits> #include <limits> +#include <type_traits> -inline bool checkedAssign(long long lz, int *z) { - static_assert(LLONG_MAX > INT_MAX, "Need type larger than int to perform overflow checks."); +template<typename T> inline bool checkedAssign(long long lz, T *z) { + static_assert(std::numeric_limits<long long>::max() > std::numeric_limits<T>::max(), + "The max of long long type must be larger to perform overflow checks."); + static_assert(std::numeric_limits<long long>::min() < std::numeric_limits<T>::min(), + "The min of long long type must be smaller to perform overflow checks."); - if (lz > INT_MAX || lz < INT_MIN) { + if (lz > std::numeric_limits<T>::max() || + lz < std::numeric_limits<T>::min()) { return true; } - *z = static_cast<int>(lz); + *z = static_cast<T>(lz); return false; } @@ -30,18 +34,18 @@ inline bool checkedAssign(long long lz, int *z) { #define __has_builtin(x) 0 #endif -inline bool checkedAdd(int x, int y, int *z) { -#if __GNUC__ >= 5 || __has_builtin(__builtin_sadd_overflow) - return __builtin_sadd_overflow(x, y, z); +template<typename T> inline bool checkedAdd(T x, T y, T *z) { +#if __GNUC__ >= 5 || __has_builtin(__builtin_add_overflow) + return __builtin_add_overflow(x, y, z); #else const auto lz = static_cast<long long>(x) + static_cast<long long>(y); return checkedAssign(lz, z); #endif } -inline bool checkedMultiply(int x, int y, int *z) { -#if __GNUC__ >= 5 || __has_builtin(__builtin_smul_overflow) - return __builtin_smul_overflow(x, y, z); +template<typename T> inline bool checkedMultiply(T x, T y, T *z) { +#if __GNUC__ >= 5 || __has_builtin(__builtin_mul_overflow) + return __builtin_mul_overflow(x, y, z); #else const auto lz = static_cast<long long>(x) * static_cast<long long>(y); return checkedAssign(lz, z); _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
