diff options
author | Tom Sepez <tsepez@chromium.org> | 2024-05-09 20:47:23 +0000 |
---|---|---|
committer | Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2024-05-09 20:47:23 +0000 |
commit | 946c0d382c532bc3d4067342037bfb98bda83584 (patch) | |
tree | 3b04226d21838ef76e5d4b65f0a0a27eb477cd8a | |
parent | 9e67709fb358aa9bf1c5906007e92b918d819944 (diff) | |
download | pdfium-946c0d382c532bc3d4067342037bfb98bda83584.tar.gz |
Remove file-wide unsafe_buffers pragmas from fpdfsdk/fpdf*.cpp
Bug: pdfium:2154
Change-Id: I1fa8eff1f51eda4fb1a10ca0e04095619608c023
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/118970
Reviewed-by: Thomas Sepez <tsepez@google.com>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
-rw-r--r-- | fpdfsdk/fpdf_annot.cpp | 89 | ||||
-rw-r--r-- | fpdfsdk/fpdf_attachment.cpp | 25 | ||||
-rw-r--r-- | fpdfsdk/fpdf_doc.cpp | 40 | ||||
-rw-r--r-- | fpdfsdk/fpdf_editimg.cpp | 22 | ||||
-rw-r--r-- | fpdfsdk/fpdf_editpage.cpp | 29 | ||||
-rw-r--r-- | fpdfsdk/fpdf_edittext.cpp | 21 | ||||
-rw-r--r-- | fpdfsdk/fpdf_ppo.cpp | 18 | ||||
-rw-r--r-- | fpdfsdk/fpdf_signature.cpp | 25 | ||||
-rw-r--r-- | fpdfsdk/fpdf_view.cpp | 44 |
9 files changed, 165 insertions, 148 deletions
diff --git a/fpdfsdk/fpdf_annot.cpp b/fpdfsdk/fpdf_annot.cpp index 34346b3b4..c5ff6dff0 100644 --- a/fpdfsdk/fpdf_annot.cpp +++ b/fpdfsdk/fpdf_annot.cpp @@ -2,11 +2,6 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_annot.h" #include <memory> @@ -524,8 +519,9 @@ FPDF_EXPORT int FPDF_CALLCONV FPDFAnnot_AddInkStroke(FPDF_ANNOTATION annot, auto ink_coord_list = inklist->AppendNew<CPDF_Array>(); for (size_t i = 0; i < point_count; i++) { - ink_coord_list->AppendNew<CPDF_Number>(points[i].x); - ink_coord_list->AppendNew<CPDF_Number>(points[i].y); + // TODO(crbug.com/pdfium/2155): investigate safety issues. + ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_BUFFERS(points[i].x)); + ink_coord_list->AppendNew<CPDF_Number>(UNSAFE_BUFFERS(points[i].y)); } return static_cast<int>(inklist->size() - 1); } @@ -882,8 +878,9 @@ FPDFAnnot_GetVertices(FPDF_ANNOTATION annot, fxcrt::CollectionSize<unsigned long>(*vertices) / 2; if (buffer && length >= points_len) { for (unsigned long i = 0; i < points_len; ++i) { - buffer[i].x = vertices->GetFloatAt(i * 2); - buffer[i].y = vertices->GetFloatAt(i * 2 + 1); + // TODO(crbug.com/pdfium/2155): investigate safety issues. + UNSAFE_BUFFERS(buffer[i].x) = vertices->GetFloatAt(i * 2); + UNSAFE_BUFFERS(buffer[i].y) = vertices->GetFloatAt(i * 2 + 1); } } return points_len; @@ -913,8 +910,9 @@ FPDFAnnot_GetInkListPath(FPDF_ANNOTATION annot, fxcrt::CollectionSize<unsigned long>(*path) / 2; if (buffer && length >= points_len) { for (unsigned long i = 0; i < points_len; ++i) { - buffer[i].x = path->GetFloatAt(i * 2); - buffer[i].y = path->GetFloatAt(i * 2 + 1); + // TODO(crbug.com/pdfium/2155): investigate safety issues. + UNSAFE_BUFFERS(buffer[i].x) = path->GetFloatAt(i * 2); + UNSAFE_BUFFERS(buffer[i].y) = path->GetFloatAt(i * 2 + 1); } } return points_len; @@ -1025,11 +1023,12 @@ FPDFAnnot_GetStringValue(FPDF_ANNOTATION annot, FPDF_WCHAR* buffer, unsigned long buflen) { const CPDF_Dictionary* pAnnotDict = GetAnnotDictFromFPDFAnnotation(annot); - if (!pAnnotDict) + if (!pAnnotDict) { return 0; - - return Utf16EncodeMaybeCopyAndReturnLength(pAnnotDict->GetUnicodeTextFor(key), - buffer, buflen); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pAnnotDict->GetUnicodeTextFor(key), buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV @@ -1067,7 +1066,9 @@ FPDFAnnot_SetAP(FPDF_ANNOTATION annot, static_assert(std::size(kModeKeyForMode) == FPDF_ANNOT_APPEARANCEMODE_COUNT, "length of kModeKeyForMode should be equal to " "FPDF_ANNOT_APPEARANCEMODE_COUNT"); - const char* mode_key = kModeKeyForMode[appearanceMode]; + + // TODO(crbug.com/pdfium/2155): investigate safety issues. + const char* mode_key = UNSAFE_BUFFERS(kModeKeyForMode[appearanceMode]); RetainPtr<CPDF_Dictionary> pApDict = pAnnotDict->GetMutableDictFor(pdfium::annotation::kAP); @@ -1145,8 +1146,9 @@ FPDFAnnot_GetAP(FPDF_ANNOTATION annot, static_cast<CPDF_Annot::AppearanceMode>(appearanceMode); RetainPtr<CPDF_Stream> pStream = GetAnnotAPNoFallback(pAnnotDict.Get(), mode); - return Utf16EncodeMaybeCopyAndReturnLength( - pStream ? pStream->GetUnicodeText() : WideString(), buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pStream ? pStream->GetUnicodeText() : WideString(), buffer, buflen)); } FPDF_EXPORT FPDF_ANNOTATION FPDF_CALLCONV @@ -1220,10 +1222,12 @@ FPDFAnnot_GetFormFieldName(FPDF_FORMHANDLE hHandle, FPDF_WCHAR* buffer, unsigned long buflen) { const CPDF_FormField* pFormField = GetFormField(hHandle, annot); - if (!pFormField) + if (!pFormField) { return 0; - return Utf16EncodeMaybeCopyAndReturnLength(pFormField->GetFullName(), buffer, - buflen); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pFormField->GetFullName(), buffer, buflen)); } FPDF_EXPORT int FPDF_CALLCONV @@ -1250,8 +1254,9 @@ FPDFAnnot_GetFormAdditionalActionJavaScript(FPDF_FORMHANDLE hHandle, auto type = static_cast<CPDF_AAction::AActionType>(event); CPDF_AAction additional_action = pFormField->GetAdditionalAction(); CPDF_Action action = additional_action.GetAction(type); - return Utf16EncodeMaybeCopyAndReturnLength(action.GetJavaScript(), buffer, - buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + action.GetJavaScript(), buffer, buflen)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -1260,11 +1265,12 @@ FPDFAnnot_GetFormFieldAlternateName(FPDF_FORMHANDLE hHandle, FPDF_WCHAR* buffer, unsigned long buflen) { const CPDF_FormField* pFormField = GetFormField(hHandle, annot); - if (!pFormField) + if (!pFormField) { return 0; - - return Utf16EncodeMaybeCopyAndReturnLength(pFormField->GetAlternateName(), - buffer, buflen); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pFormField->GetAlternateName(), buffer, buflen)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -1273,10 +1279,12 @@ FPDFAnnot_GetFormFieldValue(FPDF_FORMHANDLE hHandle, FPDF_WCHAR* buffer, unsigned long buflen) { const CPDF_FormField* pFormField = GetFormField(hHandle, annot); - if (!pFormField) + if (!pFormField) { return 0; - return Utf16EncodeMaybeCopyAndReturnLength(pFormField->GetValue(), buffer, - buflen); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pFormField->GetValue(), buffer, buflen)); } FPDF_EXPORT int FPDF_CALLCONV FPDFAnnot_GetOptionCount(FPDF_FORMHANDLE hHandle, @@ -1299,7 +1307,9 @@ FPDFAnnot_GetOptionLabel(FPDF_FORMHANDLE hHandle, return 0; WideString ws = pFormField->GetOptionLabel(index); - return Utf16EncodeMaybeCopyAndReturnLength(ws, buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(ws, buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV @@ -1374,8 +1384,9 @@ FPDFAnnot_SetFocusableSubtypes(FPDF_FORMHANDLE hHandle, std::vector<CPDF_Annot::Subtype> focusable_annot_types; focusable_annot_types.reserve(count); for (size_t i = 0; i < count; ++i) { + // TODO(crbug.com/pdfium/2155): investigate safety issues. focusable_annot_types.push_back( - static_cast<CPDF_Annot::Subtype>(subtypes[i])); + static_cast<CPDF_Annot::Subtype>(UNSAFE_BUFFERS(subtypes[i]))); } pFormFillEnv->SetFocusableAnnotSubtypes(focusable_annot_types); @@ -1413,8 +1424,9 @@ FPDFAnnot_GetFocusableSubtypes(FPDF_FORMHANDLE hHandle, return false; for (size_t i = 0; i < focusable_annot_types.size(); ++i) { - subtypes[i] = - static_cast<FPDF_ANNOTATION_SUBTYPE>(focusable_annot_types[i]); + // TODO(crbug.com/pdfium/2155): investigate safety issues. + UNSAFE_BUFFERS(subtypes[i] = static_cast<FPDF_ANNOTATION_SUBTYPE>( + focusable_annot_types[i])); } return true; @@ -1458,11 +1470,12 @@ FPDFAnnot_GetFormFieldExportValue(FPDF_FORMHANDLE hHandle, unsigned long buflen) { const CPDFSDK_Widget* pWidget = GetRadioButtonOrCheckBoxWidget(hHandle, annot); - if (!pWidget) + if (!pWidget) { return 0; - - return Utf16EncodeMaybeCopyAndReturnLength(pWidget->GetExportValue(), buffer, - buflen); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + pWidget->GetExportValue(), buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV FPDFAnnot_SetURI(FPDF_ANNOTATION annot, diff --git a/fpdfsdk/fpdf_attachment.cpp b/fpdfsdk/fpdf_attachment.cpp index 398bd47a1..dfd48a7dd 100644 --- a/fpdfsdk/fpdf_attachment.cpp +++ b/fpdfsdk/fpdf_attachment.cpp @@ -2,11 +2,6 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_attachment.h" #include <limits.h> @@ -56,7 +51,9 @@ ByteString GenerateMD5Base16(const void* contents, const unsigned long len) { char buf[32]; for (int i = 0; i < 16; ++i) { - FXSYS_IntToTwoHexChars(digest[i], &buf[i * 2]); + // TODO(crbug.com/pdfium/2155): resolve safety issues. + FXSYS_IntToTwoHexChars(UNSAFE_BUFFERS(digest[i]), + UNSAFE_BUFFERS(&buf[i * 2])); } return ByteString(buf, 32); } @@ -141,8 +138,9 @@ FPDFAttachment_GetName(FPDF_ATTACHMENT attachment, return 0; CPDF_FileSpec spec(pdfium::WrapRetain(pFile)); - return Utf16EncodeMaybeCopyAndReturnLength(spec.GetFileName(), buffer, - buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(spec.GetFileName(), buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV @@ -216,8 +214,9 @@ FPDFAttachment_GetStringValue(FPDF_ATTACHMENT attachment, ->GetUnicodeText(); } } - - return Utf16EncodeMaybeCopyAndReturnLength(value, buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(value, buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV @@ -260,9 +259,13 @@ FPDFAttachment_SetFile(FPDF_ATTACHMENT attachment, // Create the file stream and have the filespec dictionary link to it. const uint8_t* contents_as_bytes = static_cast<const uint8_t*>(contents); + + // TODO(crbug.com/pdfium/2155): resolve safety issues. auto pFileStream = pDoc->NewIndirect<CPDF_Stream>( - DataVector<uint8_t>(contents_as_bytes, contents_as_bytes + len), + DataVector<uint8_t>(contents_as_bytes, + UNSAFE_BUFFERS(contents_as_bytes + len)), std::move(pFileStreamDict)); + auto pEFDict = pFile->AsMutableDictionary()->SetNewFor<CPDF_Dictionary>("EF"); pEFDict->SetNewFor<CPDF_Reference>("F", pDoc, pFileStream->GetObjNum()); return true; diff --git a/fpdfsdk/fpdf_doc.cpp b/fpdfsdk/fpdf_doc.cpp index 8f2ad24ce..1dae6cb23 100644 --- a/fpdfsdk/fpdf_doc.cpp +++ b/fpdfsdk/fpdf_doc.cpp @@ -4,11 +4,6 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_doc.h" #include <memory> @@ -120,7 +115,9 @@ FPDFBookmark_GetTitle(FPDF_BOOKMARK bookmark, CPDF_Bookmark cBookmark( pdfium::WrapRetain(CPDFDictionaryFromFPDFBookmark(bookmark))); WideString title = cBookmark.GetTitle(); - return Utf16EncodeMaybeCopyAndReturnLength(title, buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(title, buffer, buflen)); } FPDF_EXPORT int FPDF_CALLCONV FPDFBookmark_GetCount(FPDF_BOOKMARK bookmark) { @@ -222,10 +219,11 @@ FPDFAction_GetFilePath(FPDF_ACTION action, void* buffer, unsigned long buflen) { type != PDFACTION_LAUNCH) { return 0; } - CPDF_Action cAction(pdfium::WrapRetain(CPDFDictionaryFromFPDFAction(action))); ByteString path = cAction.GetFilePath().ToUTF8(); - return NulTerminateMaybeCopyAndReturnLength(path, buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + NulTerminateMaybeCopyAndReturnLength(path, buffer, buflen)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -271,14 +269,15 @@ FPDFDest_GetView(FPDF_DEST dest, unsigned long* pNumParams, FS_FLOAT* pParams) { *pNumParams = 0; return 0; } - CPDF_Dest destination(pdfium::WrapRetain(CPDFArrayFromFPDFDest(dest))); const unsigned long nParams = pdfium::checked_cast<unsigned long>(destination.GetNumParams()); DCHECK(nParams <= 4); *pNumParams = nParams; - for (unsigned long i = 0; i < nParams; ++i) - pParams[i] = destination.GetParam(i); + for (unsigned long i = 0; i < nParams; ++i) { + // TODO(crbug.com/pdfium/2155): resolve safety issues. + UNSAFE_BUFFERS(pParams[i] = destination.GetParam(i)); + } return destination.GetZoomMode(); } @@ -490,8 +489,9 @@ FPDF_GetFileIdentifier(FPDF_DOCUMENT document, if (!pValue) return 0; - return NulTerminateMaybeCopyAndReturnLength(pValue->GetString(), buffer, - buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS(NulTerminateMaybeCopyAndReturnLength( + pValue->GetString(), buffer, buflen)); } FPDF_EXPORT unsigned long FPDF_CALLCONV FPDF_GetMetaText(FPDF_DOCUMENT document, @@ -509,7 +509,10 @@ FPDF_EXPORT unsigned long FPDF_CALLCONV FPDF_GetMetaText(FPDF_DOCUMENT document, return 0; WideString text = pInfo->GetUnicodeTextFor(tag); - return Utf16EncodeMaybeCopyAndReturnLength(text, buffer, buflen); + + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(text, buffer, buflen)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -523,7 +526,10 @@ FPDF_GetPageLabel(FPDF_DOCUMENT document, // CPDF_PageLabel can deal with NULL |document|. CPDF_PageLabel label(CPDFDocumentFromFPDFDocument(document)); std::optional<WideString> str = label.GetLabel(page_index); - return str.has_value() - ? Utf16EncodeMaybeCopyAndReturnLength(str.value(), buffer, buflen) - : 0; + if (!str.has_value()) { + return 0; + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(str.value(), buffer, buflen)); } diff --git a/fpdfsdk/fpdf_editimg.cpp b/fpdfsdk/fpdf_editimg.cpp index fd44723d9..7ca3ac5bb 100644 --- a/fpdfsdk/fpdf_editimg.cpp +++ b/fpdfsdk/fpdf_editimg.cpp @@ -4,11 +4,6 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_edit.h" #include <memory> @@ -27,6 +22,7 @@ #include "core/fpdfapi/render/cpdf_imagerenderer.h" #include "core/fpdfapi/render/cpdf_rendercontext.h" #include "core/fpdfapi/render/cpdf_renderstatus.h" +#include "core/fxcrt/compiler_specific.h" #include "core/fxcrt/notreached.h" #include "core/fxcrt/stl_util.h" #include "core/fxge/cfx_defaultrenderdevice.h" @@ -97,9 +93,11 @@ bool LoadJpegHelper(FPDF_PAGE* pages, if (pages) { for (int index = 0; index < count; index++) { - CPDF_Page* pPage = CPDFPageFromFPDFPage(pages[index]); - if (pPage) + // TODO(crbug.com/pdfium/2155): resolve safety issues. + CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_BUFFERS(pages[index])); + if (pPage) { pImgObj->GetImage()->ResetCache(pPage); + } } } @@ -177,9 +175,11 @@ FPDFImageObj_SetBitmap(FPDF_PAGE* pages, if (pages) { for (int index = 0; index < count; index++) { - CPDF_Page* pPage = CPDFPageFromFPDFPage(pages[index]); - if (pPage) + // TODO(crbug.com/pdfium/2155): resolve safety issues. + CPDF_Page* pPage = CPDFPageFromFPDFPage(UNSAFE_BUFFERS(pages[index])); + if (pPage) { pImgObj->GetImage()->ResetCache(pPage); + } } } @@ -420,7 +420,9 @@ FPDFImageObj_GetImageFilter(FPDF_PAGEOBJECT image_object, ? pFilter->AsName()->GetString() : pFilter->AsArray()->GetByteStringAt(index); - return NulTerminateMaybeCopyAndReturnLength(bsFilter, buffer, buflen); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + NulTerminateMaybeCopyAndReturnLength(bsFilter, buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV diff --git a/fpdfsdk/fpdf_editpage.cpp b/fpdfsdk/fpdf_editpage.cpp index 4ee20b1d7..72139131f 100644 --- a/fpdfsdk/fpdf_editpage.cpp +++ b/fpdfsdk/fpdf_editpage.cpp @@ -4,11 +4,6 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_edit.h" #include <algorithm> @@ -369,12 +364,13 @@ FPDFPageObjMark_GetName(FPDF_PAGEOBJECTMARK mark, unsigned long* out_buflen) { const CPDF_ContentMarkItem* pMarkItem = CPDFContentMarkItemFromFPDFPageObjectMark(mark); - if (!pMarkItem || !out_buflen) + if (!pMarkItem || !out_buflen) { return false; - - *out_buflen = Utf16EncodeMaybeCopyAndReturnLength( + } + // SAFETY: required from caller. + *out_buflen = UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( WideString::FromUTF8(pMarkItem->GetName().AsStringView()), buffer, - buflen); + buflen)); return true; } @@ -405,8 +401,9 @@ FPDFPageObjMark_GetParamKey(FPDF_PAGEOBJECTMARK mark, CPDF_DictionaryLocker locker(pParams); for (auto& it : locker) { if (index == 0) { - *out_buflen = Utf16EncodeMaybeCopyAndReturnLength( - WideString::FromUTF8(it.first.AsStringView()), buffer, buflen); + // SAFETY: required from caller. + *out_buflen = UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + WideString::FromUTF8(it.first.AsStringView()), buffer, buflen)); return true; } --index; @@ -462,8 +459,9 @@ FPDFPageObjMark_GetParamStringValue(FPDF_PAGEOBJECTMARK mark, if (!pObj || !pObj->IsString()) return false; - *out_buflen = Utf16EncodeMaybeCopyAndReturnLength( - WideString::FromUTF8(pObj->GetString().AsStringView()), buffer, buflen); + // SAFETY: required from caller. + *out_buflen = UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + WideString::FromUTF8(pObj->GetString().AsStringView()), buffer, buflen)); return true; } @@ -1016,11 +1014,10 @@ FPDFPageObj_SetDashArray(FPDF_PAGEOBJECT page_object, std::vector<float> dashes; if (dash_count > 0) { dashes.reserve(dash_count); - dashes.assign(dash_array, dash_array + dash_count); + // TODO(crbug.com/pdfium/2155): resolve safety issues. + dashes.assign(dash_array, UNSAFE_BUFFERS(dash_array + dash_count)); } - pPageObj->mutable_graph_state().SetLineDash(dashes, phase, 1.0f); - pPageObj->SetDirty(true); return true; } diff --git a/fpdfsdk/fpdf_edittext.cpp b/fpdfsdk/fpdf_edittext.cpp index e9595a487..04d035a27 100644 --- a/fpdfsdk/fpdf_edittext.cpp +++ b/fpdfsdk/fpdf_edittext.cpp @@ -2,11 +2,6 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include <map> #include <memory> #include <sstream> @@ -34,6 +29,7 @@ #include "core/fpdftext/cpdf_textpage.h" #include "core/fxcrt/check.h" #include "core/fxcrt/check_op.h" +#include "core/fxcrt/compiler_specific.h" #include "core/fxcrt/containers/contains.h" #include "core/fxcrt/fx_extension.h" #include "core/fxcrt/fx_memcpy_wrappers.h" @@ -621,7 +617,8 @@ FPDFText_SetCharcodes(FPDF_PAGEOBJECT text_object, ByteString byte_text; if (charcodes) { for (size_t i = 0; i < count; ++i) { - pTextObj->GetFont()->AppendChar(&byte_text, charcodes[i]); + // TODO(crbug.com/pdfium/2155): investigate safety issues. + pTextObj->GetFont()->AppendChar(&byte_text, UNSAFE_BUFFERS(charcodes[i])); } } pTextObj->SetText(byte_text); @@ -638,8 +635,8 @@ FPDF_EXPORT FPDF_FONT FPDF_CALLCONV FPDFText_LoadFont(FPDF_DOCUMENT document, (font_type != FPDF_FONT_TYPE1 && font_type != FPDF_FONT_TRUETYPE)) { return nullptr; } - - auto span = pdfium::make_span(data, size); + // SAFETY: required from caller. + auto span = UNSAFE_BUFFERS(pdfium::make_span(data, size)); auto pFont = std::make_unique<CFX_Font>(); // TODO(npm): Maybe use FT_Get_X11_Font_Format to check format? Otherwise, we @@ -678,8 +675,8 @@ FPDFText_LoadCidType2Font(FPDF_DOCUMENT document, cid_to_gid_map_data_size == 0) { return nullptr; } - - auto font_span = pdfium::make_span(font_data, font_data_size); + // SAFETY: required from caller. + auto font_span = UNSAFE_BUFFERS(pdfium::make_span(font_data, font_data_size)); auto font = std::make_unique<CFX_Font>(); // TODO(thestig): Consider checking the font format. See similar comment in @@ -727,7 +724,9 @@ FPDFTextObj_GetText(FPDF_PAGEOBJECT text_object, return 0; WideString text = pTextPage->GetTextByObject(pTextObj); - return Utf16EncodeMaybeCopyAndReturnLength(text, buffer, length); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + Utf16EncodeMaybeCopyAndReturnLength(text, buffer, length)); } FPDF_EXPORT FPDF_BITMAP FPDF_CALLCONV diff --git a/fpdfsdk/fpdf_ppo.cpp b/fpdfsdk/fpdf_ppo.cpp index 33cb246b2..a4faaa4c7 100644 --- a/fpdfsdk/fpdf_ppo.cpp +++ b/fpdfsdk/fpdf_ppo.cpp @@ -4,11 +4,6 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_ppo.h" #include <algorithm> @@ -741,14 +736,13 @@ FPDF_ImportPagesByIndex(FPDF_DOCUMENT dest_doc, std::iota(page_indices_vec.begin(), page_indices_vec.end(), 0); return exporter.ExportPage(page_indices_vec, index); } - - if (length == 0) + if (length == 0) { return false; - - return exporter.ExportPage( - pdfium::make_span(reinterpret_cast<const uint32_t*>(page_indices), - length), - index); + } + // TODO(crbug.com/pdfium/2155): investigate safety issues. + auto page_span = UNSAFE_BUFFERS(pdfium::make_span( + reinterpret_cast<const uint32_t*>(page_indices), length)); + return exporter.ExportPage(page_span, index); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV FPDF_ImportPages(FPDF_DOCUMENT dest_doc, diff --git a/fpdfsdk/fpdf_signature.cpp b/fpdfsdk/fpdf_signature.cpp index c7c41a725..2bcfa8b93 100644 --- a/fpdfsdk/fpdf_signature.cpp +++ b/fpdfsdk/fpdf_signature.cpp @@ -2,11 +2,6 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdf_signature.h" #include <utility> @@ -121,8 +116,10 @@ FPDFSignatureObj_GetByteRange(FPDF_SIGNATURE signature, const unsigned long byte_range_len = fxcrt::CollectionSize<unsigned long>(*byte_range); if (buffer && length >= byte_range_len) { - for (size_t i = 0; i < byte_range_len; ++i) - buffer[i] = byte_range->GetIntegerAt(i); + for (size_t i = 0; i < byte_range_len; ++i) { + // TODO(crbug.com/pdfium/2155): resolve safety issue. + UNSAFE_BUFFERS(buffer[i] = byte_range->GetIntegerAt(i)); + } } return byte_range_len; } @@ -142,7 +139,10 @@ FPDFSignatureObj_GetSubFilter(FPDF_SIGNATURE signature, return 0; ByteString sub_filter = value_dict->GetNameFor("SubFilter"); - return NulTerminateMaybeCopyAndReturnLength(sub_filter, buffer, length); + + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + NulTerminateMaybeCopyAndReturnLength(sub_filter, buffer, length)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -163,8 +163,9 @@ FPDFSignatureObj_GetReason(FPDF_SIGNATURE signature, if (!obj || !obj->IsString()) return 0; - return Utf16EncodeMaybeCopyAndReturnLength(obj->GetUnicodeText(), buffer, - length); + // SAFETY: required from caller. + return UNSAFE_BUFFERS(Utf16EncodeMaybeCopyAndReturnLength( + obj->GetUnicodeText(), buffer, length)); } FPDF_EXPORT unsigned long FPDF_CALLCONV @@ -185,7 +186,9 @@ FPDFSignatureObj_GetTime(FPDF_SIGNATURE signature, if (!obj || !obj->IsString()) return 0; - return NulTerminateMaybeCopyAndReturnLength(obj->GetString(), buffer, length); + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + NulTerminateMaybeCopyAndReturnLength(obj->GetString(), buffer, length)); } FPDF_EXPORT unsigned int FPDF_CALLCONV diff --git a/fpdfsdk/fpdf_view.cpp b/fpdfsdk/fpdf_view.cpp index 3f9a7f0dd..7955f2dfe 100644 --- a/fpdfsdk/fpdf_view.cpp +++ b/fpdfsdk/fpdf_view.cpp @@ -4,11 +4,6 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com -#if defined(UNSAFE_BUFFERS_BUILD) -// TODO(crbug.com/pdfium/2153): resolve buffer safety issues. -#pragma allow_unsafe_buffers -#endif - #include "public/fpdfview.h" #include <memory> @@ -349,21 +344,22 @@ FPDF_LoadMemDocument(const void* data_buf, int size, FPDF_BYTESTRING password) { if (size < 0) { return nullptr; } - - return LoadDocumentImpl( - pdfium::MakeRetain<CFX_ReadOnlySpanStream>(pdfium::make_span( - static_cast<const uint8_t*>(data_buf), static_cast<size_t>(size))), - password); + // SAFETY: required from caller. + auto data_span = UNSAFE_BUFFERS(pdfium::make_span( + static_cast<const uint8_t*>(data_buf), static_cast<size_t>(size))); + return LoadDocumentImpl(pdfium::MakeRetain<CFX_ReadOnlySpanStream>(data_span), + password); } FPDF_EXPORT FPDF_DOCUMENT FPDF_CALLCONV FPDF_LoadMemDocument64(const void* data_buf, size_t size, FPDF_BYTESTRING password) { - return LoadDocumentImpl( - pdfium::MakeRetain<CFX_ReadOnlySpanStream>( - pdfium::make_span(static_cast<const uint8_t*>(data_buf), size)), - password); + // SAFETY: required from caller. + auto data_span = UNSAFE_BUFFERS( + pdfium::make_span(static_cast<const uint8_t*>(data_buf), size)); + return LoadDocumentImpl(pdfium::MakeRetain<CFX_ReadOnlySpanStream>(data_span), + password); } FPDF_EXPORT FPDF_DOCUMENT FPDF_CALLCONV @@ -1107,10 +1103,12 @@ FPDF_VIEWERREF_GetName(FPDF_DOCUMENT document, CPDF_ViewerPreferences viewRef(pDoc); std::optional<ByteString> bsVal = viewRef.GenericName(key); - if (!bsVal.has_value()) + if (!bsVal.has_value()) { return 0; - - return NulTerminateMaybeCopyAndReturnLength(bsVal.value(), buffer, length); + } + // SAFETY: required from caller. + return UNSAFE_BUFFERS( + NulTerminateMaybeCopyAndReturnLength(bsVal.value(), buffer, length)); } FPDF_EXPORT FPDF_DWORD FPDF_CALLCONV @@ -1312,11 +1310,12 @@ FPDF_GetXFAPacketName(FPDF_DOCUMENT document, std::vector<XFAPacket> xfa_packets = GetXFAPackets(GetXFAEntryFromDocument(doc)); - if (static_cast<size_t>(index) >= xfa_packets.size()) + if (static_cast<size_t>(index) >= xfa_packets.size()) { return 0; - - return NulTerminateMaybeCopyAndReturnLength(xfa_packets[index].name, buffer, - buflen); + } + // TODO(crbug.com/pdfium/2155): resolve safety issues. + return UNSAFE_BUFFERS(NulTerminateMaybeCopyAndReturnLength( + xfa_packets[index].name, buffer, buflen)); } FPDF_EXPORT FPDF_BOOL FPDF_CALLCONV @@ -1356,7 +1355,8 @@ FPDF_GetTrailerEnds(FPDF_DOCUMENT document, const unsigned long trailer_ends_len = fxcrt::CollectionSize<unsigned long>(trailer_ends); if (buffer && length >= trailer_ends_len) { - fxcrt::spancpy(pdfium::make_span(buffer, length), + // SAFETY: required from caller. + fxcrt::spancpy(UNSAFE_BUFFERS(pdfium::make_span(buffer, length)), pdfium::make_span(trailer_ends)); } |