danilevsky / pdfium

Automatically exported from code.google.com/p/pdfium

XFA: CFX_FontMgrImp::m_Hash2FileAccess vulnerable to hash collisions #141

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It appears that in both CFX_FontMgrImp::LoadFont()s, either a name
    bsHash += CFX_WideString(pszFileName).UTF8Encode();
or a pointer
    FX_LPVOID Hash[1] = {(FX_LPVOID)(FX_UINTPTR)pFontStream};
    FX_DWORD dwHash = FX_HashCode_String_GetA((FX_LPCSTR)Hash, 1 * sizeof (FX_LPVOID));

is reduced to a key, and then used to index into a map without further validation upon return that the item corresponded to the original key. Furthermore it appears to be storing only one item per key, so that a collision loses items, etc.

Undoubtedly the right thing to do is to replace the table with an appropriate STL container thus avoiding botches in custom-written containers.

Original issue reported on code.google.com by tsepez@chromium.org on 21 Apr 2015 at 4:43
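As an added illustration of the pattern the report describes, and not pdfium's own code: a cache keyed on the hash value alone, beside the name-keyed STL container the report recommends. The weak hash, `FontEntry`, and both cache classes are constructed for this example.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Constructed, deliberately weak hash so a collision is easy to show:
// "ab" and "ba" (same bytes, different order) hash to the same value.
uint32_t weakHash(const std::string& s) {
    uint32_t h = 0;
    for (unsigned char c : s) h += c;
    return h;
}
struct FontEntry {  // hypothetical stand-in for a loaded font
    std::string name;
    int fontId;
};

// Pattern described in the issue: the map is keyed by the hash alone, one
// entry per key, and a hit is returned without checking the stored name.
class HashKeyedCache {
    std::map<uint32_t, FontEntry> m_byHash;
public:
    void add(const FontEntry& e) { m_byHash[weakHash(e.name)] = e; }  // collision overwrites
    int find(const std::string& name) const {               // fontId, or -1 if absent
        auto it = m_byHash.find(weakHash(name));
        return it == m_byHash.end() ? -1 : it->second.fontId;  // may be a different font
    }
};

// Fix suggested in the issue: key the STL container on the full name, so
// string equality decides a hit and colliding names never share a slot.
class NameKeyedCache {
    std::map<std::string, FontEntry> m_byName;
public:
    void add(const FontEntry& e) { m_byName[e.name] = e; }
    int find(const std::string& name) const {
        auto it = m_byName.find(name);
        return it == m_byName.end() ? -1 : it->second.fontId;
    }
};

// Insert "ab" (id 1) then "ba" (id 2), and ask each cache for "ab".
// Hash-keyed: returns 2 (wrong font; id 1 was lost). Name-keyed: returns 1.
template <class Cache> int lookupAbAfterBa() {
    Cache c;
    c.add({"ab", 1});
    c.add({"ba", 2});
    return c.find("ab");
}
int hashKeyedResult() { return lookupAbAfterBa<HashKeyedCache>(); }
int nameKeyedResult() { return lookupAbAfterBa<NameKeyedCache>(); }
```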

GoogleCodeExporter commented 9 years ago

Original comment by tsepez@chromium.org on 21 Apr 2015 at 6:40