PDFium Security

Welcome to PDFium Security!

Basic Info

Integer Overflow

We want to standardize on handling integer overflows by:
  1. Preferring new[] and new instead of calloc, wherever possible.
  2. In places where the code is not ready to be turned into idiomatic C++, preferring calloc to malloc, and definitely preferring calloc to malloc + memset.
  3. Preferring CheckedNumeric<T> to ad hoc checks.
    • For convenience, use the existing typedefs for clarity, e.g. typedef base::CheckedNumeric<FX_DWORD> FX_SAFE_DWORD;. If you need more typedefs like this, or if you need them more widely visible, don't hesitate to make the change.
Yes, that might look odd. Currently, the codebase mixes C++ and C memory allocation, and ultimately, we'd like to get the code to idiomatic C++11, but we're going to get there incrementally.
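As an added illustration of point 3 (example code written for this page, not code from PDFium or Chromium), here is a bitmap-size computation in the ad hoc form beside the checked form. Checked<T> is a minimal stand-in with the same IsValid()/ValueOrDie() shape as base::CheckedNumeric, which is assumed rather than shown; the width/bpp/height formula and the sample values are constructed.

```cpp
#include <cstdint>

// Minimal stand-in for base::CheckedNumeric<T> (an assumption made for this
// example; it is not Chromium's class). Each step records whether it
// overflowed, and the value can only be read back if no step did.
// Relies on the GCC/Clang overflow builtins.
template <typename T>
class Checked {
 public:
  explicit Checked(T v) : value_(v), valid_(true) {}
  Checked& operator*=(T rhs) { return Mark(__builtin_mul_overflow(value_, rhs, &value_)); }
  Checked& operator+=(T rhs) { return Mark(__builtin_add_overflow(value_, rhs, &value_)); }
  Checked& operator/=(T rhs) {
    if (rhs != 0) value_ /= rhs;
    return Mark(rhs == 0);  // division by zero poisons the value too
  }
  bool IsValid() const { return valid_; }
  T ValueOrDie() const { if (!valid_) __builtin_trap(); return value_; }
 private:
  Checked& Mark(bool overflowed) { valid_ = valid_ && !overflowed; return *this; }
  T value_;
  bool valid_;
};

// The pattern the guideline discourages: plain unsigned arithmetic wraps
// silently, so a hostile width/height pair yields a tiny (even zero) size,
// and whatever is allocated from it is too small for the pixel data.
uint32_t UncheckedImageBytes(uint32_t width, uint32_t bpp, uint32_t height) {
  return (width * bpp + 7) / 8 * height;
}

// The preferred pattern: carry the whole computation through the checked
// type and refuse to report a size if any step overflowed.
bool CheckedImageBytes(uint32_t width, uint32_t bpp, uint32_t height,
                       uint32_t* out) {
  Checked<uint32_t> size(width);
  size *= bpp;
  size += 7;  // round up to whole bytes per row
  size /= 8;
  size *= height;
  if (!size.IsValid()) return false;
  *out = size.ValueOrDie();
  return true;
}
```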

Uninitialized Memory References

We want to standardize on handling uninitialized memory references with:
  1. Default constructors that do the right thing.
  2. Explicit initial values for all POD members in header files.

Git Workflow

  • The top line/subject line of the commit message should always be as explicit as possible. Not just "fix bug", but "Fix UAF in ModulateFooContainer" or "Fix UMR in thing::DoStuff".

Future Desiderata

  • No more non-const references (especially when used as out-parameters).
  • Use std::unique_ptr and pdfium::RetainPtr. No more naked new.