Welcome to PDFium Security!
We want to standardize on handling integer overflows by:
- Preferring new and new[] instead of calloc, wherever possible.
- In places where the code is not ready to be turned into idiomatic C++, preferring calloc to malloc; definitely prefer calloc to malloc + memset.
- Preferring CheckedNumeric<T> to ad hoc checks.
- For convenience and clarity, use the existing typedefs, e.g. typedef base::CheckedNumeric<FX_DWORD> FX_SAFE_DWORD; and if you need more typedefs like this, or need them more widely visible, don't hesitate to make the change.
Yes, that might look odd: the codebase currently mixes C++ and C memory allocation. Ultimately we'd like to get the code to idiomatic C++11, but we're going to get there incrementally.
We want to standardize on handling uninitialized memory references with:
- Default constructors that do the right thing.
- Explicit initial values for all POD members in header files.
More generally:
- The top line/subject line of a commit message should always be as explicit as possible: not just "fix bug", but "Fix UAF in ModulateFooContainer" or "Fix UMR in thing::DoStuff".
- No more non-const references (especially when used as out-parameters).
- Use std::unique_ptr and pdfium::RetainPtr. No more naked new: the result of every new or new[] should be owned by a smart pointer from the statement that creates it.
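An added example (not PDFium's own code) tying the two lists together: a header whose POD members all carry explicit initial values, the image-size computation written first with the ad hoc check the page warns against and then with a CheckedNumeric-style type behind the FX_SAFE_DWORD typedef, and a zero-filled buffer owned by std::unique_ptr from the moment it is allocated. Checked<T> is a minimal stand-in for base::CheckedNumeric<T>, written so the block compiles on its own (unsigned types only); FX_DWORD is assumed to be a 32-bit unsigned integer, and kMaxImageBytes, ImageHeader and the function names are constructed for the example.

```cpp
// Added example, not PDFium code. Checked<T> is a minimal stand-in for
// base::CheckedNumeric<T> (unsigned types only) so the block compiles on its own.
#include <cassert>
#include <cstdint>
#include <limits>
#include <memory>
#include <type_traits>

template <typename T>
class Checked {
  static_assert(std::is_unsigned<T>::value, "stand-in handles unsigned types only");

 public:
  Checked(T v = 0) : value_(v) {}  // implicit on purpose, like CheckedNumeric

  bool IsValid() const { return valid_; }
  T ValueOrDie() const {
    assert(valid_);
    return value_;
  }

  // Each operation propagates invalidity: once a step overflows, the result
  // stays invalid however much more arithmetic is done on it.
  Checked operator*(Checked rhs) const {
    Checked r;
    r.valid_ = valid_ && rhs.valid_ &&
               (value_ == 0 || rhs.value_ <= std::numeric_limits<T>::max() / value_);
    r.value_ = r.valid_ ? static_cast<T>(value_ * rhs.value_) : 0;
    return r;
  }
  Checked operator+(Checked rhs) const {
    Checked r;
    r.valid_ = valid_ && rhs.valid_ &&
               rhs.value_ <= std::numeric_limits<T>::max() - value_;
    r.value_ = r.valid_ ? static_cast<T>(value_ + rhs.value_) : 0;
    return r;
  }

 private:
  T value_ = 0;
  bool valid_ = true;
};

typedef uint32_t FX_DWORD;                // assumption: FX_DWORD is 32-bit unsigned
typedef Checked<FX_DWORD> FX_SAFE_DWORD;  // the typedef pattern the page recommends

constexpr FX_DWORD kMaxImageBytes = 64u * 1024u * 1024u;  // cap chosen for the example

// Every POD member carries an explicit initial value in the class definition,
// so a default-constructed header never holds stack garbage.
struct ImageHeader {
  FX_DWORD width = 0;
  FX_DWORD height = 0;
  FX_DWORD bytes_per_pixel = 0;
  FX_DWORD palette_bytes = 0;
};

// The ad hoc check the page warns against: the arithmetic wraps before the
// comparison runs, so some oversized images pass it.
bool AdHocSizeOk(const ImageHeader& h) {
  FX_DWORD bytes = h.width * h.height * h.bytes_per_pixel + h.palette_bytes;
  return bytes <= kMaxImageBytes;
}

// The preferred form: checked arithmetic throughout, validity tested once.
bool ComputeImageBytes(const ImageHeader& h, FX_DWORD* out) {
  FX_SAFE_DWORD bytes =
      FX_SAFE_DWORD(h.width) * h.height * h.bytes_per_pixel + h.palette_bytes;
  if (!bytes.IsValid() || bytes.ValueOrDie() > kMaxImageBytes)
    return false;
  *out = bytes.ValueOrDie();
  return true;
}

// The buffer is owned by a unique_ptr from the statement that creates it (no
// naked new), and new uint8_t[n]() value-initializes, i.e. zero-fills, which is
// the property calloc was being used for. Returns null if the size is invalid.
std::unique_ptr<uint8_t[]> AllocateImageBuffer(const ImageHeader& h, FX_DWORD* out_size) {
  FX_DWORD bytes = 0;
  if (!ComputeImageBytes(h, &bytes))
    return nullptr;
  *out_size = bytes;
  return std::unique_ptr<uint8_t[]>(new uint8_t[bytes]());
}

int main() {
  ImageHeader huge;
  huge.width = 0x8000;  // 32768 x 32768 x 4 = 2^32, which wraps to 0 in 32 bits
  huge.height = 0x8000;
  huge.bytes_per_pixel = 4;
  FX_DWORD n = 0;
  assert(AdHocSizeOk(huge));             // wrongly accepted
  assert(!ComputeImageBytes(huge, &n));  // correctly rejected
  return 0;
}
```

The 32768 x 32768 x 4 header is the case that matters: each factor is plausible on its own, the product is exactly 2^32, and the unchecked version computes 0 bytes and passes the cap, while the checked version reports the overflow no matter which intermediate step wrapped. The real base::CheckedNumeric additionally handles signed types, mixed-width operands and the remaining operators; the stand-in here only covers what the example needs.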