author | Tom Sepez <tsepez@chromium.org> | 2015-02-05 10:41:08 -0800 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-02-05 10:41:08 -0800 |
commit | 219b3dab7e184bf8742f61527e37053b04903ff0 (patch) | |
tree | 8ce24202dc2fd5a61774c947e5eecf007bea6bf9 | |
parent | dabc5d57bf473708295800a7991bc1fafdf76288 (diff) | |
download | pdfium-219b3dab7e184bf8742f61527e37053b04903ff0.tar.xz |
Fix segv in CPDF_DataAvail::CheckRoot() when /Root object is a string.
Handles the case of this malformed PDF without crashing. Note that to
get a reproducible test case, a small fix is applied to our .py script
which results in some whitespace/numbering diffs across the resources
(down the road, we ought to generate them on the fly in an intermediate
directory).
BUG=454695
R=jun_fang@foxitsoftware.com, thestig@chromium.org
Review URL: https://codereview.chromium.org/895933003
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 7 | ||||
-rw-r--r-- | fpdfsdk/src/fpdfview_embeddertest.cpp | 4 | ||||
-rw-r--r-- | testing/resources/bug_451265.pdf | 30 | ||||
-rw-r--r-- | testing/resources/bug_452455.pdf | 36 | ||||
-rw-r--r-- | testing/resources/bug_454695.in | 12 | ||||
-rw-r--r-- | testing/resources/bug_454695.pdf | 17 | ||||
-rw-r--r-- | testing/resources/bug_57.pdf | 12 | ||||
-rw-r--r-- | testing/resources/hello_world.pdf | 14 | ||||
-rw-r--r-- | testing/resources/named_dests.pdf | 46 | ||||
-rw-r--r-- | testing/resources/trailer_as_hexstring.pdf | 9 | ||||
-rw-r--r-- | testing/resources/trailer_unterminated.pdf | 8 | ||||
-rw-r--r-- | testing/resources/weblinks.pdf | 14 | ||||
-rwxr-xr-x | testing/tools/fixup_pdf_template.py | 6 |
13 files changed, 128 insertions, 87 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 16274088c0..4ed4c70e27 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -3390,7 +3390,12 @@ FX_BOOL CPDF_DataAvail::CheckRoot(IFX_DownloadHints* pHints)
 }
 return FALSE;
 }
- CPDF_Reference* pRef = (CPDF_Reference*)m_pRoot->GetDict()->GetElement(FX_BSTRC("Pages"));
+ CPDF_Dictionary* pDict = m_pRoot->GetDict();
+ if (!pDict) {
+ m_docStatus = PDF_DATAAVAIL_ERROR;
+ return FALSE;
+ }
+ CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages"));
 if (pRef == NULL || pRef->GetType() != PDFOBJ_REFERENCE) {
 m_docStatus = PDF_DATAAVAIL_ERROR;
 return FALSE;
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index 04549741ec..47119b5c52 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -190,3 +190,7 @@ TEST_F(FPDFViewEmbeddertest, Crasher_452455) {
 FPDF_PAGE page = LoadPage(0);
 EXPECT_NE(nullptr, page);
 }
+
+TEST_F(FPDFViewEmbeddertest, Crasher3) {
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_454695.pdf"));
+}
diff --git a/testing/resources/bug_451265.pdf b/testing/resources/bug_451265.pdf
index 299363dac7..2a154771aa 100644
--- a/testing/resources/bug_451265.pdf
+++ b/testing/resources/bug_451265.pdf
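Review bot: The C-style cast to `CPDF_Reference*` on the new `pDict->GetElement(FX_BSTRC("Pages"))` line in CheckRoot() still happens before the `GetType() != PDFOBJ_REFERENCE` check that follows it, so for a malformed file `pRef` briefly names an object of some other type. The added null-dictionary guard fixes the crash for a non-dictionary /Root, but holding the element as a base pointer until its type is confirmed, e.g. `CPDF_Object* pPages = pDict->GetElement(FX_BSTRC("Pages"));` with the cast made only after the existing type check, would make this class of mistake harder to reintroduce. A short comment on the guard such as `// /Root may resolve to a non-dictionary object in a malformed file.` would record why GetDict() can return null here. CheckRoot() starts and ends outside this hunk, so whether m_pRoot itself is null-checked earlier cannot be confirmed from the visible lines.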
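Review bot: The new test name `Crasher3` departs from the bug-number convention of the neighbouring `Crasher_452455`; `TEST_F(FPDFViewEmbeddertest, Crasher_454695) {` would tie the regression test to BUG=454695 and to its resource file. The body asserts only that OpenDocument() returns true, so a one-line comment such as `// /Root is a hex string, not a dictionary; opening must not crash.` would state what the test guards against.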
@@ -74,21 +74,21 @@ endstream
 endobj
 xref
 0 15
-0000000000 65536 f
-0000000015 00000 n
-0000000078 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000348 00000 n
-0000000405 00000 n
-0000000531 00000 n
-0000000712 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000078 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000348 00000 n
+0000000405 00000 n
+0000000531 00000 n
+0000000712 00000 n
 trailer <<
 /Root 2 0 R
 /Size 110
diff --git a/testing/resources/bug_452455.pdf b/testing/resources/bug_452455.pdf
index 35d067cb29..95ab801884 100644
--- a/testing/resources/bug_452455.pdf
+++ b/testing/resources/bug_452455.pdf
@@ -57,24 +57,24 @@ endobj
 endobj
 xref
 0 18
-0000000000 65536 f
-0000000015 00000 n
-0000000068 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000280 00000 n
-0000000340 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000555 00000 n
-0000000389 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000068 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000280 00000 n
+0000000340 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000555 00000 n
+0000000389 00000 n
 trailer <<
 /Root 1 0 R
 >>
diff --git a/testing/resources/bug_454695.in b/testing/resources/bug_454695.in
new file mode 100644
index 0000000000..36ae84cb0d
--- /dev/null
+++ b/testing/resources/bug_454695.in
@@ -0,0 +1,12 @@
+{{header}}
+% Hex string, not a dict as expected.
+{{object 1 0}}
+<feedbeef2dad>
+endobj
+{{xref}}
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_454695.pdf b/testing/resources/bug_454695.pdf
new file mode 100644
index 0000000000..382194f9e8
--- /dev/null
+++ b/testing/resources/bug_454695.pdf
@@ -0,0 +1,17 @@
+%PDF-1.7
+% ò¤ô
+% Hex string, not a dict as expected
+1 0 obj
+<feedbeef2dad>
+endobj
+xref
+0 2
+0000000000 65535 f
+0000000052 00000 n
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+startxref
+82
+%%EOF
diff --git a/testing/resources/bug_57.pdf b/testing/resources/bug_57.pdf
index d954c43f54..0c3f7dfdab 100644
--- a/testing/resources/bug_57.pdf
+++ b/testing/resources/bug_57.pdf
@@ -42,12 +42,12 @@ endstream
 endobj
 xref
 0 6
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000280 00000 n
-0000000409 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000280 00000 n
+0000000409 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/hello_world.pdf b/testing/resources/hello_world.pdf
index 84e77057cb..bb4f0a88e7 100644
--- a/testing/resources/hello_world.pdf
+++ b/testing/resources/hello_world.pdf
@@ -50,13 +50,13 @@ endstream
 endobj
 xref
 0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000296 00000 n
-0000000374 00000 n
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000296 00000 n
+0000000374 00000 n
+0000000450 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/named_dests.pdf b/testing/resources/named_dests.pdf
index e302c196d6..2e0e5ce71d 100644
--- a/testing/resources/named_dests.pdf
+++ b/testing/resources/named_dests.pdf
@@ -103,29 +103,29 @@ endstream
 endobj
 xref
 0 23
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000217 00000 n
-0000000378 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000548 00000 n
-0000000638 00000 n
-0000000766 00000 n
-0000000000 65536 f
-0000001060 00000 n
-0000001188 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000001283 00000 n
-0000001393 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000217 00000 n
+0000000378 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000548 00000 n
+0000000638 00000 n
+0000000766 00000 n
+0000000000 65535 f
+0000001060 00000 n
+0000001188 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000001283 00000 n
+0000001393 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/trailer_as_hexstring.pdf b/testing/resources/trailer_as_hexstring.pdf
index 5b75a53afa..bd94c4779d 100644
--- a/testing/resources/trailer_as_hexstring.pdf
+++ b/testing/resources/trailer_as_hexstring.pdf
@@ -25,10 +25,11 @@ endobj
 endobj
 xref
 0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
+% trailer erroneously contains a hex string, not a dictionary.
 trailer <0000deadbabe0000>
 startxref
 267
diff --git a/testing/resources/trailer_unterminated.pdf b/testing/resources/trailer_unterminated.pdf
index b01ec4b67d..be59202db4 100644
--- a/testing/resources/trailer_unterminated.pdf
+++ b/testing/resources/trailer_unterminated.pdf
@@ -25,10 +25,10 @@ endobj
 endobj
 xref
 0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
 % closing angle-brackets not present for trailer dictionary.
 trailer <<
 /Size 6
diff --git a/testing/resources/weblinks.pdf b/testing/resources/weblinks.pdf
index 3921a37c79..0d201a45aa 100644
--- a/testing/resources/weblinks.pdf
+++ b/testing/resources/weblinks.pdf
@@ -60,13 +60,13 @@ endstream
 endobj
 xref
 0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000374 00000 n
-0000000000 65536 f
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000374 00000 n
+0000000000 65535 f
+0000000450 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/tools/fixup_pdf_template.py b/testing/tools/fixup_pdf_template.py
index 873caeedde..87996a42cd 100755
--- a/testing/tools/fixup_pdf_template.py
+++ b/testing/tools/fixup_pdf_template.py
@@ -24,8 +24,10 @@ class TemplateProcessor:
 XREF_TOKEN = '{{xref}}'
 XREF_REPLACEMENT = 'xref\n%d %d\n'
- XREF_REPLACEMENT_N = '%010d %05d n\n'
- XREF_REPLACEMENT_F = '0000000000 65536 f\n'
+
+ # XREF rows must be exactly 20 bytes - space required.
+ XREF_REPLACEMENT_N = '%010d %05d n \n'
+ XREF_REPLACEMENT_F = '0000000000 65535 f \n'
 STARTXREF_TOKEN= '{{startxref}}'
 STARTXREF_REPLACEMENT = 'startxref\n%d' |
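Review bot: The comment added above `XREF_REPLACEMENT_N` explains the trailing space but not the second change on these lines, the free-entry generation number in `XREF_REPLACEMENT_F` going from 65536 to 65535. A further comment line such as `# 65535 is the largest valid generation number; it marks the head of the free list.` would keep the corrected value from being "fixed" back later. Note also that `%010d` and `%05d` pad but never truncate, so the 20-byte row guarantee presumably holds only while offsets stay within ten digits and generations within five. The TemplateProcessor class body continues outside this hunk.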