author | Tom Sepez <tsepez@chromium.org> | 2015-04-27 13:24:03 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-04-27 13:24:03 -0700 |
commit | bb93b0ba5b3c430d3b996e2c009d48feb17a44c3 (patch) | |
tree | 6f62b5280dd1755d8b52c775484b20cbe22fd7d5 | |
parent | 99ee3d3527bc00f83f01e1db007d190a6b3458f5 (diff) | |
download | pdfium-bb93b0ba5b3c430d3b996e2c009d48feb17a44c3.tar.xz |
SEGV in CFX_BaseSegmentedArray::Iterate() when CS has malformed dictionary.
Failure to check document-controlled value before using it.
BUG=481363
R=palmer@chromium.org, thestig@chromium.org
Review URL: https://codereview.chromium.org/1110653002
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 3 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp | 5 | ||||
-rw-r--r-- | testing/resources/bug_481363.in | 52 | ||||
-rw-r--r-- | testing/resources/bug_481363.pdf | 62 |
4 files changed, 122 insertions, 0 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
index fc4e282f10..b6bf7950ff 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
@@ -438,6 +438,9 @@ public:
 FX_BOOL CPDF_LabCS::v_Load(CPDF_Document* pDoc, CPDF_Array* pArray)
 {
 CPDF_Dictionary* pDict = pArray->GetDict(1);
+ if (!pDict) {
+ return FALSE;
+ }
 CPDF_Array* pParam = pDict->GetArray(FX_BSTRC("WhitePoint"));
 int i;
 for (i = 0; i < 3; i ++) {
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
index 838c4316de..e00887ff5f 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser_embeddertest.cpp
@@ -13,3 +13,8 @@ TEST_F(FPDFParserEmbeddertest, LoadError_454695) {
 EXPECT_TRUE(OpenDocument("testing/resources/bug_454695.pdf"));
 }
+TEST_F(FPDFParserEmbeddertest, Bug_481363) {
+ // Test colorspace object with malformed dictionary.
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_481363.pdf"));
+ EXPECT_NE(nullptr, LoadPage(0));
+}
diff --git a/testing/resources/bug_481363.in b/testing/resources/bug_481363.in
new file mode 100644
index 0000000000..32a724d363
--- /dev/null
+++ b/testing/resources/bug_481363.in
@@ -0,0 +1,52 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Pages
+ /Kids [2 0 R]
+ /Count 1
+>>
+endobj
+{{object 2 0}} <<
+<<
+ /Type /Page
+ /Parent 1 0 R
+ /MediaBox [0 0 612 792]
+ /Contents [4 0 R]
+ /Resources <<
+ /Font <</F1 5 0 R>>
+ /ColorSpace<</CS1 6 0 R>>
+ >>
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Catalog
+ /Pages 1 0 R
+>>
+endobj
+{{object 4 0}} <<
+ /Length 0
+>> stream
+/CS1 cs 0 -100 -100 sc
+100 500 100 100 re b
+endstream
+endobj
+{{object 5 0)) <<
+ /Type /Font
+ /Subtype /Type1
+ /BaseFont /He
+>>
+endobj
+% Dictionary object malformed: 4< vs <<.
+{{object 6 0}} [
+ /Lab 4<
+ /WhitePoint [0.9505 1.00 1.0890 ]
+ /Range [-100 100 -100 100 ]
+ >>
+]
+endobj
+{{xref}}
+trailer <<
+ /Size 0
+ /Root 3 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_481363.pdf b/testing/resources/bug_481363.pdf
new file mode 100644
index 0000000000..53468a0412
--- /dev/null
+++ b/testing/resources/bug_481363.pdf
@@ -0,0 +1,62 @@
+%PDF-1.7
+% ò¤ô
+1 0 obj <<
+ /Type /Pages
+ /Kids [2 0 R]
+ /Count 1
+>>
+endobj
+2 0 obj <<
+<<
+ /Type /Page
+ /Parent 1 0 R
+ /MediaBox [0 0 612 792]
+ /Contents [4 0 R]
+ /Resources <<
+ /Font <</F1 5 0 R>>
+ /ColorSpace<</CS1 6 0 R>>
+ >>
+>>
+endobj
+3 0 obj <<
+ /Type /Catalog
+ /Pages 1 0 R
+>>
+endobj
+4 0 obj <<
+ /Length 0
+>> stream
+/CS1 cs 0 -100 -100 sc
+100 500 100 100 re b
+endstream
+endobj
+{{object 5 0)) <<
+ /Type /Font
+ /Subtype /Type1
+ /BaseFont /He
+>>
+endobj
+% Dictionary object malformed: 4< vs <<.
+6 0 obj [
+ /Lab 4<
+ /WhitePoint [0.9505 1.00 1.0890 ]
+ /Range [-100 100 -100 100 ]
+ >>
+]
+endobj
+xref
+0 7
+0000000000 65535 f
+0000000015 00000 n
+0000000078 00000 n
+0000000253 00000 n
+0000000306 00000 n
+0000000000 65535 f
+0000000517 00000 n
+trailer <<
+ /Size 0
+ /Root 3 0 R
+>>
+startxref
+621
+%%EOF |
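Review bot: The new null check stops at `pDict`; the very next line's `pParam = pDict->GetArray(FX_BSTRC("WhitePoint"))` is just as document-controlled and yields null when the dictionary has no /WhitePoint entry, and the loop that consumes it lies outside the hunk, so confirm that the loop body guards `pParam` (or substitutes defaults) instead of dereferencing it, and likewise for any later /Range lookup. Other colorspace loaders in this file that pull their parameter dictionary out of the array the same way presumably need the same guard; it is worth a grep before closing the bug. A one-line comment would record why the early return exists: `// The parameter dictionary comes from the document and may be absent or malformed.` v_Load's body continues past the end of the hunk.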
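Review bot: The test comment should say which outcome it pins, because the fix makes v_Load return FALSE for this document and the two assertions only show that the document and page still load: `// The /CS1 colorspace array holds a malformed parameter dictionary; loading it must fail gracefully and the page must still load (bug 481363 was a crash here).` On naming, the sibling test `LoadError_454695` leads with the scenario while `Bug_481363` carries only the number; a name such as `MalformedColorSpaceDict_481363` would follow the file's pattern. If the harness does not release pages on its own, the handle returned by `LoadPage(0)` should be kept in a local and released at the end of the test rather than discarded inside `EXPECT_NE`.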
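Review bot: The font object line reads `{{object 5 0))` with `))` in place of `}}`, so the template macro is not expanded: the generated bug_481363.pdf carries the literal text and its xref marks object 5 as free (`0000000000 65535 f`), leaving /F1 undefined. The fixture still reproduces the colorspace problem, but it now carries a second, unintended malformation that the comment `% Dictionary object malformed: 4< vs <<.` does not account for; change the line to `{{object 5 0}} <<` and regenerate the .pdf so the test isolates the one case it is named for. The same line appears in the bug_481363.pdf hunk.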