authorTom Sepez <tsepez@chromium.org>2015-01-23 15:33:44 -0800
committerTom Sepez <tsepez@chromium.org>2015-01-23 15:33:44 -0800
commit2255a1bb3719b8492c795c8828d861bae037f6b9 (patch)
tree64e7db2ae5219f121d027b7a314ad514f85826ea
parent1b1bb499613adc8b051ed602b04bea8758e582e6 (diff)
Merge to XFA: Fix null crash in CheckTrailer.
This includes: fa370ac Fix test naming in previous commit. e0bbe4a Fix null crash in CheckTrailer. TBR=bo_xu@foxitsoftware.com Review URL: https://codereview.chromium.org/870173002
-rw-r--r--BUILD.gn1
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp6
-rw-r--r--fpdfsdk/src/fpdf_dataavail_embeddertest.cpp23
-rw-r--r--pdfium.gyp1
-rw-r--r--testing/embedder_test.h2
-rw-r--r--testing/resources/trailer_as_hexstring.in29
-rw-r--r--testing/resources/trailer_as_hexstring.pdf35
-rw-r--r--testing/resources/trailer_unterminated.in31
-rw-r--r--testing/resources/trailer_unterminated.pdf38
9 files changed, 162 insertions, 4 deletions
diff --git a/BUILD.gn b/BUILD.gn
index 87f360d2b5..9c1120f50e 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -1563,6 +1563,7 @@ test("pdfium_unittests") {
test("pdfium_embeddertests") {
sources = [
+ "fpdfsdk/src/fpdf_dataavail_embeddertest.cpp",
"fpdfsdk/src/fpdfdoc_embeddertest.cpp",
"fpdfsdk/src/fpdfview_embeddertest.cpp",
"testing/embedder_test.cpp",
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 7af595de38..b759cc8a70 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -4030,14 +4030,14 @@ FX_BOOL CPDF_DataAvail::CheckTrailer(IFX_DownloadHints* pHints)
CFX_SmartPointer<IFX_FileStream> file(FX_CreateMemoryStream(pBuf, (size_t)iSize, FALSE));
m_syntaxParser.InitParser((IFX_FileStream*)file, 0);
CPDF_Object *pTrailer = m_syntaxParser.GetObject(NULL, 0, 0, 0);
- if (pTrailer->GetType() != PDFOBJ_DICTIONARY) {
- return FALSE;
- }
if (!pTrailer) {
m_Pos += m_syntaxParser.SavePos();
pHints->AddSegment(m_Pos, iTrailerSize);
return FALSE;
}
+ if (pTrailer->GetType() != PDFOBJ_DICTIONARY) {
+ return FALSE;
+ }
CPDF_Dictionary *pTrailerDict = pTrailer->GetDict();
if (pTrailerDict) {
CPDF_Object *pEncrypt = pTrailerDict->GetElement("Encrypt");
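Review bot: The relocated check `if (pTrailer->GetType() != PDFOBJ_DICTIONARY)` returns without releasing `pTrailer`, so a trailer that parses to a non-dictionary object (the hex-string case in the new test) appears to leak one object per call, assuming the object returned by `m_syntaxParser.GetObject()` is owned by the caller here. If that holds, the branch should read `if (pTrailer->GetType() != PDFOBJ_DICTIONARY) { pTrailer->Release(); return FALSE; }`. The trailer bytes come straight from the document, so this path is reachable with untrusted input and is worth running under a leak checker with the new embedder tests. The rest of CheckTrailer lies outside the hunk, so whether its later exits release the object cannot be confirmed from here.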
diff --git a/fpdfsdk/src/fpdf_dataavail_embeddertest.cpp b/fpdfsdk/src/fpdf_dataavail_embeddertest.cpp
new file mode 100644
index 0000000000..6081fa52ac
--- /dev/null
+++ b/fpdfsdk/src/fpdf_dataavail_embeddertest.cpp
@@ -0,0 +1,23 @@
+// Copyright 2015 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "../../testing/embedder_test.h"
+#include "../../fpdfsdk/include/fpdfview.h"
+#include "../../fpdfsdk/include/fpdfdoc.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+class FPDFDataAvailEmbeddertest : public EmbedderTest {
+};
+
+TEST_F(FPDFDataAvailEmbeddertest, TrailerUnterminated) {
+ // Document must open without crashing but is too malformed to be available.
+ EXPECT_TRUE(OpenDocument("testing/resources/trailer_unterminated.pdf"));
+ EXPECT_FALSE(FPDFAvail_IsDocAvail(avail_, &hints_));
+}
+
+TEST_F(FPDFDataAvailEmbeddertest, TrailerAsHexstring) {
+ // Document must open without crashing but is too malformed to be available.
+ EXPECT_TRUE(OpenDocument("testing/resources/trailer_as_hexstring.pdf"));
+ EXPECT_FALSE(FPDFAvail_IsDocAvail(avail_, &hints_));
+}
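Review bot: Both tests use `EXPECT_TRUE(OpenDocument(...))` and then pass `avail_` and `&hints_` to `FPDFAvail_IsDocAvail`, so a failed open would still run the second call on whatever state the fixture was left in. `ASSERT_TRUE(OpenDocument("testing/resources/trailer_unterminated.pdf"));` (and the same for the hex-string case) stops the test at the first failure and keeps the report pointing at the real cause. The comment `// Document must open without crashing but is too malformed to be available.` is identical in both tests; naming the specific malformation in each (unterminated dictionary, hex string in place of a dictionary) would make a regression easier to read.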
diff --git a/pdfium.gyp b/pdfium.gyp
index a3f72156ff..8dba6afc0e 100644
--- a/pdfium.gyp
+++ b/pdfium.gyp
@@ -920,6 +920,7 @@
'<(DEPTH)'
],
'sources': [
+ 'fpdfsdk/src/fpdf_dataavail_embeddertest.cpp',
'fpdfsdk/src/fpdfdoc_embeddertest.cpp',
'fpdfsdk/src/fpdfview_embeddertest.cpp',
'testing/embedder_test.cpp',
diff --git a/testing/embedder_test.h b/testing/embedder_test.h
index 48ea415e19..3eb3be606f 100644
--- a/testing/embedder_test.h
+++ b/testing/embedder_test.h
@@ -65,7 +65,7 @@ class EmbedderTest : public ::testing::Test {
// is prohibited after this call is made.
virtual void UnloadPage(FPDF_PAGE page, FPDF_FORMHANDLE form);
- private:
+ protected:
FPDF_DOCUMENT document_;
FPDF_AVAIL avail_;
FX_DOWNLOADHINTS hints_;
diff --git a/testing/resources/trailer_as_hexstring.in b/testing/resources/trailer_as_hexstring.in
new file mode 100644
index 0000000000..ec2368fab4
--- /dev/null
+++ b/testing/resources/trailer_as_hexstring.in
@@ -0,0 +1,29 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /Names <<
+ /Dests 10 0 R
+ >>
+ /Dests 14 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+{{xref}}
+% trailer erroneously contains a hex string, not a dictionary.
+trailer <0000deadbabe0000>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/trailer_as_hexstring.pdf b/testing/resources/trailer_as_hexstring.pdf
new file mode 100644
index 0000000000..5b75a53afa
--- /dev/null
+++ b/testing/resources/trailer_as_hexstring.pdf
@@ -0,0 +1,35 @@
+%PDF-1.7
+% ò¤ô
+1 0 obj <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /Names <<
+ /Dests 10 0 R
+ >>
+ /Dests 14 0 R
+>>
+endobj
+2 0 obj <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+3 0 obj <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+xref
+0 4
+0000000000 65536 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
+trailer <0000deadbabe0000>
+startxref
+267
+%%EOF
diff --git a/testing/resources/trailer_unterminated.in b/testing/resources/trailer_unterminated.in
new file mode 100644
index 0000000000..c0c74b749c
--- /dev/null
+++ b/testing/resources/trailer_unterminated.in
@@ -0,0 +1,31 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /Names <<
+ /Dests 10 0 R
+ >>
+ /Dests 14 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+{{xref}}
+% closing angle-brackets not present for trailer dictionary.
+trailer <<
+ /Size 6
+ /Root 1 0 R
+{{startxref}}
+%%EOF
diff --git a/testing/resources/trailer_unterminated.pdf b/testing/resources/trailer_unterminated.pdf
new file mode 100644
index 0000000000..b01ec4b67d
--- /dev/null
+++ b/testing/resources/trailer_unterminated.pdf
@@ -0,0 +1,38 @@
+%PDF-1.7
+% ò¤ô
+1 0 obj <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /Names <<
+ /Dests 10 0 R
+ >>
+ /Dests 14 0 R
+>>
+endobj
+2 0 obj <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+3 0 obj <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+xref
+0 4
+0000000000 65536 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
+% closing angle-brackets not present for trailer dictionary.
+trailer <<
+ /Size 6
+ /Root 1 0 R
+startxref
+267
+%%EOF