author | Lei Zhang <thestig@chromium.org> | 2016-01-13 12:19:21 -0800 |
committer | Lei Zhang <thestig@chromium.org> | 2016-01-13 12:19:21 -0800 |
commit | 19dee922f1284294bed29b26a67cce1d2ee3a48f (patch) | |
tree | 06ae5379e0c856228316f4611b745e529d1042b4 | |
parent | 5da3cab4f2d9e97eb84483fc0ec13ead2a48e443 (diff) | |
Merge to XFA: Fix out of bound access in CPDF_Parser::ParseIndirectObject().
This regressed in commit f6dafc9.
BUG=576915
TBR=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1582763002 .
(cherry picked from commit e02f30bb59b01c159b010fc5c6bb55e677aba8ce)
Review URL: https://codereview.chromium.org/1584663003 .
-rw-r--r-- | core/include/fpdfapi/fpdf_parser.h | 1 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 22 |
2 files changed, 20 insertions, 3 deletions
diff --git a/core/include/fpdfapi/fpdf_parser.h b/core/include/fpdfapi/fpdf_parser.h
index 84eacf6bf5..fda4557119 100644
--- a/core/include/fpdfapi/fpdf_parser.h
+++ b/core/include/fpdfapi/fpdf_parser.h
@@ -475,6 +475,7 @@ class CPDF_Parser {
 void SetEncryptDictionary(CPDF_Dictionary* pDict);
 FX_FILESIZE GetObjectPositionOrZero(FX_DWORD objnum) const;
+ void ShrinkObjectMap(FX_DWORD size);
 CPDF_Document* m_pDocument;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 641e1e18ff..73da3619bb 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -143,6 +143,22 @@ FX_FILESIZE CPDF_Parser::GetObjectPositionOrZero(FX_DWORD objnum) const {
 return it != m_ObjectInfo.end() ? it->second.pos : 0;
 }
+void CPDF_Parser::ShrinkObjectMap(FX_DWORD objnum) {
+ if (objnum == 0) {
+ m_ObjectInfo.clear();
+ return;
+ }
+
+ auto it = m_ObjectInfo.lower_bound(objnum);
+ while (it != m_ObjectInfo.end()) {
+ auto saved_it = it++;
+ m_ObjectInfo.erase(saved_it);
+ }
+
+ if (!pdfium::ContainsKey(m_ObjectInfo, objnum - 1))
+ m_ObjectInfo[objnum - 1].pos = 0;
+ }
+
 void CPDF_Parser::CloseParser(FX_BOOL bReParse) {
 m_bVersionUpdated = FALSE;
 if (!bReParse) {
@@ -379,7 +395,7 @@ FX_BOOL CPDF_Parser::LoadAllCrossRefV4(FX_FILESIZE xrefpos) {
 if (xrefsize <= 0 || xrefsize > kMaxXRefSize) {
 return FALSE;
 }
- m_ObjectInfo[0].pos = 0;
+ ShrinkObjectMap(xrefsize);
 m_V5Type.SetSize(xrefsize);
 CFX_FileSizeArray CrossRefList;
 CFX_FileSizeArray XRefStreamList;
@@ -1029,7 +1045,7 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, FX_BOOL bMainXRef) {
 }
 if (bMainXRef) {
 m_pTrailer = ToDictionary(pStream->GetDict()->Clone());
- m_ObjectInfo[0].pos = 0;
+ ShrinkObjectMap(size);
 if (m_V5Type.SetSize(size)) {
 FXSYS_memset(m_V5Type.GetData(), 0, size);
 }
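Review bot: The new ShrinkObjectMap() leaves its postcondition undocumented, and the declaration and definition disagree on the parameter name (`size` in fpdf_parser.h, `objnum` here), which hides that the argument is a count of objects rather than an object number. The erase loop removes one node at a time where a single range erase does the same work if m_ObjectInfo is a std::map (its lower_bound member suggests it is, but the declaration is outside the hunk). The trailing `m_ObjectInfo[objnum - 1].pos = 0` appears to pin the map's largest key to size - 1, presumably because some caller derives the object count from the last key; that reason is not visible here and deserves a comment so the next maintainer does not drop it as dead code. Suggested rewrite with the invariant stated up front is below; CloseParser's opening lines at the end of the hunk are unchanged and CloseParser continues outside the hunk.
```cpp
// Drop every entry whose object number is >= |size| so that no key in
// m_ObjectInfo can index past an m_V5Type of |size| entries, and make sure
// key size - 1 exists so the map's largest key reflects |size|.
void CPDF_Parser::ShrinkObjectMap(FX_DWORD size) {
  if (size == 0) {
    m_ObjectInfo.clear();
    return;
  }
  m_ObjectInfo.erase(m_ObjectInfo.lower_bound(size), m_ObjectInfo.end());
  if (!pdfium::ContainsKey(m_ObjectInfo, size - 1))
    m_ObjectInfo[size - 1].pos = 0;
}
```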
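Review bot: In the LoadCrossRefV5 hunk the map is shrunk to `size` before `m_V5Type.SetSize(size)` is attempted, and the failure branch of that `if` is not visible; if SetSize fails and the function carries on, m_ObjectInfo now holds the key `size - 1` while m_V5Type keeps its old length, which is the same key/length mismatch this commit is fixing. Unlike LoadAllCrossRefV4 earlier in the same diff, no `kMaxXRefSize` bound on `size` is visible in this hunk either, so the value comes straight from the xref stream dictionary unless it is checked earlier in the function. Consider resizing first and shrinking only on success, `if (!m_V5Type.SetSize(size)) return FALSE;` followed by `ShrinkObjectMap(size);` and the existing memset, if an early FALSE is acceptable to callers. LoadCrossRefV5 starts and ends outside the hunk.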
@@ -1607,7 +1623,7 @@ FX_DWORD CPDF_Parser::StartAsynParse(IFX_FileRead* pFileAccess,
 int32_t xrefsize = GetDirectInteger(m_pTrailer, "Size");
 if (xrefsize > 0) {
- m_ObjectInfo[0].pos = 0;
+ ShrinkObjectMap(xrefsize);
 m_V5Type.SetSize(xrefsize);
 }
 }
|
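Review bot: StartAsynParse passes the trailer's /Size to ShrinkObjectMap() and m_V5Type.SetSize() guarded only by `xrefsize > 0`, whereas the LoadAllCrossRefV4 hunk in this same commit also rejects `xrefsize > kMaxXRefSize`. /Size is read from the file, so an oversized value here sizes m_V5Type at the file author's choosing unless it is bounded before this point, which is not visible in the hunk. Suggest `if (xrefsize > 0 && xrefsize <= kMaxXRefSize) {` to match the V4 path. StartAsynParse starts and ends outside the hunk.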