Do not parse references with invalid objnum

We should not have valid objects where the object number is
CPDF_Object::kInvalidObjNum.

BUG=pdfium:609

Review-Url: https://codereview.chromium.org/2610393004

4 files changed, 21 insertions, 6 deletions

diff --git a/core/fpdfapi/parser/cpdf_reference.cpp b/core/fpdfapi/parser/cpdf_reference.cpp
index 8f44aa0200..67b67c24dd 100644
--- a/core/fpdfapi/parser/cpdf_reference.cpp
+++ b/core/fpdfapi/parser/cpdf_reference.cpp
@@ -10,7 +10,7 @@
 #include "third_party/base/ptr_util.h"
 #include "third_party/base/stl_util.h"
 
-CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum)
+CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum)
     : m_pObjList(pDoc), m_RefObjNum(objnum) {}
 
 CPDF_Reference::~CPDF_Reference() {}
diff --git a/core/fpdfapi/parser/cpdf_reference.h b/core/fpdfapi/parser/cpdf_reference.h
index 5597142b95..be7f18478e 100644
--- a/core/fpdfapi/parser/cpdf_reference.h
+++ b/core/fpdfapi/parser/cpdf_reference.h
@@ -16,7 +16,7 @@ class CPDF_IndirectObjectHolder;
 
 class CPDF_Reference : public CPDF_Object {
  public:
-  CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum);
+  CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum);
   ~CPDF_Reference() override;
 
   // CPDF_Object:
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 48d77c2cbd..1b81b98c96 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -386,8 +386,10 @@ std::unique_ptr<CPDF_Object> CPDF_SyntaxParser::GetObject(
     if (bIsNumber) {
       CFX_ByteString nextword2 = GetNextWord(nullptr);
       if (nextword2 == "R") {
-        return pdfium::MakeUnique<CPDF_Reference>(pObjList,
-                                                  FXSYS_atoui(word.c_str()));
+        uint32_t objnum = FXSYS_atoui(word.c_str());
+        if (objnum == CPDF_Object::kInvalidObjNum)
+          return nullptr;
+        return pdfium::MakeUnique<CPDF_Reference>(pObjList, objnum);
       }
     }
     m_Pos = SavedPos;
@@ -505,8 +507,10 @@ std::unique_ptr<CPDF_Object> CPDF_SyntaxParser::GetObjectForStrict(
     if (bIsNumber) {
       CFX_ByteString nextword2 = GetNextWord(nullptr);
       if (nextword2 == "R") {
-        return pdfium::MakeUnique<CPDF_Reference>(pObjList,
-                                                  FXSYS_atoui(word.c_str()));
+        uint32_t objnum = FXSYS_atoui(word.c_str());
+        if (objnum == CPDF_Object::kInvalidObjNum)
+          return nullptr;
+        return pdfium::MakeUnique<CPDF_Reference>(pObjList, objnum);
       }
     }
     m_Pos = SavedPos;
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
index faaa83dd19..64c33ba9cd 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
@@ -5,6 +5,7 @@
 #include <limits>
 #include <string>
 
+#include "core/fpdfapi/parser/cpdf_object.h"
 #include "core/fpdfapi/parser/cpdf_parser.h"
 #include "core/fpdfapi/parser/cpdf_syntax_parser.h"
 #include "core/fxcrt/fx_ext.h"
@@ -143,3 +144,13 @@ TEST(cpdf_syntax_parser, ReadHexString) {
     EXPECT_EQ(1, parser.SavePos());
   }
 }
+
+TEST(cpdf_syntax_parser, GetInvalidReference) {
+  CPDF_SyntaxParser parser;
+  // Data with a reference with number CPDF_Object::kInvalidObjNum
+  uint8_t data[] = "4294967295 0 R";
+  parser.InitParser(IFX_MemoryStream::Create(data, 14, false), 0);
+  std::unique_ptr<CPDF_Object> ref =
+      parser.GetObject(nullptr, CPDF_Object::kInvalidObjNum, 0, false);
+  EXPECT_FALSE(ref);
+}