author | Lei Zhang <thestig@chromium.org> | 2018-07-18 05:07:28 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-18 05:07:28 +0000 |
commit | 30688fb1c434b141380aa224da12e8246a8a78e1 (patch) | |
tree | cb563a2c26204c74b003bc8e126faa5d6323f7c6 | |
parent | beb56d69a7a57317d521bab927a651fb260f5404 (diff) | |
Do not add invalid objects to the cross reference table.chromium/3496
BUG=chromium:851994
Change-Id: I2e14401271c70afa204221e0f3d469f0b82ce8cf
Reviewed-on: https://pdfium-review.googlesource.com/37871
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
-rw-r--r-- | core/fpdfapi/parser/cpdf_cross_ref_table.cpp | 17 | ||||
-rw-r--r-- | core/fpdfapi/parser/cpdf_parser.cpp | 3 |
2 files changed, 19 insertions, 1 deletions
diff --git a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp index 4be91745d8..77c0e8136c 100644 --- a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp +++ b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp @@ -7,6 +7,7 @@ #include <utility> #include "core/fpdfapi/parser/cpdf_dictionary.h" +#include "core/fpdfapi/parser/cpdf_parser.h" // static std::unique_ptr<CPDF_CrossRefTable> CPDF_CrossRefTable::MergeUp( @@ -31,6 +32,12 @@ CPDF_CrossRefTable::~CPDF_CrossRefTable() = default; void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num, uint32_t archive_obj_num) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber || + archive_obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; if (info.gennum > 0) return; @@ -48,6 +55,11 @@ void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num, void CPDF_CrossRefTable::AddNormal(uint32_t obj_num, uint16_t gen_num, FX_FILESIZE pos) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; if (info.gennum > gen_num) return; @@ -63,6 +75,11 @@ void CPDF_CrossRefTable::AddNormal(uint32_t obj_num, } void CPDF_CrossRefTable::SetFree(uint32_t obj_num) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; info.type = ObjectType::kFree; info.gennum = 0xFFFF; diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp index 54e05245a9..ecc0546de0 100644 --- a/core/fpdfapi/parser/cpdf_parser.cpp +++ b/core/fpdfapi/parser/cpdf_parser.cpp @@ -777,7 +777,8 @@ bool CPDF_Parser::RebuildCrossRef() { } } } - cross_ref_table->AddNormal(objnum, gennum, obj_pos); + if (objnum < kMaxObjectNumber) + cross_ref_table->AddNormal(objnum, gennum, obj_pos); } state = ParserState::kDefault; break; |
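Review bot: The guard added at the top of AddCompressed treats an out-of-range object number as a programming error (`NOTREACHED()`), yet object numbers originate in the parsed file, so a caller that forwards an unvalidated number would trip the assertion in builds where it is active and silently lose the entry where it is compiled out. The same guard is repeated in AddNormal and SetFree, and only the RebuildCrossRef call site is range-checked in this commit; the other callers are not visible here and should be confirmed to check first. I would state the contract beside each guard, e.g. `// Callers must reject obj_num >= CPDF_Parser::kMaxObjectNumber; file-supplied numbers are untrusted.`, and fold the three copies into one private helper. The bodies of all three functions continue outside their hunks.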
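Review bot: The new `if (objnum < kMaxObjectNumber)` check in RebuildCrossRef drops an out-of-range object without any trace, and the diffstat shows no test file, so nothing pins the behaviour for the case named in the BUG= line. A regression test that rebuilds the cross-reference from input carrying object numbers just below and at kMaxObjectNumber would cover the boundary. A one-line comment above the check, such as `// Object numbers come from the file; skip ones the table would reject.`, would make clear the skip is intentional. The enclosing loop and the function itself start outside the hunk.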