Fix the potential integer overflow from "offset + size".

BUG=382667 R=jschuh@chromium.org, jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/390983007
author: Chris Palmer <palmer@google.com> 2014-07-18 15:18:43 -0700
committer: Chris Palmer <palmer@google.com> 2014-07-18 15:18:43 -0700
commit: 98a44a176d137083434587fb5ebc53c6d963ff7f (patch)
tree: bb276e4674360135ba9eda2c6299b00f6dfb5bc8
parent: 5ffacd677a141ed2756009b0f4a07ee4cf284a1b (diff)
download: pdfium-98a44a176d137083434587fb5ebc53c6d963ff7f.tar.xz
1 files changed, 19 insertions, 5 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index f82bf3a861..14597d989c 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2864,13 +2864,27 @@ FX_BOOL CPDF_DataAvail::IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePa
                     CPDF_Reference *pRef = (CPDF_Reference*)pObj;
                     FX_DWORD dwNum = pRef->GetRefObjNum();
                     FX_FILESIZE offset;
-                    FX_DWORD size = GetObjectSize(pRef->GetRefObjNum(), offset);
-                    if (!size) {
+                    FX_DWORD original_size = GetObjectSize(dwNum, offset);
+                    base::CheckedNumeric<FX_DWORD> size = original_size;
+                    if (size.ValueOrDefault(0) == 0 || offset < 0 || offset >= m_dwFileLen) {
                         break;
                     }
-                    size = (FX_DWORD)((FX_FILESIZE)(offset + size + 512) > m_dwFileLen ? m_dwFileLen - offset : size + 512);
-                    if (!m_pFileAvail->IsDataAvail(offset, size)) {
-                        pHints->AddSegment(offset, size);
+
+                    size += offset;
+                    size += 512;
+                    if (!size.IsValid()) {
+                        break;
+                    }
+                    if (size.ValueOrDie() > m_dwFileLen) {
+                        size = m_dwFileLen - offset;
+                    } else {
+                        size = original_size + 512;
+                    }
+                    if (!size.IsValid()) {
+                        break;
+                    }
+                    if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) {
+                        pHints->AddSegment(offset, size.ValueOrDie());
                         ret_array.Add(pObj);
                         count++;
                     } else if (!m_objnum_array.Find(dwNum)) {
author	Chris Palmer <palmer@google.com>	2014-07-18 15:18:43 -0700
committer	Chris Palmer <palmer@google.com>	2014-07-18 15:18:43 -0700
commit	98a44a176d137083434587fb5ebc53c6d963ff7f (patch)
tree	bb276e4674360135ba9eda2c6299b00f6dfb5bc8
parent	5ffacd677a141ed2756009b0f4a07ee4cf284a1b (diff)
download	pdfium-98a44a176d137083434587fb5ebc53c6d963ff7f.tar.xz