diff options
| author | Bo Xu <bo_xu@foxitsoftware.com> | 2014-09-19 15:58:46 -0700 |
|---|---|---|
| committer | Bo Xu <bo_xu@foxitsoftware.com> | 2014-09-19 15:58:46 -0700 |
| commit | 2d282243dbd1edd51d42e13f563903a1a76ce8f8 (patch) | |
| tree | 7c9304f433840c28e904d5294ab6b3b19aff9db4 | |
| parent | 26019d4a79c84843c710cd9505bd40e9da0ca4c6 (diff) | |
| download | pdfium-chromium/2165.tar.xz | |
Fix a bug when assign the generation number of indirect objectschromium/2166chromium/2165
BUG=408532
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/524443002
| -rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 28 | ||||
| -rw-r--r-- | core/src/fxcrt/fx_basic_gcc.cpp | 4 |
2 files changed, 19 insertions, 13 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 73ae71cda0..e9c0fdd227 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -1312,8 +1312,8 @@ void CPDF_Parser::GetIndirectBinary(FX_DWORD objnum, FX_LPBYTE& pBuffer, FX_DWOR m_Syntax.RestorePos(SavedPos); return; } - FX_DWORD real_objnum = FXSYS_atoi(word); - if (real_objnum && real_objnum != objnum) { + FX_DWORD parser_objnum = FXSYS_atoi(word); + if (parser_objnum && parser_objnum != objnum) { m_Syntax.RestorePos(SavedPos); return; } @@ -1377,8 +1377,8 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects* pObjList, } FX_FILESIZE objOffset = m_Syntax.SavePos(); objOffset -= word.GetLength(); - FX_DWORD real_objnum = FXSYS_atoi(word); - if (objnum && real_objnum != objnum) { + FX_DWORD parser_objnum = FXSYS_atoi(word); + if (objnum && parser_objnum != objnum) { m_Syntax.RestorePos(SavedPos); return NULL; } @@ -1387,21 +1387,23 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects* pObjList, m_Syntax.RestorePos(SavedPos); return NULL; } - FX_DWORD gennum = FXSYS_atoi(word); + FX_DWORD parser_gennum = FXSYS_atoi(word); if (m_Syntax.GetKeyword() != FX_BSTRC("obj")) { m_Syntax.RestorePos(SavedPos); return NULL; } - CPDF_Object* pObj = m_Syntax.GetObject(pObjList, objnum, gennum, 0, pContext); + CPDF_Object* pObj = m_Syntax.GetObject(pObjList, objnum, parser_gennum, 0, pContext); FX_FILESIZE endOffset = m_Syntax.SavePos(); CFX_ByteString bsWord = m_Syntax.GetKeyword(); if (bsWord == FX_BSTRC("endobj")) { endOffset = m_Syntax.SavePos(); } m_Syntax.RestorePos(SavedPos); - if (pObj && !objnum) { - pObj->m_ObjNum = real_objnum; - pObj->m_GenNum = gennum; + if (pObj) { + if (!objnum) { + pObj->m_ObjNum = parser_objnum; + } + pObj->m_GenNum = parser_gennum; } return pObj; } @@ -1416,8 +1418,8 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAtByStrict(CPDF_IndirectObjects* pO m_Syntax.RestorePos(SavedPos); return NULL; } - FX_DWORD real_objnum = FXSYS_atoi(word); - if (objnum && real_objnum != objnum) { + FX_DWORD parser_objnum = FXSYS_atoi(word); + if (objnum && parser_objnum != objnum) { m_Syntax.RestorePos(SavedPos); return NULL; } @@ -3466,8 +3468,8 @@ CPDF_Object * CPDF_DataAvail::ParseIndirectObjectAt(FX_FILESIZE pos, FX_DWORD ob if (!bIsNumber) { return NULL; } - FX_DWORD real_objnum = FXSYS_atoi(word); - if (objnum && real_objnum != objnum) { + FX_DWORD parser_objnum = FXSYS_atoi(word); + if (objnum && parser_objnum != objnum) { return NULL; } word = m_syntaxParser.GetNextWord(bIsNumber); diff --git a/core/src/fxcrt/fx_basic_gcc.cpp b/core/src/fxcrt/fx_basic_gcc.cpp index 7f5bbade66..93c71ce660 100644 --- a/core/src/fxcrt/fx_basic_gcc.cpp +++ b/core/src/fxcrt/fx_basic_gcc.cpp @@ -4,6 +4,7 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com +#include <limits> #include "../../include/fxcrt/fx_ext.h" template <class T, class STR_T> T FXSYS_StrToInt(STR_T str) @@ -21,6 +22,9 @@ T FXSYS_StrToInt(STR_T str) if ((*str) < '0' || (*str) > '9') { break; } + if (num > (std::numeric_limits<T>::max() - 9) / 10) { + break; + } num = num * 10 + (*str) - '0'; str ++; } |