authorTom Sepez <tsepez@chromium.org>2015-02-05 10:41:08 -0800
committerTom Sepez <tsepez@chromium.org>2015-02-05 10:41:08 -0800
commit219b3dab7e184bf8742f61527e37053b04903ff0 (patch)
tree8ce24202dc2fd5a61774c947e5eecf007bea6bf9
parentdabc5d57bf473708295800a7991bc1fafdf76288 (diff)
downloadpdfium-219b3dab7e184bf8742f61527e37053b04903ff0.tar.xz
Fix segv in CPDF_DataAvail::CheckRoot() when /Root object is a string.
Handles the case of this malformed PDF without crashing. Note that to get a reproducible test case, a small fix is applied to our .py script which results in some whitespace/numbering diffs across the resources (down the road, we ought to generate them on the fly in an intermediate directory). BUG=454695 R=jun_fang@foxitsoftware.com, thestig@chromium.org Review URL: https://codereview.chromium.org/895933003
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp7
-rw-r--r--fpdfsdk/src/fpdfview_embeddertest.cpp4
-rw-r--r--testing/resources/bug_451265.pdf30
-rw-r--r--testing/resources/bug_452455.pdf36
-rw-r--r--testing/resources/bug_454695.in12
-rw-r--r--testing/resources/bug_454695.pdf17
-rw-r--r--testing/resources/bug_57.pdf12
-rw-r--r--testing/resources/hello_world.pdf14
-rw-r--r--testing/resources/named_dests.pdf46
-rw-r--r--testing/resources/trailer_as_hexstring.pdf9
-rw-r--r--testing/resources/trailer_unterminated.pdf8
-rw-r--r--testing/resources/weblinks.pdf14
-rwxr-xr-xtesting/tools/fixup_pdf_template.py6
13 files changed, 128 insertions, 87 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 16274088c0..4ed4c70e27 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -3390,7 +3390,12 @@ FX_BOOL CPDF_DataAvail::CheckRoot(IFX_DownloadHints* pHints)
}
return FALSE;
}
- CPDF_Reference* pRef = (CPDF_Reference*)m_pRoot->GetDict()->GetElement(FX_BSTRC("Pages"));
+ CPDF_Dictionary* pDict = m_pRoot->GetDict();
+ if (!pDict) {
+ m_docStatus = PDF_DATAAVAIL_ERROR;
+ return FALSE;
+ }
+ CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages"));
if (pRef == NULL || pRef->GetType() != PDFOBJ_REFERENCE) {
m_docStatus = PDF_DATAAVAIL_ERROR;
return FALSE;
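Review bot: The result of `pDict->GetElement(FX_BSTRC("Pages"))` is still C-style cast to `CPDF_Reference*` before `GetType()` confirms it is a reference, so for a malformed /Pages entry `pRef` names an object of another type until the check runs. Holding it as the base type first makes the order explicit: `CPDF_Object* pPages = pDict->GetElement(FX_BSTRC("Pages"));`, then `if (!pPages || pPages->GetType() != PDFOBJ_REFERENCE)`, with the cast only after that test passes. A short comment above the new guard, such as `// /Root may resolve to a non-dictionary object in a malformed file.`, would record why GetDict() can return null here. CheckRoot's body starts and ends outside the hunk, so how pRef is used afterwards is not visible.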
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index 04549741ec..47119b5c52 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -190,3 +190,7 @@ TEST_F(FPDFViewEmbeddertest, Crasher_452455) {
FPDF_PAGE page = LoadPage(0);
EXPECT_NE(nullptr, page);
}
+
+TEST_F(FPDFViewEmbeddertest, Crasher3) {
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_454695.pdf"));
+}
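Review bot: The new test is named `Crasher3`, while the test directly above it is `Crasher_452455`; naming it `Crasher_454695` would tie it to the bug and to `bug_454695.pdf` in the same way. It asserts only that OpenDocument() returns true, so a comment such as `// /Root refers to a hex string, not a dictionary; must not crash.` would tell the reader what is being guarded. Whether OpenDocument() actually reaches CPDF_DataAvail::CheckRoot() cannot be told from this hunk; if it does not, the test would not cover the patched path.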
diff --git a/testing/resources/bug_451265.pdf b/testing/resources/bug_451265.pdf
index 299363dac7..2a154771aa 100644
--- a/testing/resources/bug_451265.pdf
+++ b/testing/resources/bug_451265.pdf
@@ -74,21 +74,21 @@ endstream
endobj
xref
0 15
-0000000000 65536 f
-0000000015 00000 n
-0000000078 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000348 00000 n
-0000000405 00000 n
-0000000531 00000 n
-0000000712 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000078 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000348 00000 n
+0000000405 00000 n
+0000000531 00000 n
+0000000712 00000 n
trailer <<
/Root 2 0 R
/Size 110
diff --git a/testing/resources/bug_452455.pdf b/testing/resources/bug_452455.pdf
index 35d067cb29..95ab801884 100644
--- a/testing/resources/bug_452455.pdf
+++ b/testing/resources/bug_452455.pdf
@@ -57,24 +57,24 @@ endobj
endobj
xref
0 18
-0000000000 65536 f
-0000000015 00000 n
-0000000068 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000280 00000 n
-0000000340 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000555 00000 n
-0000000389 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000068 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000280 00000 n
+0000000340 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000555 00000 n
+0000000389 00000 n
trailer <<
/Root 1 0 R
>>
diff --git a/testing/resources/bug_454695.in b/testing/resources/bug_454695.in
new file mode 100644
index 0000000000..36ae84cb0d
--- /dev/null
+++ b/testing/resources/bug_454695.in
@@ -0,0 +1,12 @@
+{{header}}
+% Hex string, not a dict as expected.
+{{object 1 0}}
+<feedbeef2dad>
+endobj
+{{xref}}
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_454695.pdf b/testing/resources/bug_454695.pdf
new file mode 100644
index 0000000000..382194f9e8
--- /dev/null
+++ b/testing/resources/bug_454695.pdf
@@ -0,0 +1,17 @@
+%PDF-1.7
+% ò¤ô
+% Hex string, not a dict as expected
+1 0 obj
+<feedbeef2dad>
+endobj
+xref
+0 2
+0000000000 65535 f
+0000000052 00000 n
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+startxref
+82
+%%EOF
diff --git a/testing/resources/bug_57.pdf b/testing/resources/bug_57.pdf
index d954c43f54..0c3f7dfdab 100644
--- a/testing/resources/bug_57.pdf
+++ b/testing/resources/bug_57.pdf
@@ -42,12 +42,12 @@ endstream
endobj
xref
0 6
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000280 00000 n
-0000000409 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000280 00000 n
+0000000409 00000 n
trailer <<
/Size 6
/Root 1 0 R
diff --git a/testing/resources/hello_world.pdf b/testing/resources/hello_world.pdf
index 84e77057cb..bb4f0a88e7 100644
--- a/testing/resources/hello_world.pdf
+++ b/testing/resources/hello_world.pdf
@@ -50,13 +50,13 @@ endstream
endobj
xref
0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000296 00000 n
-0000000374 00000 n
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000296 00000 n
+0000000374 00000 n
+0000000450 00000 n
trailer <<
/Size 6
/Root 1 0 R
diff --git a/testing/resources/named_dests.pdf b/testing/resources/named_dests.pdf
index e302c196d6..2e0e5ce71d 100644
--- a/testing/resources/named_dests.pdf
+++ b/testing/resources/named_dests.pdf
@@ -103,29 +103,29 @@ endstream
endobj
xref
0 23
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000217 00000 n
-0000000378 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000548 00000 n
-0000000638 00000 n
-0000000766 00000 n
-0000000000 65536 f
-0000001060 00000 n
-0000001188 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000001283 00000 n
-0000001393 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000217 00000 n
+0000000378 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000548 00000 n
+0000000638 00000 n
+0000000766 00000 n
+0000000000 65535 f
+0000001060 00000 n
+0000001188 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000001283 00000 n
+0000001393 00000 n
trailer <<
/Size 6
/Root 1 0 R
diff --git a/testing/resources/trailer_as_hexstring.pdf b/testing/resources/trailer_as_hexstring.pdf
index 5b75a53afa..bd94c4779d 100644
--- a/testing/resources/trailer_as_hexstring.pdf
+++ b/testing/resources/trailer_as_hexstring.pdf
@@ -25,10 +25,11 @@ endobj
endobj
xref
0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
+% trailer erroneously contains a hex string, not a dictionary.
trailer <0000deadbabe0000>
startxref
267
diff --git a/testing/resources/trailer_unterminated.pdf b/testing/resources/trailer_unterminated.pdf
index b01ec4b67d..be59202db4 100644
--- a/testing/resources/trailer_unterminated.pdf
+++ b/testing/resources/trailer_unterminated.pdf
@@ -25,10 +25,10 @@ endobj
endobj
xref
0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
% closing angle-brackets not present for trailer dictionary.
trailer <<
/Size 6
diff --git a/testing/resources/weblinks.pdf b/testing/resources/weblinks.pdf
index 3921a37c79..0d201a45aa 100644
--- a/testing/resources/weblinks.pdf
+++ b/testing/resources/weblinks.pdf
@@ -60,13 +60,13 @@ endstream
endobj
xref
0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000374 00000 n
-0000000000 65536 f
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000374 00000 n
+0000000000 65535 f
+0000000450 00000 n
trailer <<
/Size 6
/Root 1 0 R
diff --git a/testing/tools/fixup_pdf_template.py b/testing/tools/fixup_pdf_template.py
index 873caeedde..87996a42cd 100755
--- a/testing/tools/fixup_pdf_template.py
+++ b/testing/tools/fixup_pdf_template.py
@@ -24,8 +24,10 @@ class TemplateProcessor:
XREF_TOKEN = '{{xref}}'
XREF_REPLACEMENT = 'xref\n%d %d\n'
- XREF_REPLACEMENT_N = '%010d %05d n\n'
- XREF_REPLACEMENT_F = '0000000000 65536 f\n'
+
+ # XREF rows must be exactly 20 bytes - space required.
+ XREF_REPLACEMENT_N = '%010d %05d n \n'
+ XREF_REPLACEMENT_F = '0000000000 65535 f \n'
STARTXREF_TOKEN= '{{startxref}}'
STARTXREF_REPLACEMENT = 'startxref\n%d'
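Review bot: The added comment explains the trailing space but not the other change on these two lines, the free-entry generation number going from 65536 to 65535. Extending it, for example `# Free entries use generation 65535, the maximum generation number.`, would keep a later edit from reintroducing the old value. The 20-byte claim also holds only while the offset fits in ten digits and the generation in five, because `%010d` and `%05d` pad but do not truncate. An assertion on the row length at the point where the rows are written (outside this hunk) would enforce what the comment states.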