diff options
| author | thestig <thestig@chromium.org> | 2016-08-29 10:05:27 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-08-29 10:05:27 -0700 |
| commit | a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 (patch) | |
| tree | bed23df7989999479ea99b94fa21b7a581b75134 | |
| parent | 81ee14da357bb8bb141930d96e07a46f6d472720 (diff) | |
| download | pdfium-a032f7f79c67ddef4db0f44fca8f0d245bfb8e82.tar.xz | |
Add some limit checks to ReadSharedObjHintTable().
BUG=641444
Review-Url: https://codereview.chromium.org/2283893003
| -rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 6 | ||||
| -rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_parser.cpp | 4 | ||||
| -rw-r--r-- | core/fpdfapi/fpdf_parser/include/cpdf_parser.h | 6 |
3 files changed, 10 insertions, 6 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp index 4363d3924c..fd8765a2d2 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp @@ -278,6 +278,12 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream, // greatest and least length of a shared object group, in bytes. uint32_t dwDeltaGroupLen = hStream->GetBits(16); + if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber || + m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber || + dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) { + return false; + } + int nFirstPageObjNum = GetFirstPageObjectNumber(); if (nFirstPageObjNum < 0) return false; diff --git a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp index 9d26104caa..bd6c8648e0 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp @@ -29,10 +29,6 @@ namespace { // this may be large enough in practice. const int32_t kMaxXRefSize = 1048576; -// A limit on the maximum object number in the xref table. Theoretical limits -// are higher, but this may be large enough in practice. -const uint32_t kMaxObjectNumber = 1048576; - uint32_t GetVarInt(const uint8_t* p, int32_t n) { uint32_t result = 0; for (int32_t i = 0; i < n; ++i) diff --git a/core/fpdfapi/fpdf_parser/include/cpdf_parser.h b/core/fpdfapi/fpdf_parser/include/cpdf_parser.h index 3d2408fad1..5d6d6f93fc 100644 --- a/core/fpdfapi/fpdf_parser/include/cpdf_parser.h +++ b/core/fpdfapi/fpdf_parser/include/cpdf_parser.h @@ -34,6 +34,10 @@ class CPDF_Parser { HANDLER_ERROR }; + // A limit on the maximum object number in the xref table. Theoretical limits + // are higher, but this may be large enough in practice. + static const uint32_t kMaxObjectNumber = 1048576; + CPDF_Parser(); ~CPDF_Parser(); @@ -170,8 +174,6 @@ class CPDF_Parser { // All indirect object numbers that are being parsed. std::set<uint32_t> m_ParsingObjNums; - - }; #endif // CORE_FPDFAPI_FPDF_PARSER_INCLUDE_CPDF_PARSER_H_ |