diff options
| author | thestig <thestig@chromium.org> | 2016-09-01 11:47:17 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-09-01 11:47:17 -0700 |
| commit | 8d3ca14840a027c3dd1e2c943795d057dbb91454 (patch) | |
| tree | cb9779d9116bae96be900ef34e7aea522017dda4 | |
| parent | 5e2d5c7ca2d084b2151b3c2e82eea18c189bef0a (diff) | |
| download | pdfium-8d3ca14840a027c3dd1e2c943795d057dbb91454.tar.xz | |
Handle another integer overflow in ReadPageHintTable().
Return false instead of crashing.
BUG=641882
Review-Url: https://codereview.chromium.org/2300903002
| -rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp index 3b0d2afbe0..445f3bf433 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp @@ -6,6 +6,8 @@ #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" +#include <limits> + #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" @@ -57,9 +59,14 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) { return false; int nStreamOffset = ReadPrimaryHintStreamOffset(); + if (nStreamOffset < 0) + return false; + int nStreamLen = ReadPrimaryHintStreamLength(); - if (nStreamOffset < 0 || nStreamLen < 1) + if (nStreamLen < 1 || + !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) { return false; + } const uint32_t kHeaderSize = 288; if (hStream->BitsRemaining() < kHeaderSize) @@ -68,20 +75,20 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) { // Item 1: The least number of objects in a page. const uint32_t dwObjLeastNum = hStream->GetBits(32); if (!dwObjLeastNum) - return FALSE; + return false; // Item 2: The location of the first page's page object. const uint32_t dwFirstObjLoc = hStream->GetBits(32); if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) { - FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen); + FX_SAFE_FILESIZE safeLoc = nStreamLen; safeLoc += dwFirstObjLoc; if (!safeLoc.IsValid()) return false; - m_szFirstPageObjOffset = - pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie()); + m_szFirstPageObjOffset = safeLoc.ValueOrDie(); } else { - m_szFirstPageObjOffset = - pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc); + if (!pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(dwFirstObjLoc)) + return false; + m_szFirstPageObjOffset = dwFirstObjLoc; } // Item 3: The number of bits needed to represent the difference |