authorLei Zhang <thestig@chromium.org>2017-06-30 18:06:36 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-07-01 01:19:54 +0000
commit46e8ecf84c0227298c5aca8ea587bd6b2bce4c87 (patch)
tree7d97475c43d850fe81c9e0d88747e3ada503fceb
parent60d92de2dcab52523829de81c5cd1e50b3f8414f (diff)
M60: Fix a buffer overflow in FPDFPage_Flatten().chromium/3112
BUG=chromium:732661 TBR=dsinclair@chromium.org Change-Id: Ie11a7d97db97ac969fb6230956efbf21c2ed3d87 Reviewed-on: https://pdfium-review.googlesource.com/6555 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org> (cherry picked from commit f0f2a2a528e154b8ceeded297abc3a64007850f8) Reviewed-on: https://pdfium-review.googlesource.com/7231 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
-rw-r--r--fpdfsdk/fpdf_flatten.cpp15
1 files changed, 9 insertions, 6 deletions
diff --git a/fpdfsdk/fpdf_flatten.cpp b/fpdfsdk/fpdf_flatten.cpp
index 0477d6fea5..914008c1a3 100644
--- a/fpdfsdk/fpdf_flatten.cpp
+++ b/fpdfsdk/fpdf_flatten.cpp
@@ -305,15 +305,18 @@ DLLEXPORT int STDCALL FPDFPage_Flatten(FPDF_PAGE page, int nFlag) {
if (!pPageXObject)
pPageXObject = pRes->SetNewFor<CPDF_Dictionary>("XObject");
- CFX_ByteString key = "";
+ CFX_ByteString key;
int nStreams = pdfium::CollectionSize<int>(ObjectArray);
if (nStreams > 0) {
- for (int iKey = 0; /*iKey < 100*/; iKey++) {
- char sExtend[5] = {};
- FXSYS_itoa(iKey, sExtend, 10);
- key = CFX_ByteString("FFT") + CFX_ByteString(sExtend);
- if (!pPageXObject->KeyExist(key))
+ CFX_ByteString sKey;
+ int i = 0;
+ while (i < INT_MAX) {
+ sKey.Format("FFT%d", i);
+ if (!pPageXObject->KeyExist(sKey)) {
+ key = sKey;
break;
+ }
+ ++i;
}
}