authorLei Zhang <thestig@chromium.org>2018-04-05 17:54:26 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-05 17:54:26 +0000
commit10f9fb3f10bc47b3317fe1c8b55711015fb7de87 (patch)
tree6c0eb743dcb4811a65e53a045db52c7ffc090cc5
parent0a3083377ab87c841cec180932b57a416f6475d2 (diff)
downloadpdfium-10f9fb3f10bc47b3317fe1c8b55711015fb7de87.tar.xz
Ignore bad data in the shared object hint table.
Currently this is being treated as a case of "data not available" which leads to an infinite loop. BUG=pdfium:1055 Change-Id: I2722a5b364d56a4ad5b7cca2a4b42e6b13a933f4 Reviewed-on: https://pdfium-review.googlesource.com/29831 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r--core/fpdfapi/parser/cpdf_hint_tables.cpp5
-rw-r--r--fpdfsdk/fpdf_view_embeddertest.cpp9
-rw-r--r--testing/resources/linearized_bug_1055.pdfbin0 -> 11390 bytes
3 files changed, 12 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index c9123d4b97..381b160233 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -418,8 +418,9 @@ CPDF_DataAvail::DocAvailStatus CPDF_HintTables::CheckPage(uint32_t index) {
return CPDF_DataAvail::DataError;
if (!m_pValidator->CheckDataRangeAndRequestIfUnavailable(
- m_szPageOffsetArray[index], dwLength))
+ m_szPageOffsetArray[index], dwLength)) {
return CPDF_DataAvail::DataNotAvailable;
+ }
// Download data of shared objects in the page.
uint32_t offset = 0;
@@ -435,7 +436,7 @@ CPDF_DataAvail::DocAvailStatus CPDF_HintTables::CheckPage(uint32_t index) {
for (uint32_t j = 0; j < m_dwNSharedObjsArray[index]; ++j) {
dwIndex = m_dwIdentifierArray[offset + j];
if (dwIndex >= m_dwSharedObjNumArray.size())
- return CPDF_DataAvail::DataNotAvailable;
+ continue;
dwObjNum = m_dwSharedObjNumArray[dwIndex];
if (dwObjNum >= static_cast<uint32_t>(nFirstPageObjNum) &&
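Review bot: The read `m_dwIdentifierArray[offset + j]` just above the new `continue` has no range check visible in this hunk, while the lookup into `m_dwSharedObjNumArray` right after it does. Both `offset` and `m_dwNSharedObjsArray[index]` appear to come from the hint table, so a damaged table could presumably push that read out of range unless the loading code outside this hunk already guarantees the bound. If it does not, and assuming the array is a vector like `m_dwSharedObjNumArray`, a guard such as `if (offset + j >= m_dwIdentifierArray.size()) break;` before the read would handle it in the same spirit as the bad identifier. The `continue` itself deserves a one-line comment, for example `// Bad identifier in the hint table: skip it instead of waiting for data that will never arrive.` CheckPage starts and ends outside the hunk.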
diff --git a/fpdfsdk/fpdf_view_embeddertest.cpp b/fpdfsdk/fpdf_view_embeddertest.cpp
index 0bfa1a30b2..8d2cd3af1b 100644
--- a/fpdfsdk/fpdf_view_embeddertest.cpp
+++ b/fpdfsdk/fpdf_view_embeddertest.cpp
@@ -390,6 +390,15 @@ TEST_F(FPDFViewEmbeddertest, Hang_360) {
EXPECT_FALSE(OpenDocument("bug_360.pdf"));
}
+// Deliberately damaged version of linearized.pdf with bad data in the shared
+// object hint table.
+TEST_F(FPDFViewEmbeddertest, Hang_1055) {
+ EXPECT_TRUE(OpenDocumentLinearized("linearized_bug_1055.pdf"));
+ int version;
+ EXPECT_TRUE(FPDF_GetFileVersion(document(), &version));
+ EXPECT_EQ(16, version);
+}
+
void FPDFViewEmbeddertest::TestRenderPageBitmapWithMatrix(
FPDF_PAGE page,
const int bitmap_width,
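Review bot: In `Hang_1055`, `int version;` is still read by `EXPECT_EQ(16, version)` when the `FPDF_GetFileVersion` call fails, because `EXPECT_TRUE` does not stop the test; initialise it with `int version = 0;` or use `ASSERT_TRUE` on the call. The same goes for the open: `ASSERT_TRUE(OpenDocumentLinearized("linearized_bug_1055.pdf"));` keeps `document()` from being used after a failed load. The test checks only the file version, so it guards against the hang but would presumably not notice if skipping the bad shared-object entries broke page loading; loading a page would cover that.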
diff --git a/testing/resources/linearized_bug_1055.pdf b/testing/resources/linearized_bug_1055.pdf
new file mode 100644
index 0000000000..2f0f493b42
--- /dev/null
+++ b/testing/resources/linearized_bug_1055.pdf
Binary files differ