Fix crash and memory leak.

Do not return size within CPDF_StreamAcc in case when read
data failed.
Also free buffers in this case.

Bug: chromium:860210
Change-Id: Ifb2a061d7c8427409b68c33f213c5c55343fb946
Reviewed-on: https://pdfium-review.googlesource.com/37310
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Commit-Queue: Art Snake <art-snake@yandex-team.ru>

3 files changed, 45 insertions, 2 deletions

diff --git a/BUILD.gn b/BUILD.gn
index d30640f30c..222784f36e 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -2875,6 +2875,7 @@ test("pdfium_unittests") {
     "core/fpdfapi/parser/cpdf_parser_unittest.cpp",
     "core/fpdfapi/parser/cpdf_read_validator_unittest.cpp",
     "core/fpdfapi/parser/cpdf_simple_parser_unittest.cpp",
+    "core/fpdfapi/parser/cpdf_stream_acc_unittest.cpp",
     "core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp",
     "core/fpdfapi/parser/fpdf_parser_decode_unittest.cpp",
     "core/fpdfapi/parser/fpdf_parser_utility_unittest.cpp",
diff --git a/core/fpdfapi/parser/cpdf_stream_acc.cpp b/core/fpdfapi/parser/cpdf_stream_acc.cpp
index 1734b0ddcb..18d0b35107 100644
--- a/core/fpdfapi/parser/cpdf_stream_acc.cpp
+++ b/core/fpdfapi/parser/cpdf_stream_acc.cpp
@@ -38,8 +38,11 @@ void CPDF_StreamAcc::LoadAllData(bool bRawAccess,
     pSrcData = m_pStream->GetInMemoryRawData();
   } else {
     pSrcData = m_pSrcData = FX_Alloc(uint8_t, dwSrcSize);
-    if (!m_pStream->ReadRawData(0, pSrcData, dwSrcSize))
+    if (!m_pStream->ReadRawData(0, pSrcData, dwSrcSize)) {
+      FX_Free(pSrcData);
+      pSrcData = m_pSrcData = nullptr;
       return;
+    }
   }
   if (bProcessRawData) {
     m_pData = pSrcData;
@@ -77,7 +80,8 @@ uint8_t* CPDF_StreamAcc::GetData() const {
 uint32_t CPDF_StreamAcc::GetSize() const {
   if (m_bNewBuf)
     return m_dwSize;
-  return m_pStream ? m_pStream->GetRawSize() : 0;
+  return (m_pStream && m_pStream->IsMemoryBased()) ? m_pStream->GetRawSize()
+                                                   : 0;
 }
 
 std::unique_ptr<uint8_t, FxFreeDeleter> CPDF_StreamAcc::DetachData() {
diff --git a/core/fpdfapi/parser/cpdf_stream_acc_unittest.cpp b/core/fpdfapi/parser/cpdf_stream_acc_unittest.cpp
new file mode 100644
index 0000000000..dcebf0b3a7
--- /dev/null
+++ b/core/fpdfapi/parser/cpdf_stream_acc_unittest.cpp
@@ -0,0 +1,38 @@
+// Copyright 2018 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "core/fpdfapi/parser/cpdf_stream_acc.h"
+
+#include "core/fpdfapi/parser/cpdf_stream.h"
+
+#include "core/fxcrt/cfx_memorystream.h"
+#include "core/fxcrt/fx_stream.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+
+class InvalidStream : public IFX_SeekableReadStream {
+ public:
+  InvalidStream() = default;
+  ~InvalidStream() override = default;
+
+  // IFX_SeekableReadStream overrides:
+  bool ReadBlock(void* buffer, FX_FILESIZE offset, size_t size) override {
+    // Read failure.
+    return false;
+  }
+
+  FX_FILESIZE GetSize() override { return 1024; }
+};
+
+}  // namespace
+
+TEST(CPDF_StreamAccTest, ReadRawDataFailed) {
+  CPDF_Stream stream;
+  stream.InitStreamFromFile(pdfium::MakeRetain<InvalidStream>(), nullptr);
+  auto stream_acc = pdfium::MakeRetain<CPDF_StreamAcc>(&stream);
+  stream_acc->LoadAllDataRaw();
+  EXPECT_EQ(0u, stream_acc->GetSize());
+  EXPECT_FALSE(stream_acc->GetData());
+}