authorLei Zhang <thestig@chromium.org>2018-07-18 05:07:28 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-07-18 05:07:28 +0000
commit30688fb1c434b141380aa224da12e8246a8a78e1 (patch)
treecb563a2c26204c74b003bc8e126faa5d6323f7c6
parentbeb56d69a7a57317d521bab927a651fb260f5404 (diff)
downloadpdfium-30688fb1c434b141380aa224da12e8246a8a78e1.tar.xz
Do not add invalid objects to the cross reference table.chromium/3496
BUG=chromium:851994 Change-Id: I2e14401271c70afa204221e0f3d469f0b82ce8cf Reviewed-on: https://pdfium-review.googlesource.com/37871 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Art Snake <art-snake@yandex-team.ru>
-rw-r--r--core/fpdfapi/parser/cpdf_cross_ref_table.cpp17
-rw-r--r--core/fpdfapi/parser/cpdf_parser.cpp3
2 files changed, 19 insertions, 1 deletions
diff --git a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
index 4be91745d8..77c0e8136c 100644
--- a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
+++ b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
@@ -7,6 +7,7 @@
#include <utility>
#include "core/fpdfapi/parser/cpdf_dictionary.h"
+#include "core/fpdfapi/parser/cpdf_parser.h"
// static
std::unique_ptr<CPDF_CrossRefTable> CPDF_CrossRefTable::MergeUp(
@@ -31,6 +32,12 @@ CPDF_CrossRefTable::~CPDF_CrossRefTable() = default;
void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num,
uint32_t archive_obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber ||
+ archive_obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
if (info.gennum > 0)
return;
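Review bot: The guard added at the top of AddCompressed pairs `NOTREACHED()` with an early return, but object numbers come from the parsed file, so an out-of-range value is reachable from malformed input unless every caller filters first; the same pattern is repeated in AddNormal and SetFree. This commit shows only the RebuildCrossRef call site being filtered, so the remaining callers should be confirmed to bound the object number before the assertion is treated as an invariant; otherwise an assert-enabled build would presumably stop on a crafted document. I would add a comment above the check such as `// Callers must range-check object numbers read from the file; the return still protects builds where NOTREACHED() is compiled out.` The body of AddCompressed continues outside the hunk.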
@@ -48,6 +55,11 @@ void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num,
void CPDF_CrossRefTable::AddNormal(uint32_t obj_num,
uint16_t gen_num,
FX_FILESIZE pos) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
if (info.gennum > gen_num)
return;
@@ -63,6 +75,11 @@ void CPDF_CrossRefTable::AddNormal(uint32_t obj_num,
}
void CPDF_CrossRefTable::SetFree(uint32_t obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
info.type = ObjectType::kFree;
info.gennum = 0xFFFF;
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 54e05245a9..ecc0546de0 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -777,7 +777,8 @@ bool CPDF_Parser::RebuildCrossRef() {
}
}
}
- cross_ref_table->AddNormal(objnum, gennum, obj_pos);
+ if (objnum < kMaxObjectNumber)
+ cross_ref_table->AddNormal(objnum, gennum, obj_pos);
}
state = ParserState::kDefault;
break;
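Review bot: No regression test accompanies the new `objnum < kMaxObjectNumber` filter in RebuildCrossRef; the diffstat lists only the two parser sources. A unit test that rebuilds the table from a buffer holding an object whose number equals kMaxObjectNumber, and asserts that the object is absent afterwards, would pin the boundary for both this check and the one in AddNormal. The skip is also silent, so a short comment such as `// Drop objects whose number is out of range; AddNormal() rejects them as well.` would record why the call is conditional. RebuildCrossRef starts and ends outside the hunk.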