diff options
author | thestig <thestig@chromium.org> | 2016-08-29 10:05:27 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2016-08-29 10:05:27 -0700 |
commit | a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 (patch) | |
tree | bed23df7989999479ea99b94fa21b7a581b75134 /core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | |
parent | 81ee14da357bb8bb141930d96e07a46f6d472720 (diff) | |
download | pdfium-a032f7f79c67ddef4db0f44fca8f0d245bfb8e82.tar.xz |
Add some limit checks to ReadSharedObjHintTable().
BUG=641444
Review-Url: https://codereview.chromium.org/2283893003
Diffstat (limited to 'core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp')
-rw-r--r-- | core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp index 4363d3924c..fd8765a2d2 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp @@ -278,6 +278,12 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream, // greatest and least length of a shared object group, in bytes. uint32_t dwDeltaGroupLen = hStream->GetBits(16); + if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber || + m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber || + dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) { + return false; + } + int nFirstPageObjNum = GetFirstPageObjectNumber(); if (nFirstPageObjNum < 0) return false; |