Add some limit checks to ReadSharedObjHintTable().

BUG=641444 Review-Url: https://codereview.chromium.org/2283893003
author: thestig <thestig@chromium.org> 2016-08-29 10:05:27 -0700
committer: Commit bot <commit-bot@chromium.org> 2016-08-29 10:05:27 -0700
commit: a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 (patch)
tree: bed23df7989999479ea99b94fa21b7a581b75134 /core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
parent: 81ee14da357bb8bb141930d96e07a46f6d472720 (diff)
download: pdfium-a032f7f79c67ddef4db0f44fca8f0d245bfb8e82.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index 4363d3924c..fd8765a2d2 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -278,6 +278,12 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // greatest and least length of a shared object group, in bytes.
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
+  if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
+      m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
+      dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {
+    return false;
+  }
+
   int nFirstPageObjNum = GetFirstPageObjectNumber();
   if (nFirstPageObjNum < 0)
     return false;
author	thestig <thestig@chromium.org>	2016-08-29 10:05:27 -0700
committer	Commit bot <commit-bot@chromium.org>	2016-08-29 10:05:27 -0700
commit	a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 (patch)
tree	bed23df7989999479ea99b94fa21b7a581b75134 /core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
parent	81ee14da357bb8bb141930d96e07a46f6d472720 (diff)
download	pdfium-a032f7f79c67ddef4db0f44fca8f0d245bfb8e82.tar.xz