Fix infinite loops in CPDF_MeshStream.

BUG=chromium:690501

Change-Id: I74b09d90a8082554a67f737eb6adc3bff82ed93e
Reviewed-on: https://pdfium-review.googlesource.com/2889
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

1 files changed, 6 insertions, 1 deletions

diff --git a/core/fpdfapi/page/cpdf_streamcontentparser.cpp b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
index d8e1c1e15d..6211b6a4dd 100644
--- a/core/fpdfapi/page/cpdf_streamcontentparser.cpp
+++ b/core/fpdfapi/page/cpdf_streamcontentparser.cpp
@@ -98,8 +98,11 @@ CFX_FloatRect GetShadingBBox(CPDF_ShadingPattern* pShading,
 
   while (!stream.BitStream()->IsEOF()) {
     uint32_t flag = 0;
-    if (type != kLatticeFormGouraudTriangleMeshShading)
+    if (type != kLatticeFormGouraudTriangleMeshShading) {
+      if (!stream.CanReadFlag())
+        break;
       flag = stream.ReadFlag();
+    }
 
     if (!bGouraud && flag) {
       point_count -= 4;
@@ -107,6 +110,8 @@ CFX_FloatRect GetShadingBBox(CPDF_ShadingPattern* pShading,
     }
 
     for (int i = 0; i < point_count; i++) {
+      if (!stream.CanReadCoords())
+        break;
       CFX_PointF origin = stream.ReadCoords();
       if (bStarted) {
         rect.UpdateRect(origin.x, origin.y);