Off-by-one in CPDF_StreamParser::ParseNextElement()

Limit the token to 255 bytes + NUL.  Also, shuffle fields in
cpdf_streamparser to allow memory tools to better check this
inline array.

Bug: 828049
Change-Id: I444f2b4c6958167577d9cd76c06805baf7d5c26c
Reviewed-on: https://pdfium-review.googlesource.com/29530
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

1 files changed, 5 insertions, 4 deletions

diff --git a/core/fpdfapi/page/cpdf_streamparser.h b/core/fpdfapi/page/cpdf_streamparser.h
index 158726b026..bdd07643ce 100644
--- a/core/fpdfapi/page/cpdf_streamparser.h
+++ b/core/fpdfapi/page/cpdf_streamparser.h
@@ -44,19 +44,20 @@ class CPDF_StreamParser {
 
  private:
   friend class cpdf_streamparser_ReadHexString_Test;
+  static const uint32_t kMaxWordLength = 255;
 
   void GetNextWord(bool& bIsNumber);
   ByteString ReadString();
   ByteString ReadHexString();
   bool PositionIsInBounds() const;
 
+  uint32_t m_Size;      // Length in bytes of m_pBuf.
+  uint32_t m_Pos;       // Current byte position within m_pBuf.
+  uint32_t m_WordSize;  // Current byte position within m_WordBuffer.
   const uint8_t* m_pBuf;
-  uint32_t m_Size;  // Length in bytes of m_pBuf.
-  uint32_t m_Pos;   // Current byte position within m_pBuf.
-  uint8_t m_WordBuffer[256];
-  uint32_t m_WordSize;
   std::unique_ptr<CPDF_Object> m_pLastObj;
   WeakPtr<ByteStringPool> m_pPool;
+  uint8_t m_WordBuffer[kMaxWordLength + 1];  // Include space for NUL.
 };
 
 #endif  // CORE_FPDFAPI_PAGE_CPDF_STREAMPARSER_H_