Fix hint tables parsing.

Sample PDF:
https://yadi.sk/d/oWLtAEfy3YbEb3

For offsets, equal to the hint stream offset, added hint stream
length to determine the actual offset, because linearization
inserted the hint stream at the original location of the object.

Also the number of bits needed to represent the numerator of
the fractional position for each shared object reference may be
zero, if each shared group contains only one object with obj num,
incremented on 1.

Change-Id: I4754d603f388354821e8d0cac97ad99a7578fe4b
Reviewed-on: https://pdfium-review.googlesource.com/36610
Commit-Queue: Art Snake <art-snake@yandex-team.ru>
Reviewed-by: Lei Zhang <thestig@chromium.org>

1 files changed, 15 insertions, 9 deletions

diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 71a6d3688e..04e673bc97 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -117,7 +117,7 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
   // shared object referenced from a page, there is an indication of
   // where in the page's content stream the object is first referenced.
   const uint32_t dwSharedNumeratorBits = hStream->GetBits(16);
-  if (!IsValidPageOffsetHintTableBitCount(dwSharedNumeratorBits))
+  if (dwSharedNumeratorBits > 32)
     return false;
 
   // Item 13: Skip Item 13 which has 16 bits.
@@ -193,15 +193,17 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
   }
   hStream->ByteAlign();
 
-  for (uint32_t i = 0; i < nPages; i++) {
-    FX_SAFE_UINT32 safeSize = dwNSharedObjsArray[i];
-    safeSize *= dwSharedNumeratorBits;
-    if (!CanReadFromBitStream(hStream, safeSize))
-      return false;
+  if (dwSharedNumeratorBits) {
+    for (uint32_t i = 0; i < nPages; i++) {
+      FX_SAFE_UINT32 safeSize = dwNSharedObjsArray[i];
+      safeSize *= dwSharedNumeratorBits;
+      if (!CanReadFromBitStream(hStream, safeSize))
+        return false;
 
-    hStream->SkipBits(safeSize.ValueOrDie());
+      hStream->SkipBits(safeSize.ValueOrDie());
+    }
+    hStream->ByteAlign();
   }
-  hStream->ByteAlign();
 
   FX_SAFE_UINT32 safeTotalPageLen = nPages;
   safeTotalPageLen *= dwDeltaPageLenBits;
@@ -403,7 +405,11 @@ FX_FILESIZE CPDF_HintTables::HintsOffsetToFileOffset(
   // offset shall have the hint stream length added to it to determine the
   // actual offset relative to the beginning of the file.
   // See specification PDF 32000-1:2008 Annex F.4 (Hint tables).
-  if (file_offset.ValueOrDie() > m_pLinearized->GetHintStart())
+  // Note: The PDF spec does not mention this, but positions equal to the hint
+  // stream offset also need to have the hint stream length added to it. e.g.
+  // There exists linearized PDFs generated by Adobe software that have this
+  // property.
+  if (file_offset.ValueOrDie() >= m_pLinearized->GetHintStart())
     file_offset += m_pLinearized->GetHintLength();
 
   return file_offset.ValueOrDefault(0);