SetPos to at most the file length to avoid overflows

This CL prevents arbitrary position setting which may cause integer overflows.
In the bug in question, the PDF says the xrefs are located in a huge position.
This then causes problems when calling CPDF_SyntaxParser methods.

Bug: chromium:603545
Change-Id: I5f94c38f46a0217e9f12f1bf8b2f3bee3b03cb35
Reviewed-on: https://pdfium-review.googlesource.com/4813
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>

1 files changed, 3 insertions, 2 deletions

diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.h b/core/fpdfapi/parser/cpdf_syntax_parser.h
index 9c2d84070d..f9a9bd9a8a 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.h
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.h
@@ -7,6 +7,7 @@
 #ifndef CORE_FPDFAPI_PARSER_CPDF_SYNTAX_PARSER_H_
 #define CORE_FPDFAPI_PARSER_CPDF_SYNTAX_PARSER_H_
 
+#include <algorithm>
 #include <memory>
 
 #include "core/fxcrt/cfx_string_pool_template.h"
@@ -29,8 +30,8 @@ class CPDF_SyntaxParser {
   void InitParser(const CFX_RetainPtr<IFX_SeekableReadStream>& pFileAccess,
                   uint32_t HeaderOffset);
 
-  FX_FILESIZE SavePos() const { return m_Pos; }
-  void RestorePos(FX_FILESIZE pos) { m_Pos = pos; }
+  FX_FILESIZE GetPos() const { return m_Pos; }
+  void SetPos(FX_FILESIZE pos) { m_Pos = std::min(pos, m_FileLen); }
 
   std::unique_ptr<CPDF_Object> GetObject(CPDF_IndirectObjectHolder* pObjList,
                                          uint32_t objnum,