summaryrefslogtreecommitdiff
path: root/core/fpdfapi/parser
diff options
context:
space:
mode:
authorDan Sinclair <dsinclair@chromium.org>2017-05-08 14:16:51 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-05-08 18:38:02 +0000
commit486f141ed1fa5b92f59d403c4b549ede2ea1a2c8 (patch)
treee91cc72d308c7e3ffa5e40403157de54568b5d23 /core/fpdfapi/parser
parent1ef04c9bc0c19dd815f64ec48e7eef106cf88b49 (diff)
downloadpdfium-486f141ed1fa5b92f59d403c4b549ede2ea1a2c8.tar.xz
Check bits to decode will fit before decoding
When decoding the CPDF_HintTable we read the dwDeltaGroupLen value out of the input stream which is a 16bit number. That value is then passed in to read a uint32_t of the object number. If we have a group length of > 32 bits we'll cause an undefined shift when we attempt to shift right more then 32 bits. This Cl bails out early if the dwDeltaGroupLen value is > 32 in order to stop the undefined shifts. Bug: chromium:718505 Change-Id: I919d6f4cd19826094a5e44d3a65d758029f5c236 Reviewed-on: https://pdfium-review.googlesource.com/5090 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r--core/fpdfapi/parser/cpdf_hint_tables.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 24abf5dd13..6a84143f9e 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -290,6 +290,11 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
// greatest and least length of a shared object group, in bytes.
uint32_t dwDeltaGroupLen = hStream->GetBits(16);
+ // Trying to decode more than 32 bits isn't going to work when we write into
+ // a uint32_t.
+ if (dwDeltaGroupLen > 31)
+ return false;
+
if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {