author | Dan Sinclair <dsinclair@chromium.org> | 2017-03-27 10:54:07 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-27 16:08:22 +0000 |
commit | 43c195016f9c2e38654a484f9472c138b92d3ec3 (patch) | |
tree | b90cb78aafc09fabf5d033f0c4e2d4ffa9bda37f /core/fpdfapi/parser | |
parent | af8381f3a64906bc61c961633890a39cec10f5d9 (diff) | |
download | pdfium-43c195016f9c2e38654a484f9472c138b92d3ec3.tar.xz |
Guard against lengths greater than input size
If we get a requested length that is longer than the available buffer
size we bail as we won't be able to read the needed data anyway.
Bug: chromium:672177
Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339
Reviewed-on: https://pdfium-review.googlesource.com/3221
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r-- | core/fpdfapi/parser/cpdf_syntax_parser.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp index 2a0bf360fc..54fb89a48b 100644 --- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp +++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp @@ -727,6 +727,10 @@ std::unique_ptr<CPDF_Stream> CPDF_SyntaxParser::ReadStream( if (len < 0) return nullptr; + // If the length is longer then the remaining buffer giveup. + if (len > m_pFileAccess->GetSize() - m_pFileAccess->GetPosition()) + return nullptr; + std::unique_ptr<uint8_t, FxFreeDeleter> pData; if (len > 0) { pData.reset(FX_Alloc(uint8_t, len)); |
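Review bot: In the new check placed before the FX_Alloc call, the bound is computed as m_pFileAccess->GetSize() - m_pFileAccess->GetPosition(), and two properties of that expression cannot be confirmed from this hunk. First, the types: len is signed (the preceding test is len < 0), so if GetSize() and GetPosition() return an unsigned type, or if the position can ever exceed the size, the subtraction or the signed/unsigned comparison can wrap and let an oversized len through. Checking position <= size first and storing the remaining byte count in an explicitly typed local would make the intent unambiguous. Second, the guard only holds if GetPosition() is the offset the stream data is subsequently read from; if the parser keeps its own read offset, the comparison should use that instead. The comment should read "longer than the remaining buffer, give up", and since the diffstat shows only cpdf_syntax_parser.cpp changed, a regression test with a stream whose declared length exceeds the file size would be worth adding alongside the fix.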