summaryrefslogtreecommitdiff
path: root/core/fpdfapi/parser
diff options
context:
space:
mode:
authorDan Sinclair <dsinclair@chromium.org>2017-03-27 10:54:07 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-03-27 16:08:22 +0000
commit43c195016f9c2e38654a484f9472c138b92d3ec3 (patch)
treeb90cb78aafc09fabf5d033f0c4e2d4ffa9bda37f /core/fpdfapi/parser
parentaf8381f3a64906bc61c961633890a39cec10f5d9 (diff)
downloadpdfium-43c195016f9c2e38654a484f9472c138b92d3ec3.tar.xz
Guard against lengths greater then input size
If we get a requested length that is longer then the available buffer size we bail as we won't be able to read the needed data anyway. Bug: chromium:672177 Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339 Reviewed-on: https://pdfium-review.googlesource.com/3221 Reviewed-by: Nicolás Peña <npm@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r--core/fpdfapi/parser/cpdf_syntax_parser.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 2a0bf360fc..54fb89a48b 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -727,6 +727,10 @@ std::unique_ptr<CPDF_Stream> CPDF_SyntaxParser::ReadStream(
if (len < 0)
return nullptr;
+ // If the length is longer then the remaining buffer giveup.
+ if (len > m_pFileAccess->GetSize() - m_pFileAccess->GetPosition())
+ return nullptr;
+
std::unique_ptr<uint8_t, FxFreeDeleter> pData;
if (len > 0) {
pData.reset(FX_Alloc(uint8_t, len));