authorLei Zhang <thestig@chromium.org>2017-08-31 11:00:54 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-08-31 18:22:58 +0000
commit671f0d4949d412f26fba6c675cfb54b1fc170be0 (patch)
treef6ba8024f26592eb1e7e056a87630c433421f2a6 /core/fpdfapi/parser
parent276dd94b300f1a5eb537fceb5bcfd311d75bd2e6 (diff)
Prevent FPDFAvail_IsDocAvail() from infinite looping.
BUG=pdfium:875 Change-Id: I3cc29990f0a3398ae903bc14417ec695cca30c6c Reviewed-on: https://pdfium-review.googlesource.com/12391 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Art Snake <art-snake@yandex-team.ru> Reviewed-by: Wei Li <weili@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r--core/fpdfapi/parser/cpdf_data_avail.cpp3
-rw-r--r--core/fpdfapi/parser/cpdf_data_avail.h1
2 files changed, 3 insertions, 1 deletions
diff --git a/core/fpdfapi/parser/cpdf_data_avail.cpp b/core/fpdfapi/parser/cpdf_data_avail.cpp
index 76190fa9a9..b7ea238507 100644
--- a/core/fpdfapi/parser/cpdf_data_avail.cpp
+++ b/core/fpdfapi/parser/cpdf_data_avail.cpp
@@ -943,8 +943,9 @@ bool CPDF_DataAvail::CheckTrailer() {
return true;
}
+ // Prevent infinite-looping between Prev entries.
uint32_t xrefpos = GetDirectInteger(pTrailerDict, "Prev");
- if (!xrefpos) {
+ if (!xrefpos || !m_SeenPrevPositions.insert(xrefpos).second) {
m_dwPrevXRefOffset = 0;
m_docStatus = PDF_DATAAVAIL_LOADALLCROSSREF;
return true;
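Review bot: In the new condition a repeated `Prev` offset takes the same branch as a missing one, so a cyclic trailer chain ends up as `m_docStatus = PDF_DATAAVAIL_LOADALLCROSSREF` with nothing recording that the file was malformed. The added comment also sits above the `GetDirectInteger` call rather than the check it explains; I would move it onto the `if` and spell out the decision, e.g. `// A Prev offset seen before means the trailer chain is cyclic (malformed or crafted file); stop following it and treat the chain as complete.` The offset the walk starts from does not appear to be seeded into `m_SeenPrevPositions` in these lines, so a `Prev` pointing back at it would presumably be followed once more before being rejected; that still terminates, but it is worth confirming. `CheckTrailer()` begins and ends outside this hunk, so whether the later cross-reference loading has its own cycle guard cannot be judged from here.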
diff --git a/core/fpdfapi/parser/cpdf_data_avail.h b/core/fpdfapi/parser/cpdf_data_avail.h
index 1fcdaf034e..e2a4a20aa1 100644
--- a/core/fpdfapi/parser/cpdf_data_avail.h
+++ b/core/fpdfapi/parser/cpdf_data_avail.h
@@ -230,6 +230,7 @@ class CPDF_DataAvail final {
PageNode m_PageNode;
std::set<uint32_t> m_pageMapCheckState;
std::set<uint32_t> m_pagesLoadState;
+ std::set<uint32_t> m_SeenPrevPositions;
std::unique_ptr<CPDF_HintTables> m_pHintTables;
bool m_bSupportHintTable;
};
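Review bot: The new member `m_SeenPrevPositions` has no comment saying what it holds or who fills it, and the neighbouring sets give no hint either. Something like `// Prev xref offsets already followed by CheckTrailer(); used to stop on cyclic trailer chains.` above the declaration would do. Nothing visible here clears the set, so if the class has a path that restarts availability checking on the same object, it should presumably reset this member alongside the other load-state sets; the rest of the class lies outside this hunk.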