diff options
author | Lei Zhang <thestig@chromium.org> | 2018-05-24 20:10:22 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-05-24 20:10:22 +0000 |
commit | 97db69faaeb4f8481f9d8824bff644509949cb0d (patch) | |
tree | 40d036831b78a790f3c561cf8d789cf077ca0956 /core/fpdfapi/parser | |
parent | 5bf772bade615d8cb3388f677d85785fe0c01824 (diff) | |
download | pdfium-97db69faaeb4f8481f9d8824bff644509949cb0d.tar.xz |
CPDF_HintTables should not try to read 0 bits.
CFX_BitStream::GetBits() got refactored recently, with an assert to not
read 0 bits. A fuzzer then discovered code that is trying to do that.
BUG=chromium:846394
Change-Id: Ib18b47200c82aab369109b5911540db724172690
Reviewed-on: https://pdfium-review.googlesource.com/32934
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r-- | core/fpdfapi/parser/cpdf_hint_tables.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp index 123e6594c1..9cd72c7815 100644 --- a/core/fpdfapi/parser/cpdf_hint_tables.cpp +++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp @@ -294,8 +294,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream, uint32_t dwDeltaGroupLen = hStream->GetBits(16); // Trying to decode more than 32 bits isn't going to work when we write into - // a uint32_t. - if (dwDeltaGroupLen > 31) + // a uint32_t. Decoding 0 bits also makes no sense. + if (!IsValidPageOffsetHintTableBitCount(dwDeltaGroupLen)) return false; if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber || |