summaryrefslogtreecommitdiff
path: root/core/fpdfapi/parser
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-05-24 20:10:22 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-05-24 20:10:22 +0000
commit97db69faaeb4f8481f9d8824bff644509949cb0d (patch)
tree40d036831b78a790f3c561cf8d789cf077ca0956 /core/fpdfapi/parser
parent5bf772bade615d8cb3388f677d85785fe0c01824 (diff)
downloadpdfium-97db69faaeb4f8481f9d8824bff644509949cb0d.tar.xz
CPDF_HintTables should not try to read 0 bits.
CFX_BitStream::GetBits() got refactored recently, with an assert to not read 0 bits. A fuzzer then discovered code that is trying to do that. BUG=chromium:846394 Change-Id: Ib18b47200c82aab369109b5911540db724172690 Reviewed-on: https://pdfium-review.googlesource.com/32934 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core/fpdfapi/parser')
-rw-r--r--core/fpdfapi/parser/cpdf_hint_tables.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 123e6594c1..9cd72c7815 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -294,8 +294,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
uint32_t dwDeltaGroupLen = hStream->GetBits(16);
// Trying to decode more than 32 bits isn't going to work when we write into
- // a uint32_t.
- if (dwDeltaGroupLen > 31)
+ // a uint32_t. Decoding 0 bits also makes no sense.
+ if (!IsValidPageOffsetHintTableBitCount(dwDeltaGroupLen))
return false;
if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||