authornpm <npm@chromium.org>2017-01-09 07:52:30 -0800
committerCommit bot <commit-bot@chromium.org>2017-01-09 07:52:30 -0800
commit661008dde7356ee2ed69787125863539b73b041c (patch)
treedcf7541b8fa233078919bd81c3e257f91c25351a /core/fpdfapi
parent5f92eab76505fc6be2e5373390591a55be489b21 (diff)
Do not parse references with invalid objnum
We should not have valid objects where the object number is CPDF_Object::kInvalidObjNum. BUG=pdfium:609 Review-Url: https://codereview.chromium.org/2610393004
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/parser/cpdf_reference.cpp2
-rw-r--r--core/fpdfapi/parser/cpdf_reference.h2
-rw-r--r--core/fpdfapi/parser/cpdf_syntax_parser.cpp12
-rw-r--r--core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp11
4 files changed, 21 insertions, 6 deletions
diff --git a/core/fpdfapi/parser/cpdf_reference.cpp b/core/fpdfapi/parser/cpdf_reference.cpp
index 8f44aa0200..67b67c24dd 100644
--- a/core/fpdfapi/parser/cpdf_reference.cpp
+++ b/core/fpdfapi/parser/cpdf_reference.cpp
@@ -10,7 +10,7 @@
#include "third_party/base/ptr_util.h"
#include "third_party/base/stl_util.h"
-CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum)
+CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum)
: m_pObjList(pDoc), m_RefObjNum(objnum) {}
CPDF_Reference::~CPDF_Reference() {}
diff --git a/core/fpdfapi/parser/cpdf_reference.h b/core/fpdfapi/parser/cpdf_reference.h
index 5597142b95..be7f18478e 100644
--- a/core/fpdfapi/parser/cpdf_reference.h
+++ b/core/fpdfapi/parser/cpdf_reference.h
@@ -16,7 +16,7 @@ class CPDF_IndirectObjectHolder;
class CPDF_Reference : public CPDF_Object {
public:
- CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum);
+ CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum);
~CPDF_Reference() override;
// CPDF_Object:
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 48d77c2cbd..1b81b98c96 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -386,8 +386,10 @@ std::unique_ptr<CPDF_Object> CPDF_SyntaxParser::GetObject(
if (bIsNumber) {
CFX_ByteString nextword2 = GetNextWord(nullptr);
if (nextword2 == "R") {
- return pdfium::MakeUnique<CPDF_Reference>(pObjList,
- FXSYS_atoui(word.c_str()));
+ uint32_t objnum = FXSYS_atoui(word.c_str());
+ if (objnum == CPDF_Object::kInvalidObjNum)
+ return nullptr;
+ return pdfium::MakeUnique<CPDF_Reference>(pObjList, objnum);
}
}
m_Pos = SavedPos;
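Review bot: The convert-check-construct sequence added at the `"R"` branch of GetObject is repeated verbatim in the GetObjectForStrict hunk below, so the rule that rejects `CPDF_Object::kInvalidObjNum` now lives in two places that can drift apart. Moving it into one file-local helper keeps the rejection of untrusted object numbers in a single spot and gives it a comment explaining why nullptr is returned. The sketch below assumes `word` is a `CFX_ByteString` like `nextword2`, which the hunk does not show. Both function bodies start and end outside their hunks.

```cpp
// Builds the reference named by |word|. Returns nullptr when the number
// parses to CPDF_Object::kInvalidObjNum, which no valid object may use.
std::unique_ptr<CPDF_Object> MakeReferenceOrNull(
    CPDF_IndirectObjectHolder* pObjList,
    const CFX_ByteString& word) {
  uint32_t objnum = FXSYS_atoui(word.c_str());
  if (objnum == CPDF_Object::kInvalidObjNum)
    return nullptr;
  return pdfium::MakeUnique<CPDF_Reference>(pObjList, objnum);
}

// … unchanged: GetObject / GetObjectForStrict up to the "R" comparison …
      if (nextword2 == "R")
        return MakeReferenceOrNull(pObjList, word);
```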
@@ -505,8 +507,10 @@ std::unique_ptr<CPDF_Object> CPDF_SyntaxParser::GetObjectForStrict(
if (bIsNumber) {
CFX_ByteString nextword2 = GetNextWord(nullptr);
if (nextword2 == "R") {
- return pdfium::MakeUnique<CPDF_Reference>(pObjList,
- FXSYS_atoui(word.c_str()));
+ uint32_t objnum = FXSYS_atoui(word.c_str());
+ if (objnum == CPDF_Object::kInvalidObjNum)
+ return nullptr;
+ return pdfium::MakeUnique<CPDF_Reference>(pObjList, objnum);
}
}
m_Pos = SavedPos;
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
index faaa83dd19..64c33ba9cd 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp
@@ -5,6 +5,7 @@
#include <limits>
#include <string>
+#include "core/fpdfapi/parser/cpdf_object.h"
#include "core/fpdfapi/parser/cpdf_parser.h"
#include "core/fpdfapi/parser/cpdf_syntax_parser.h"
#include "core/fxcrt/fx_ext.h"
@@ -143,3 +144,13 @@ TEST(cpdf_syntax_parser, ReadHexString) {
EXPECT_EQ(1, parser.SavePos());
}
}
+
+TEST(cpdf_syntax_parser, GetInvalidReference) {
+ CPDF_SyntaxParser parser;
+ // Data with a reference with number CPDF_Object::kInvalidObjNum
+ uint8_t data[] = "4294967295 0 R";
+ parser.InitParser(IFX_MemoryStream::Create(data, 14, false), 0);
+ std::unique_ptr<CPDF_Object> ref =
+ parser.GetObject(nullptr, CPDF_Object::kInvalidObjNum, 0, false);
+ EXPECT_FALSE(ref);
+}
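Review bot: GetInvalidReference only drives `GetObject`, so the identical guard this commit adds to `GetObjectForStrict` has no test; a second case that feeds the same bytes through `GetObjectForStrict` would cover it. The hand-counted length `14` is correct for this literal but easy to get wrong when the data changes; `parser.InitParser(IFX_MemoryStream::Create(data, sizeof(data) - 1, false), 0);` avoids that. A further case with an object number just above the 32-bit range (for example `"4294967296 0 R"`) would pin how the guard interacts with `FXSYS_atoui`'s out-of-range handling, which is not visible in this diff.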