authorLei Zhang <thestig@chromium.org>2017-11-13 18:35:23 +0000
committerChromium commit bot <commit-bot@chromium.org>2017-11-13 18:35:23 +0000
commitcee39e6e90c219cc91f2c94a912a06977f4461a0 (patch)
tree040d70270e5ff43e67383d745c2fcf2b57ec8f5e /core/fpdfapi
parent9fa5036245c34ce8c420531c5b02e699a861bc18 (diff)
downloadpdfium-cee39e6e90c219cc91f2c94a912a06977f4461a0.tar.xz
Check first page number in IsLinearizedHeaderValid().
This should allow https://pdfium-review.googlesource.com/15770 to safely reland. BUG=chromium:781529 Change-Id: Id0c1bde3280fb72125d8e74751b9a1cb35302b6f Reviewed-on: https://pdfium-review.googlesource.com/18170 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/parser/cpdf_linearized_header.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fpdfapi/parser/cpdf_linearized_header.cpp b/core/fpdfapi/parser/cpdf_linearized_header.cpp
index 3251a5eb9f..994d69f9b6 100644
--- a/core/fpdfapi/parser/cpdf_linearized_header.cpp
+++ b/core/fpdfapi/parser/cpdf_linearized_header.cpp
@@ -7,6 +7,7 @@
#include "core/fpdfapi/parser/cpdf_linearized_header.h"
#include <algorithm>
+#include <limits>
#include <utility>
#include "core/fpdfapi/parser/cpdf_array.h"
@@ -18,6 +19,7 @@
namespace {
constexpr FX_FILESIZE kLinearizedHeaderOffset = 9;
+constexpr size_t kMaxInt = static_cast<size_t>(std::numeric_limits<int>::max());
template <class T>
bool IsValidNumericDictionaryValue(const CPDF_Dictionary* pDict,
@@ -39,6 +41,8 @@ bool IsLinearizedHeaderValid(const CPDF_LinearizedHeader* header,
FX_FILESIZE file_size) {
ASSERT(header);
return header->GetFileSize() == file_size &&
+ static_cast<int>(header->GetFirstPageNo()) >= 0 &&
+ header->GetFirstPageNo() < kMaxInt &&
header->GetMainXRefTableFirstEntryOffset() < file_size &&
header->GetPageCount() > 0 &&
header->GetFirstPageEndOffset() < file_size &&
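Review bot: The `static_cast<int>(header->GetFirstPageNo()) >= 0` test on the first added line is redundant with the `< kMaxInt` test on the second: any value below kMaxInt fits in an int and casts to a non-negative value, while for larger values the unsigned-to-int conversion is implementation-defined in C++17 and the second line rejects them anyway, so the cast adds no protection and only relies on the conversion's behaviour. The bound the commit does not add is that the first page number must index a page that exists, which is the value a caller would use it for. I would replace the two added lines with `header->GetFirstPageNo() < kMaxInt &&` and `header->GetFirstPageNo() < header->GetPageCount() &&`, assuming GetFirstPageNo() and GetPageCount() return the same unsigned type, which the hunk does not show. The return expression, and IsLinearizedHeaderValid() with it, continues past the end of the hunk.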