summaryrefslogtreecommitdiff
path: root/core/fpdfapi
diff options
context:
space:
mode:
authorArtem Strygin <art-snake@yandex-team.ru>2018-07-30 16:30:28 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-07-30 16:30:28 +0000
commit552f1ec14f94c09fce4126b5e72d3c02c150ab35 (patch)
tree32f754697b792fd2c0b2facb19f9f99bad2979af /core/fpdfapi
parent8584902d81ffabc06bb4895f558e375e5429fe72 (diff)
downloadpdfium-552f1ec14f94c09fce4126b5e72d3c02c150ab35.tar.xz
Check maximum bit count of shared group object numbers.
Bug: chromium:868477 Change-Id: I5957c5ef051bc4fa8eb51efa6a7fc142996742c5 Reviewed-on: https://pdfium-review.googlesource.com/39130 Commit-Queue: Art Snake <art-snake@yandex-team.ru> Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/parser/cpdf_hint_tables.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 8d8aa3263a..71fb6e2843 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -252,6 +252,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
// Item 5: The number of bits needed to represent the greatest number of
// objects in a shared object group.
uint32_t dwSharedObjNumBits = hStream->GetBits(16);
+ if (dwSharedObjNumBits > 32)
+ return false;
// Item 6: The least length of a shared object group in bytes.
uint32_t dwGroupLeastLen = hStream->GetBits(32);