summaryrefslogtreecommitdiff
path: root/core/fpdfapi
diff options
context:
space:
mode:
authorLei Zhang <thestig@chromium.org>2018-08-06 18:25:03 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-06 18:25:03 +0000
commitf3a3393a2f96bb8c4cc275ee67921e2b7bddf540 (patch)
treebd59ca037a1036ea5a1816deb14194adb03279d9 /core/fpdfapi
parent29201324de188dc3f88d835a90af18e10f5ff868 (diff)
downloadpdfium-f3a3393a2f96bb8c4cc275ee67921e2b7bddf540.tar.xz
Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().chromium/3515
BUG=chromium:865272 Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40 Reviewed-on: https://pdfium-review.googlesource.com/39438 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Art Snake <art-snake@yandex-team.ru>
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/parser/cpdf_parser.cpp8
1 files changed, 6 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index e070d2f733..9bb9bf22d7 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -757,14 +757,18 @@ bool CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, bool bMainXRef) {
}
const uint32_t objnum = startnum + i;
- if (GetObjectType(objnum) == ObjectType::kNull) {
+ if (objnum >= CPDF_Parser::kMaxObjectNumber)
+ continue;
+
+ const ObjectType existing_type = GetObjectType(objnum);
+ if (existing_type == ObjectType::kNull) {
uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
if (pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(offset))
m_CrossRefTable->AddNormal(objnum, 0, offset);
continue;
}
- if (GetObjectType(objnum) != ObjectType::kFree)
+ if (existing_type != ObjectType::kFree)
continue;
if (type == ObjectType::kFree) {