diff options
| author | Lei Zhang <thestig@chromium.org> | 2018-08-06 18:25:03 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-06 18:25:03 +0000 |
| commit | f3a3393a2f96bb8c4cc275ee67921e2b7bddf540 (patch) | |
| tree | bd59ca037a1036ea5a1816deb14194adb03279d9 /core/fpdfapi | |
| parent | 29201324de188dc3f88d835a90af18e10f5ff868 (diff) | |
| download | pdfium-f3a3393a2f96bb8c4cc275ee67921e2b7bddf540.tar.xz | |
Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().chromium/3515
BUG=chromium:865272
Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40
Reviewed-on: https://pdfium-review.googlesource.com/39438
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
Diffstat (limited to 'core/fpdfapi')
| -rw-r--r-- | core/fpdfapi/parser/cpdf_parser.cpp | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp index e070d2f733..9bb9bf22d7 100644 --- a/core/fpdfapi/parser/cpdf_parser.cpp +++ b/core/fpdfapi/parser/cpdf_parser.cpp @@ -757,14 +757,18 @@ bool CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, bool bMainXRef) { } const uint32_t objnum = startnum + i; - if (GetObjectType(objnum) == ObjectType::kNull) { + if (objnum >= CPDF_Parser::kMaxObjectNumber) + continue; + + const ObjectType existing_type = GetObjectType(objnum); + if (existing_type == ObjectType::kNull) { uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]); if (pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(offset)) m_CrossRefTable->AddNormal(objnum, 0, offset); continue; } - if (GetObjectType(objnum) != ObjectType::kFree) + if (existing_type != ObjectType::kFree) continue; if (type == ObjectType::kFree) { |