summaryrefslogtreecommitdiff
path: root/core/fpdfapi
diff options
context:
space:
mode:
authorthestig <thestig@chromium.org>2016-08-11 09:39:29 -0700
committerCommit bot <commit-bot@chromium.org>2016-08-11 09:39:29 -0700
commitc18ffca5a35ab4b2218fadcca4006b3ea09e7875 (patch)
tree665cf8142c70cc032d61dabe44143e72f66db67d /core/fpdfapi
parent22eeccb34f91f9932f7cec295bcaf641ba249e3a (diff)
downloadpdfium-c18ffca5a35ab4b2218fadcca4006b3ea09e7875.tar.xz
Relax a check in CPDF_HintTables.
CPDF_HintTables::ReadSharedObjHintTable() unnecessarily constraints a FX_FILESIZE value to an int32_t. Relax this check, since the result will be stored in |m_szSharedObjOffsetArray| which is of FX_FILESIZE. Bad values in |m_szSharedObjOffsetArray| will still cause hint table loading to eventually fail. BUG=635565 Review-Url: https://codereview.chromium.org/2230883003
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp11
1 files changed, 7 insertions, 4 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index fd723a8fa8..63a64a3026 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -296,13 +296,16 @@ FX_BOOL CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
m_dwSharedObjNumArray.Add(safeObjNum.ValueOrDie());
if (i == m_nFirstPageSharedObjs) {
- m_szSharedObjOffsetArray.push_back(
- pdfium::base::checked_cast<int32_t>(dwFirstSharedObjLoc));
+ FX_SAFE_FILESIZE safeLoc = dwFirstSharedObjLoc;
+ if (!safeLoc.IsValid())
+ return FALSE;
+
+ m_szSharedObjOffsetArray.push_back(safeLoc.ValueOrDie());
}
}
if (i != 0 && i != m_nFirstPageSharedObjs) {
- FX_SAFE_INT32 safeLoc = pdfium::base::checked_cast<int32_t>(dwPrevObjLen);
+ FX_SAFE_FILESIZE safeLoc = dwPrevObjLen;
safeLoc += m_szSharedObjOffsetArray[i - 1];
if (!safeLoc.IsValid())
return FALSE;
@@ -312,7 +315,7 @@ FX_BOOL CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
}
if (dwSharedObjTotal > 0) {
- FX_SAFE_INT32 safeLoc = pdfium::base::checked_cast<int32_t>(dwCurObjLen);
+ FX_SAFE_FILESIZE safeLoc = dwCurObjLen;
safeLoc += m_szSharedObjOffsetArray[dwSharedObjTotal - 1];
if (!safeLoc.IsValid())
return FALSE;