authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-10 13:45:43 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-10 14:15:47 -0700
commitb739aab3e0345afc22c325ed62e226df6b1e3965 (patch)
treedc4a6e796ecd4d88d69ba21073d589a983269931 /core/src
parent441932f7f17435a4385a4ca0a384b9e763ddb3bc (diff)
Merge to XFA: Fix a stack overflow in CPDF_Parser::LoadCrossRefV5
A stack overflow was triggered by checked_cast due to an invalid index entry in PDF files like 'Index[45 -1661]'. BUG=473400 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1054303005
Diffstat (limited to 'core/src')
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp6
1 files changed, 5 insertions, 1 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 862852e7b7..5a7837dc71 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -1043,7 +1043,11 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE pos, FX_FILESIZE& prev, FX_BOOL
CPDF_Object* pCountObj = pArray->GetElement(i * 2 + 1);
if (pStartNumObj && pStartNumObj->GetType() == PDFOBJ_NUMBER
&& pCountObj && pCountObj->GetType() == PDFOBJ_NUMBER) {
- arrIndex.push_back(std::make_pair(pStartNumObj->GetInteger(), pCountObj->GetInteger()));
+ int nStartNum = pStartNumObj->GetInteger();
+ int nCount = pCountObj->GetInteger();
+ if (nStartNum >= 0 && nCount > 0) {
+ arrIndex.push_back(std::make_pair(nStartNum, nCount));
+ }
}
}
}
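Review bot: The new guard on `nStartNum` and `nCount` rejects a negative start and a non-positive count, but a pair whose sum exceeds the `int` range still passes, and both values come straight from the untrusted xref stream's Index array; the check would be tighter as `if (nStartNum >= 0 && nCount > 0 && nCount <= std::numeric_limits<int>::max() - nStartNum) {` (with `<limits>` in scope). Whether the later loop over `arrIndex` computes `nStartNum + nCount` and so can overflow is not visible here — LoadCrossRefV5 begins before the hunk and continues after it — so that part is inferred, not confirmed. A one-line comment above the guard would also help the next reader, e.g. `// Reject malformed Index pairs (negative start, zero or negative count) from untrusted input; see BUG=473400.`.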