diff options
author | Tom Sepez <tsepez@chromium.org> | 2015-02-05 10:41:08 -0800 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-02-05 10:41:08 -0800 |
commit | 219b3dab7e184bf8742f61527e37053b04903ff0 (patch) | |
tree | 8ce24202dc2fd5a61774c947e5eecf007bea6bf9 /core | |
parent | dabc5d57bf473708295800a7991bc1fafdf76288 (diff) | |
download | pdfium-219b3dab7e184bf8742f61527e37053b04903ff0.tar.xz |
Fix segv in CPDF_DataAvail::CheckRoot() when /Root object is a string.
Handles the case of this malformed PDF without crashing. Note that to
get a reproducible test case, a small fix is applied to our .py script
which results in some whitespace/numbering difs across the resources
(down the road, we ought to generate them on the fly in an intermediate
directory).
BUG=454695
R=jun_fang@foxitsoftware.com, thestig@chromium.org
Review URL: https://codereview.chromium.org/895933003
Diffstat (limited to 'core')
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 16274088c0..4ed4c70e27 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -3390,7 +3390,12 @@ FX_BOOL CPDF_DataAvail::CheckRoot(IFX_DownloadHints* pHints) } return FALSE; } - CPDF_Reference* pRef = (CPDF_Reference*)m_pRoot->GetDict()->GetElement(FX_BSTRC("Pages")); + CPDF_Dictionary* pDict = m_pRoot->GetDict(); + if (!pDict) { + m_docStatus = PDF_DATAAVAIL_ERROR; + return FALSE; + } + CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages")); if (pRef == NULL || pRef->GetType() != PDFOBJ_REFERENCE) { m_docStatus = PDF_DATAAVAIL_ERROR; return FALSE; |