diff options
author | Chris Palmer <palmer@google.com> | 2014-07-18 15:18:43 -0700 |
---|---|---|
committer | Chris Palmer <palmer@google.com> | 2014-07-18 15:18:43 -0700 |
commit | 98a44a176d137083434587fb5ebc53c6d963ff7f (patch) | |
tree | bb276e4674360135ba9eda2c6299b00f6dfb5bc8 /core | |
parent | 5ffacd677a141ed2756009b0f4a07ee4cf284a1b (diff) | |
download | pdfium-98a44a176d137083434587fb5ebc53c6d963ff7f.tar.xz |
Fix the potential integer overflow from "offset + size".
BUG=382667
R=jschuh@chromium.org, jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/390983007
Diffstat (limited to 'core')
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index f82bf3a861..14597d989c 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -2864,13 +2864,27 @@ FX_BOOL CPDF_DataAvail::IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePa CPDF_Reference *pRef = (CPDF_Reference*)pObj; FX_DWORD dwNum = pRef->GetRefObjNum(); FX_FILESIZE offset; - FX_DWORD size = GetObjectSize(pRef->GetRefObjNum(), offset); - if (!size) { + FX_DWORD original_size = GetObjectSize(dwNum, offset); + base::CheckedNumeric<FX_DWORD> size = original_size; + if (size.ValueOrDefault(0) == 0 || offset < 0 || offset >= m_dwFileLen) { break; } - size = (FX_DWORD)((FX_FILESIZE)(offset + size + 512) > m_dwFileLen ? m_dwFileLen - offset : size + 512); - if (!m_pFileAvail->IsDataAvail(offset, size)) { - pHints->AddSegment(offset, size); + + size += offset; + size += 512; + if (!size.IsValid()) { + break; + } + if (size.ValueOrDie() > m_dwFileLen) { + size = m_dwFileLen - offset; + } else { + size = original_size + 512; + } + if (!size.IsValid()) { + break; + } + if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) { + pHints->AddSegment(offset, size.ValueOrDie()); ret_array.Add(pObj); count++; } else if (!m_objnum_array.Find(dwNum)) { |