Check bits to decode will fit before decoding

When decoding the CPDF_HintTable we read the dwDeltaGroupLen value out
of the input stream which is a 16bit number. That value is then passed
in to read a uint32_t of the object number. If we have a group length of
> 32 bits we'll cause an undefined shift when we attempt to shift right
more then 32 bits.

This Cl bails out early if the dwDeltaGroupLen value is > 32 in order to
stop the undefined shifts.

Bug: chromium:718505
Change-Id: I919d6f4cd19826094a5e44d3a65d758029f5c236
Reviewed-on: https://pdfium-review.googlesource.com/5090
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>

1 files changed, 5 insertions, 0 deletions

diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 24abf5dd13..6a84143f9e 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -290,6 +290,11 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // greatest and least length of a shared object group, in bytes.
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
+  // Trying to decode more than 32 bits isn't going to work when we write into
+  // a uint32_t.
+  if (dwDeltaGroupLen > 31)
+    return false;
+
   if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
       m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
       dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {