CPDF_HintTables should not try to read 0 bits.

CFX_BitStream::GetBits() got refactored recently, with an assert to not read 0 bits. A fuzzer then discovered code that is trying to do that. BUG=chromium:846394 Change-Id: Ib18b47200c82aab369109b5911540db724172690 Reviewed-on: https://pdfium-review.googlesource.com/32934 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
author: Lei Zhang <thestig@chromium.org> 2018-05-24 20:10:22 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-05-24 20:10:22 +0000
commit: 97db69faaeb4f8481f9d8824bff644509949cb0d (patch)
tree: 40d036831b78a790f3c561cf8d789cf077ca0956 /core
parent: 5bf772bade615d8cb3388f677d85785fe0c01824 (diff)
download: pdfium-97db69faaeb4f8481f9d8824bff644509949cb0d.tar.xz
1 files changed, 2 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 123e6594c1..9cd72c7815 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -294,8 +294,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
   // Trying to decode more than 32 bits isn't going to work when we write into
-  // a uint32_t.
-  if (dwDeltaGroupLen > 31)
+  // a uint32_t. Decoding 0 bits also makes no sense.
+  if (!IsValidPageOffsetHintTableBitCount(dwDeltaGroupLen))
     return false;
 
   if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
author	Lei Zhang <thestig@chromium.org>	2018-05-24 20:10:22 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-05-24 20:10:22 +0000
commit	97db69faaeb4f8481f9d8824bff644509949cb0d (patch)
tree	40d036831b78a790f3c561cf8d789cf077ca0956 /core
parent	5bf772bade615d8cb3388f677d85785fe0c01824 (diff)
download	pdfium-97db69faaeb4f8481f9d8824bff644509949cb0d.tar.xz