diff options
author | Dan Sinclair <dsinclair@chromium.org> | 2017-05-08 14:16:51 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-05-08 18:38:02 +0000 |
commit | 486f141ed1fa5b92f59d403c4b549ede2ea1a2c8 (patch) | |
tree | e91cc72d308c7e3ffa5e40403157de54568b5d23 /fxjs | |
parent | 1ef04c9bc0c19dd815f64ec48e7eef106cf88b49 (diff) | |
download | pdfium-486f141ed1fa5b92f59d403c4b549ede2ea1a2c8.tar.xz |
Check bits to decode will fit before decoding
When decoding the CPDF_HintTable we read the dwDeltaGroupLen value out
of the input stream which is a 16bit number. That value is then passed
in to read a uint32_t of the object number. If we have a group length of
> 32 bits we'll cause an undefined shift when we attempt to shift right
more then 32 bits.
This Cl bails out early if the dwDeltaGroupLen value is > 32 in order to
stop the undefined shifts.
Bug: chromium:718505
Change-Id: I919d6f4cd19826094a5e44d3a65d758029f5c236
Reviewed-on: https://pdfium-review.googlesource.com/5090
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'fxjs')
0 files changed, 0 insertions, 0 deletions