diff options
author | tsepez <tsepez@chromium.org> | 2017-01-18 10:24:35 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2017-01-18 10:24:36 -0800 |
commit | e507dc5004184ae3f8fd1cd19b723b4be69a46da (patch) | |
tree | 204cdce265b694625374b11661b485054a20cb8d /testing/resources/bug_680376.pdf | |
parent | 19c209de418a10f7d5c157cdda38e9308bfa5503 (diff) | |
download | pdfium-e507dc5004184ae3f8fd1cd19b723b4be69a46da.tar.xz |
Bad indexing in CPDF_Document::FindPageIndex when page tree corrupt.
Moving to std::vector from the more forgiving CFX_ArrayTemplate
revealed the dubious page tree traversal, which depends on the
correctness of the /Count entries to properly summarize the total
descendants under a given node.
The only "correct" thing to do is to throw away these counts as parsed,
and re-compute them, perhaps in CountPages(). But I'm not willing to do
that since it may break unknown documents in the wild.
Pass out-params as pointers while we're at it.
BUG=680376
Review-Url: https://codereview.chromium.org/2636403003
Diffstat (limited to 'testing/resources/bug_680376.pdf')
-rw-r--r-- | testing/resources/bug_680376.pdf | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/testing/resources/bug_680376.pdf b/testing/resources/bug_680376.pdf new file mode 100644 index 0000000000..fb01c57613 --- /dev/null +++ b/testing/resources/bug_680376.pdf @@ -0,0 +1,156 @@ +%PDF-1.7 +% ò¤ô +1 0 obj << + /Type /Catalog + /Pages 2 0 R + /Names << + /Dests 10 0 R + >> + /Dests 14 0 R +>> +endobj +2 0 obj << + /Type /Pages + /Count 4 + /Kids [ + 5 0 R + 6 0 R + ] +>> +endobj +% Page number 0. +3 0 obj << + /Type /Page + /Parent 2 0 R + /Resources << + /Font <</F1 15 0 R>> + >> + /Contents [21 0 R] + /MediaBox [0 0 612 792] +>> +endobj +% Page number 1. +4 0 obj << + /Type /Page + /Parent 2 0 R + /Resources << + /Font <</F1 15 0 R>> + >> + /Contents [22 0 R] + /MediaBox [0 0 612 792] +>> +endobj +% Tree node with bad Count, duplicated kids. +5 0 obj << + /Type /Pages + /Parent 2 0 R + /Count 2 + /Kids [ + 3 0 R + 3 0 R + 3 0 R + 3 0 R + ] +>> +endobj +% tree node with actual kids +6 0 obj << + /Type /Pages + /Count 2 + /Kids [ + 3 0 R + 4 0 R + ] +>> +% Root of Dests NameTree +10 0 obj << + /Kids [ + 11 0 R + 12 0 R + ] +>> +endobj +% Left child for Dests NameTree +11 0 obj << + /Names [ + (First) [4 0 R] + ] +>> +endobj +% Right child for Dests NameTree +12 0 obj << + /Names [ + (WrongKey) <</Fail [10 /FitH]>> + (WrongType) /NameNotAllowedHere + ] +>> +endobj +% Old-style top-level Dests dictionary. Note that FirstAlternate +% intentionally references non-exisstant page 11 and LastAlternate +% intentionally references non-existant object 999. +14 0 obj << + /FirstAlternate [11 /XYZ 200 400 800] + /LastAlternate <</D [999 0 R /XYZ 0 0 -200]>> +>> +endobj +% Font resource. +15 0 obj << + /Type /Font + /Subtype /Type1 + /BaseFont /Arial +>> +endobj +% Content for page 0. +21 0 obj << + /Length 0 +>> +stream +BT +/F1 20 Tf +100 600 TD (Page1)Tj +ET +endstream +endobj +% Content for page 1. +22 0 obj << + /Length 0 +>> +stream +BT +/F1 20 Tf +100 600 TD (Page2)Tj +ET +endstream +endobj +xref +0 23 +0000000000 65535 f +0000000015 00000 n +0000000119 00000 n +0000000217 00000 n +0000000378 00000 n +0000000568 00000 n +0000000714 00000 n +0000000000 65535 f +0000000000 65535 f +0000000000 65535 f +0000000813 00000 n +0000000903 00000 n +0000000993 00000 n +0000000000 65535 f +0000001287 00000 n +0000001415 00000 n +0000000000 65535 f +0000000000 65535 f +0000000000 65535 f +0000000000 65535 f +0000000000 65535 f +0000001510 00000 n +0000001620 00000 n +trailer << + /Size 6 + /Root 1 0 R +>> +startxref +1708 +%%EOF |