diff options
| author | Tom Sepez <tsepez@chromium.org> | 2015-04-27 13:24:03 -0700 |
|---|---|---|
| committer | Tom Sepez <tsepez@chromium.org> | 2015-04-27 13:24:03 -0700 |
| commit | bb93b0ba5b3c430d3b996e2c009d48feb17a44c3 (patch) | |
| tree | 6f62b5280dd1755d8b52c775484b20cbe22fd7d5 /testing | |
| parent | 99ee3d3527bc00f83f01e1db007d190a6b3458f5 (diff) | |
| download | pdfium-bb93b0ba5b3c430d3b996e2c009d48feb17a44c3.tar.xz | |
SEGV in CFX_BaseSegmentedArray::Iterate() when CS has malformed dictionary.
Failure to check document-controlled value before using it.
BUG=481363
R=palmer@chromium.org, thestig@chromium.org
Review URL: https://codereview.chromium.org/1110653002
Diffstat (limited to 'testing')
| -rw-r--r-- | testing/resources/bug_481363.in | 52 | ||||
| -rw-r--r-- | testing/resources/bug_481363.pdf | 62 |
2 files changed, 114 insertions, 0 deletions
diff --git a/testing/resources/bug_481363.in b/testing/resources/bug_481363.in new file mode 100644 index 0000000000..32a724d363 --- /dev/null +++ b/testing/resources/bug_481363.in @@ -0,0 +1,52 @@ +{{header}} +{{object 1 0}} << + /Type /Pages + /Kids [2 0 R] + /Count 1 +>> +endobj +{{object 2 0}} << +<< + /Type /Page + /Parent 1 0 R + /MediaBox [0 0 612 792] + /Contents [4 0 R] + /Resources << + /Font <</F1 5 0 R>> + /ColorSpace<</CS1 6 0 R>> + >> +>> +endobj +{{object 3 0}} << + /Type /Catalog + /Pages 1 0 R +>> +endobj +{{object 4 0}} << + /Length 0 +>> stream +/CS1 cs 0 -100 -100 sc +100 500 100 100 re b +endstream +endobj +{{object 5 0)) << + /Type /Font + /Subtype /Type1 + /BaseFont /He +>> +endobj +% Dictionary object malformed: 4< vs <<. +{{object 6 0}} [ + /Lab 4< + /WhitePoint [0.9505 1.00 1.0890 ] + /Range [-100 100 -100 100 ] + >> +] +endobj +{{xref}} +trailer << + /Size 0 + /Root 3 0 R +>> +{{startxref}} +%%EOF diff --git a/testing/resources/bug_481363.pdf b/testing/resources/bug_481363.pdf new file mode 100644 index 0000000000..53468a0412 --- /dev/null +++ b/testing/resources/bug_481363.pdf @@ -0,0 +1,62 @@ +%PDF-1.7 +% ò¤ô +1 0 obj << + /Type /Pages + /Kids [2 0 R] + /Count 1 +>> +endobj +2 0 obj << +<< + /Type /Page + /Parent 1 0 R + /MediaBox [0 0 612 792] + /Contents [4 0 R] + /Resources << + /Font <</F1 5 0 R>> + /ColorSpace<</CS1 6 0 R>> + >> +>> +endobj +3 0 obj << + /Type /Catalog + /Pages 1 0 R +>> +endobj +4 0 obj << + /Length 0 +>> stream +/CS1 cs 0 -100 -100 sc +100 500 100 100 re b +endstream +endobj +{{object 5 0)) << + /Type /Font + /Subtype /Type1 + /BaseFont /He +>> +endobj +% Dictionary object malformed: 4< vs <<. +6 0 obj [ + /Lab 4< + /WhitePoint [0.9505 1.00 1.0890 ] + /Range [-100 100 -100 100 ] + >> +] +endobj +xref +0 7 +0000000000 65535 f +0000000015 00000 n +0000000078 00000 n +0000000253 00000 n +0000000306 00000 n +0000000000 65535 f +0000000517 00000 n +trailer << + /Size 0 + /Root 3 0 R +>> +startxref +621 +%%EOF |