summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp21
1 files changed, 14 insertions, 7 deletions
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index 3b0d2afbe0..445f3bf433 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -6,6 +6,8 @@
#include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h"
+#include <limits>
+
#include "core/fpdfapi/fpdf_parser/include/cpdf_array.h"
#include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h"
#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
@@ -57,9 +59,14 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
return false;
int nStreamOffset = ReadPrimaryHintStreamOffset();
+ if (nStreamOffset < 0)
+ return false;
+
int nStreamLen = ReadPrimaryHintStreamLength();
- if (nStreamOffset < 0 || nStreamLen < 1)
+ if (nStreamLen < 1 ||
+ !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) {
return false;
+ }
const uint32_t kHeaderSize = 288;
if (hStream->BitsRemaining() < kHeaderSize)
@@ -68,20 +75,20 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
// Item 1: The least number of objects in a page.
const uint32_t dwObjLeastNum = hStream->GetBits(32);
if (!dwObjLeastNum)
- return FALSE;
+ return false;
// Item 2: The location of the first page's page object.
const uint32_t dwFirstObjLoc = hStream->GetBits(32);
if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) {
- FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen);
+ FX_SAFE_FILESIZE safeLoc = nStreamLen;
safeLoc += dwFirstObjLoc;
if (!safeLoc.IsValid())
return false;
- m_szFirstPageObjOffset =
- pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie());
+ m_szFirstPageObjOffset = safeLoc.ValueOrDie();
} else {
- m_szFirstPageObjOffset =
- pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc);
+ if (!pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(dwFirstObjLoc))
+ return false;
+ m_szFirstPageObjOffset = dwFirstObjLoc;
}
// Item 3: The number of bits needed to represent the difference