From 10f9fb3f10bc47b3317fe1c8b55711015fb7de87 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Thu, 5 Apr 2018 17:54:26 +0000
Subject: Ignore bad data in the shared object hint table.
Currently this is being treated as a case of "data not available" which leads to an infinite loop.
BUG=pdfium:1055
Change-Id: I2722a5b364d56a4ad5b7cca2a4b42e6b13a933f4
Reviewed-on: https://pdfium-review.googlesource.com/29831
Commit-Queue: Lei Zhang
Reviewed-by: dsinclair
---
 core/fpdfapi/parser/cpdf_hint_tables.cpp | 5 +++--
 fpdfsdk/fpdf_view_embeddertest.cpp | 9 +++++++++
 testing/resources/linearized_bug_1055.pdf | Bin 0 -> 11390 bytes
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 testing/resources/linearized_bug_1055.pdf
diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index c9123d4b97..381b160233 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -418,8 +418,9 @@ CPDF_DataAvail::DocAvailStatus CPDF_HintTables::CheckPage(uint32_t index) {
 return CPDF_DataAvail::DataError;
 if (!m_pValidator->CheckDataRangeAndRequestIfUnavailable(
- m_szPageOffsetArray[index], dwLength))
+ m_szPageOffsetArray[index], dwLength)) {
 return CPDF_DataAvail::DataNotAvailable;
+ }
 // Download data of shared objects in the page.
 uint32_t offset = 0;
@@ -435,7 +436,7 @@ CPDF_DataAvail::DocAvailStatus CPDF_HintTables::CheckPage(uint32_t index) {
 for (uint32_t j = 0; j < m_dwNSharedObjsArray[index]; ++j) {
 dwIndex = m_dwIdentifierArray[offset + j];
 if (dwIndex >= m_dwSharedObjNumArray.size())
- return CPDF_DataAvail::DataNotAvailable;
+ continue;
 dwObjNum = m_dwSharedObjNumArray[dwIndex];
 if (dwObjNum >= static_cast(nFirstPageObjNum) &&
diff --git a/fpdfsdk/fpdf_view_embeddertest.cpp b/fpdfsdk/fpdf_view_embeddertest.cpp
index 0bfa1a30b2..8d2cd3af1b 100644
--- a/fpdfsdk/fpdf_view_embeddertest.cpp
+++ b/fpdfsdk/fpdf_view_embeddertest.cpp
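Review bot: The new `continue` in CheckPage's shared-object loop (core/fpdfapi/parser/cpdf_hint_tables.cpp, second hunk) skips an out-of-range identifier without a word at that line on why it is neither `DataNotAvailable` nor `DataError`, the status returned at the top of the first hunk. A comment such as `// Bad identifier in the hint table: skip it. Returning DataNotAvailable here led to an infinite loop (pdfium:1055).` would keep a later cleanup from restoring the hang. Separately, the read `m_dwIdentifierArray[offset + j]` one line above is indexed from the same hint-table data, and no bound on `offset + j` is visible in this hunk; if the table-parsing code outside the hunk does not guarantee it, that read deserves the same kind of guard. The loop and the rest of CheckPage continue outside the hunk.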
@@ -390,6 +390,15 @@ TEST_F(FPDFViewEmbeddertest, Hang_360) {
 EXPECT_FALSE(OpenDocument("bug_360.pdf"));
 }
+// Deliberately damaged version of linearized.pdf with bad data in the shared
+// object hint table.
+TEST_F(FPDFViewEmbeddertest, Hang_1055) {
+ EXPECT_TRUE(OpenDocumentLinearized("linearized_bug_1055.pdf"));
+ int version;
+ EXPECT_TRUE(FPDF_GetFileVersion(document(), &version));
+ EXPECT_EQ(16, version);
+}
+
 void FPDFViewEmbeddertest::TestRenderPageBitmapWithMatrix(
 FPDF_PAGE page,
 const int bitmap_width,
diff --git a/testing/resources/linearized_bug_1055.pdf b/testing/resources/linearized_bug_1055.pdf
new file mode 100644
index 0000000000..2f0f493b42
Binary files /dev/null and b/testing/resources/linearized_bug_1055.pdf differ
-- cgit v1.2.3
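Review bot: `int version;` in Hang_1055 (fpdfsdk/fpdf_view_embeddertest.cpp) is left uninitialised and is still read by `EXPECT_EQ(16, version)` when `FPDF_GetFileVersion` fails, because `EXPECT_TRUE` records the failure and carries on. Declaring it as `int version = 0;` or switching that check to `ASSERT_TRUE(FPDF_GetFileVersion(document(), &version));` avoids the indeterminate read. The same holds for the open step: with `EXPECT_TRUE(OpenDocumentLinearized(...))` a failed open still falls through to `FPDF_GetFileVersion(document(), &version)`, so `ASSERT_TRUE` is the safer form there as well.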