From 1569728e9f5a60b033e530ee1d4cd99e467649da Mon Sep 17 00:00:00 2001
From: JUN FANG
Date: Fri, 10 Apr 2015 13:45:43 -0700
Subject: Fix a stack overflow in CPDF_Parser::LoadCrossRefV5

A stack overflow was triggered by checked_cast due to invalid index in pdf files like 'Index[45 -1661]'.

BUG=473400
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1054303005
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 592f24f40b..4be403bba6 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -1039,7 +1039,11 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE pos, FX_FILESIZE& prev, FX_BOOL
             CPDF_Object* pCountObj = pArray->GetElement(i * 2 + 1);
             if (pStartNumObj && pStartNumObj->GetType() == PDFOBJ_NUMBER &&
                 pCountObj && pCountObj->GetType() == PDFOBJ_NUMBER) {
-                arrIndex.push_back(std::make_pair(pStartNumObj->GetInteger(), pCountObj->GetInteger()));
+                int nStartNum = pStartNumObj->GetInteger();
+                int nCount = pCountObj->GetInteger();
+                if (nStartNum >= 0 && nCount > 0) {
+                    arrIndex.push_back(std::make_pair(nStartNum, nCount));
+                }
             }
         }
     }
-- 
cgit v1.2.3
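Review bot: The added guard on the `if (nStartNum >= 0 && nCount > 0)` line rejects negative values but not a pair whose sum overflows `int`: a `nStartNum` close to `INT_MAX` with a large `nCount` still passes, and presumably is summed downstream when the subsection's object numbers are walked (that code is outside the hunk, so this is inferred). Tightening the condition to `if (nStartNum >= 0 && nCount > 0 && nCount <= INT_MAX - nStartNum) {` closes that case without changing the path for well-formed input. It would also help a later reader to record why a malformed pair is dropped rather than the whole cross-reference stream being rejected, e.g. `// Skip malformed Index pairs (negative start or non-positive count) instead of failing the whole xref stream.` above the guard. LoadCrossRefV5 begins and ends outside the hunk.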