From 19dee922f1284294bed29b26a67cce1d2ee3a48f Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Wed, 13 Jan 2016 12:19:21 -0800
Subject: Merge to XFA: Fix out of bound access in CPDF_Parser::ParseIndirectObject().
This regressed in commit f6dafc9.
BUG=576915
TBR=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1582763002 .
(cherry picked from commit e02f30bb59b01c159b010fc5c6bb55e677aba8ce)
Review URL: https://codereview.chromium.org/1584663003 .
---
 core/include/fpdfapi/fpdf_parser.h | 1 +
 .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/core/include/fpdfapi/fpdf_parser.h b/core/include/fpdfapi/fpdf_parser.h
index 84eacf6bf5..fda4557119 100644
--- a/core/include/fpdfapi/fpdf_parser.h
+++ b/core/include/fpdfapi/fpdf_parser.h
@@ -475,6 +475,7 @@ class CPDF_Parser {
   void SetEncryptDictionary(CPDF_Dictionary* pDict);
   FX_FILESIZE GetObjectPositionOrZero(FX_DWORD objnum) const;
+  void ShrinkObjectMap(FX_DWORD size);
   CPDF_Document* m_pDocument;
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 641e1e18ff..73da3619bb 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -143,6 +143,22 @@ FX_FILESIZE CPDF_Parser::GetObjectPositionOrZero(FX_DWORD objnum) const {
   return it != m_ObjectInfo.end() ? it->second.pos : 0;
 }
+void CPDF_Parser::ShrinkObjectMap(FX_DWORD objnum) {
+  if (objnum == 0) {
+    m_ObjectInfo.clear();
+    return;
+  }
+
+  auto it = m_ObjectInfo.lower_bound(objnum);
+  while (it != m_ObjectInfo.end()) {
+    auto saved_it = it++;
+    m_ObjectInfo.erase(saved_it);
+  }
+
+  if (!pdfium::ContainsKey(m_ObjectInfo, objnum - 1))
+    m_ObjectInfo[objnum - 1].pos = 0;
+}
+
 void CPDF_Parser::CloseParser(FX_BOOL bReParse) {
   m_bVersionUpdated = FALSE;
   if (!bReParse) {
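Review bot: The new function's parameter is declared as `size` in fpdf_parser.h but defined as `objnum` in the fpdf_parser_parser.cpp hunk, and every caller on this page passes an xref table size, so the definition's name misstates what the value is; rename it `size` here and add a comment above the definition, e.g. `// Drops entries for object numbers >= size so m_ObjectInfo never outgrows m_V5Type, and ensures entry size-1 exists so the highest object number matches the table size.` The erase loop can be the single range erase `m_ObjectInfo.erase(m_ObjectInfo.lower_bound(objnum), m_ObjectInfo.end());` if m_ObjectInfo is a std::map, as lower_bound and ContainsKey suggest. The early return for 0 is what keeps `objnum - 1` from wrapping on the unsigned FX_DWORD and deserves a one-line comment, e.g. `// 0 would underflow objnum - 1 below; an empty table has no entries to keep.` The header hunk on this line carries the other half of the name mismatch.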
@@ -379,7 +395,7 @@ FX_BOOL CPDF_Parser::LoadAllCrossRefV4(FX_FILESIZE xrefpos) {
   if (xrefsize <= 0 || xrefsize > kMaxXRefSize) {
     return FALSE;
   }
-  m_ObjectInfo[0].pos = 0;
+  ShrinkObjectMap(xrefsize);
   m_V5Type.SetSize(xrefsize);
   CFX_FileSizeArray CrossRefList;
   CFX_FileSizeArray XRefStreamList;
@@ -1029,7 +1045,7 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, FX_BOOL bMainXRef) {
   }
   if (bMainXRef) {
     m_pTrailer = ToDictionary(pStream->GetDict()->Clone());
-    m_ObjectInfo[0].pos = 0;
+    ShrinkObjectMap(size);
     if (m_V5Type.SetSize(size)) {
       FXSYS_memset(m_V5Type.GetData(), 0, size);
     }
@@ -1607,7 +1623,7 @@ FX_DWORD CPDF_Parser::StartAsynParse(IFX_FileRead* pFileAccess,
   int32_t xrefsize = GetDirectInteger(m_pTrailer, "Size");
   if (xrefsize > 0) {
-    m_ObjectInfo[0].pos = 0;
+    ShrinkObjectMap(xrefsize);
     m_V5Type.SetSize(xrefsize);
   }
 }
--
cgit v1.2.3
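Review bot: In the LoadCrossRefV5 hunk the map is shrunk unconditionally while the m_V5Type resize stays behind `if (m_V5Type.SetSize(size))`, so on a failed resize m_ObjectInfo ends up with a sentinel entry at size-1 that m_V5Type may not cover, the same shape of mismatch this commit fixes; moving `ShrinkObjectMap(size);` inside the SetSize branch, or returning FALSE when SetSize fails, keeps the two in step. Whether SetSize can actually fail for a value that reaches this point is not visible in the hunk. The LoadAllCrossRefV4 and StartAsynParse hunks ignore SetSize's return entirely; if failure is possible there, the same ordering question applies. All three enclosing functions extend outside their hunks.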
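Review bot: In the StartAsynParse hunk `xrefsize` comes from the trailer's /Size and is only checked for `> 0`, whereas the LoadAllCrossRefV4 hunk also rejects values above kMaxXRefSize before resizing; unless an earlier check outside the hunk bounds it, a file-supplied /Size drives both ShrinkObjectMap and m_V5Type.SetSize with an unbounded count. Mirroring the other site, `if (xrefsize > 0 && xrefsize <= kMaxXRefSize) {`, keeps the two entry points consistent. StartAsynParse begins and ends outside the hunk.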