From 219b3dab7e184bf8742f61527e37053b04903ff0 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Thu, 5 Feb 2015 10:41:08 -0800 Subject: Fix segv in CPDF_DataAvail::CheckRoot() when /Root object is a string. Handles the case of this malformed PDF without crashing. Note that to get a reproducible test case, a small fix is applied to our .py script which results in some whitespace/numbering difs across the resources (down the road, we ought to generate them on the fly in an intermediate directory). BUG=454695 R=jun_fang@foxitsoftware.com, thestig@chromium.org Review URL: https://codereview.chromium.org/895933003 --- .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 7 +++- fpdfsdk/src/fpdfview_embeddertest.cpp | 4 ++ testing/resources/bug_451265.pdf | 30 +++++++------- testing/resources/bug_452455.pdf | 36 ++++++++--------- testing/resources/bug_454695.in | 12 ++++++ testing/resources/bug_454695.pdf | 17 ++++++++ testing/resources/bug_57.pdf | 12 +++--- testing/resources/hello_world.pdf | 14 +++---- testing/resources/named_dests.pdf | 46 +++++++++++----------- testing/resources/trailer_as_hexstring.pdf | 9 +++-- testing/resources/trailer_unterminated.pdf | 8 ++-- testing/resources/weblinks.pdf | 14 +++---- testing/tools/fixup_pdf_template.py | 6 ++- 13 files changed, 128 insertions(+), 87 deletions(-) create mode 100644 testing/resources/bug_454695.in create mode 100644 testing/resources/bug_454695.pdf
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 16274088c0..4ed4c70e27 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -3390,7 +3390,12 @@ FX_BOOL CPDF_DataAvail::CheckRoot(IFX_DownloadHints* pHints)
 }
 return FALSE;
 }
- CPDF_Reference* pRef = (CPDF_Reference*)m_pRoot->GetDict()->GetElement(FX_BSTRC("Pages"));
+ CPDF_Dictionary* pDict = m_pRoot->GetDict();
+ if (!pDict) {
+ m_docStatus = PDF_DATAAVAIL_ERROR;
+ return FALSE;
+ }
+ CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages"));
 if (pRef == NULL || pRef->GetType() != PDFOBJ_REFERENCE) {
 m_docStatus = PDF_DATAAVAIL_ERROR;
 return FALSE;
diff --git a/fpdfsdk/src/fpdfview_embeddertest.cpp b/fpdfsdk/src/fpdfview_embeddertest.cpp
index 04549741ec..47119b5c52 100644
--- a/fpdfsdk/src/fpdfview_embeddertest.cpp
+++ b/fpdfsdk/src/fpdfview_embeddertest.cpp
@@ -190,3 +190,7 @@ TEST_F(FPDFViewEmbeddertest, Crasher_452455) {
 FPDF_PAGE page = LoadPage(0);
 EXPECT_NE(nullptr, page);
 }
+
+TEST_F(FPDFViewEmbeddertest, Crasher3) {
+ EXPECT_TRUE(OpenDocument("testing/resources/bug_454695.pdf"));
+}
diff --git a/testing/resources/bug_451265.pdf b/testing/resources/bug_451265.pdf
index 299363dac7..2a154771aa 100644
--- a/testing/resources/bug_451265.pdf
+++ b/testing/resources/bug_451265.pdf
@@ -74,21 +74,21 @@ endstream
 endobj
 xref
 0 15
-0000000000 65536 f
-0000000015 00000 n
-0000000078 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000348 00000 n
-0000000405 00000 n
-0000000531 00000 n
-0000000712 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000078 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000348 00000 n
+0000000405 00000 n
+0000000531 00000 n
+0000000712 00000 n
 trailer <<
 /Root 2 0 R
 /Size 110
diff --git a/testing/resources/bug_452455.pdf b/testing/resources/bug_452455.pdf
index 35d067cb29..95ab801884 100644
--- a/testing/resources/bug_452455.pdf
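Review bot: The new `CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages"));` still applies the C-style downcast before the `GetType() != PDFOBJ_REFERENCE` test on the following line, so the element is viewed as a reference before anything has confirmed it is one. Keeping it as `CPDF_Object* pObj = pDict->GetElement(FX_BSTRC("Pages"));`, testing `pObj == NULL || pObj->GetType() != PDFOBJ_REFERENCE`, and casting to `CPDF_Reference*` only after that check puts the type test ahead of the cast, in the same spirit as the new `pDict` guard. That guard deserves a why-comment, since the code does not say what the commit message does, e.g. `// /Root is not a dictionary (e.g. a string, bug 454695); GetDict() presumably yields NULL then.`. CheckRoot's body starts and ends outside this hunk.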
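Review bot: `TEST_F(FPDFViewEmbeddertest, Crasher3)` breaks the naming the neighbouring `Crasher_452455` establishes, where the bug number is part of the test name; `TEST_F(FPDFViewEmbeddertest, Crasher_454695)` keeps that convention and makes the test and its fixture file greppable together. A one-line comment above the test would also record what the fixture exercises, e.g. `// bug_454695.pdf has a hex string, not a dictionary, as /Root; opening it must not crash.`.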
+++ b/testing/resources/bug_452455.pdf
@@ -57,24 +57,24 @@ endobj
 endobj
 xref
 0 18
-0000000000 65536 f
-0000000015 00000 n
-0000000068 00000 n
-0000000131 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000221 00000 n
-0000000280 00000 n
-0000000340 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000555 00000 n
-0000000389 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000068 00000 n
+0000000131 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000221 00000 n
+0000000280 00000 n
+0000000340 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000555 00000 n
+0000000389 00000 n
 trailer <<
 /Root 1 0 R
 >>
diff --git a/testing/resources/bug_454695.in b/testing/resources/bug_454695.in
new file mode 100644
index 0000000000..36ae84cb0d
--- /dev/null
+++ b/testing/resources/bug_454695.in
@@ -0,0 +1,12 @@
+{{header}}
+% Hex string, not a dict as expected.
+{{object 1 0}}
+
+endobj
+{{xref}}
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/bug_454695.pdf b/testing/resources/bug_454695.pdf
new file mode 100644
index 0000000000..382194f9e8
--- /dev/null
+++ b/testing/resources/bug_454695.pdf
@@ -0,0 +1,17 @@
+%PDF-1.7
+% ò¤ô
+% Hex string, not a dict as expected
+1 0 obj
+
+endobj
+xref
+0 2
+0000000000 65535 f
+0000000052 00000 n
+trailer <<
+ /Size 2
+ /Root 1 0 R
+>>
+startxref
+82
+%%EOF
diff --git a/testing/resources/bug_57.pdf b/testing/resources/bug_57.pdf
index d954c43f54..0c3f7dfdab 100644
--- a/testing/resources/bug_57.pdf
+++ b/testing/resources/bug_57.pdf
@@ -42,12 +42,12 @@ endstream
 endobj
 xref
 0 6
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000280 00000 n
-0000000409 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000280 00000 n
+0000000409 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/hello_world.pdf b/testing/resources/hello_world.pdf
index 84e77057cb..bb4f0a88e7 100644
--- a/testing/resources/hello_world.pdf
+++ b/testing/resources/hello_world.pdf
@@ -50,13 +50,13 @@ endstream
 endobj
 xref
 0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000296 00000 n
-0000000374 00000 n
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000296 00000 n
+0000000374 00000 n
+0000000450 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/named_dests.pdf b/testing/resources/named_dests.pdf
index e302c196d6..2e0e5ce71d 100644
--- a/testing/resources/named_dests.pdf
+++ b/testing/resources/named_dests.pdf
@@ -103,29 +103,29 @@ endstream
 endobj
 xref
 0 23
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000217 00000 n
-0000000378 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000548 00000 n
-0000000638 00000 n
-0000000766 00000 n
-0000000000 65536 f
-0000001060 00000 n
-0000001188 00000 n
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000000000 65536 f
-0000001283 00000 n
-0000001393 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000217 00000 n
+0000000378 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000548 00000 n
+0000000638 00000 n
+0000000766 00000 n
+0000000000 65535 f
+0000001060 00000 n
+0000001188 00000 n
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000000000 65535 f
+0000001283 00000 n
+0000001393 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/resources/trailer_as_hexstring.pdf b/testing/resources/trailer_as_hexstring.pdf
index 5b75a53afa..bd94c4779d 100644
--- a/testing/resources/trailer_as_hexstring.pdf
+++ b/testing/resources/trailer_as_hexstring.pdf
@@ -25,10 +25,11 @@ endobj
 endobj
 xref
 0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
+% trailer erroneously contains a hex string, not a dictionary.
 trailer <0000deadbabe0000>
 startxref
 267
diff --git a/testing/resources/trailer_unterminated.pdf b/testing/resources/trailer_unterminated.pdf
index b01ec4b67d..be59202db4 100644
--- a/testing/resources/trailer_unterminated.pdf
+++ b/testing/resources/trailer_unterminated.pdf
@@ -25,10 +25,10 @@ endobj
 endobj
 xref
 0 4
-0000000000 65536 f
-0000000015 00000 n
-0000000119 00000 n
-0000000190 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000119 00000 n
+0000000190 00000 n
 % closing angle-brackets not present for trailer dictionary.
 trailer <<
 /Size 6
diff --git a/testing/resources/weblinks.pdf b/testing/resources/weblinks.pdf
index 3921a37c79..0d201a45aa 100644
--- a/testing/resources/weblinks.pdf
+++ b/testing/resources/weblinks.pdf
@@ -60,13 +60,13 @@ endstream
 endobj
 xref
 0 7
-0000000000 65536 f
-0000000015 00000 n
-0000000061 00000 n
-0000000154 00000 n
-0000000374 00000 n
-0000000000 65536 f
-0000000450 00000 n
+0000000000 65535 f
+0000000015 00000 n
+0000000061 00000 n
+0000000154 00000 n
+0000000374 00000 n
+0000000000 65535 f
+0000000450 00000 n
 trailer <<
 /Size 6
 /Root 1 0 R
diff --git a/testing/tools/fixup_pdf_template.py b/testing/tools/fixup_pdf_template.py
index 873caeedde..87996a42cd 100755
--- a/testing/tools/fixup_pdf_template.py
+++ b/testing/tools/fixup_pdf_template.py
@@ -24,8 +24,10 @@ class TemplateProcessor: XREF_TOKEN = '{{xref}}' XREF_REPLACEMENT = 'xref\n%d %d\n' - XREF_REPLACEMENT_N = '%010d %05d n\n' - XREF_REPLACEMENT_F = '0000000000 65536 f\n' + + # XREF rows must be exactly 20 bytes - space required. + XREF_REPLACEMENT_N = '%010d %05d n \n' + XREF_REPLACEMENT_F = '0000000000 65535 f \n' STARTXREF_TOKEN= '{{startxref}}' STARTXREF_REPLACEMENT = 'startxref\n%d'
-- cgit v1.2.3
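Review bot: The new comment `# XREF rows must be exactly 20 bytes - space required.` explains the trailing space added to XREF_REPLACEMENT_N and XREF_REPLACEMENT_F, but not the 65536 → 65535 change made on the same line of XREF_REPLACEMENT_F, so the next reader has nothing stopping them from "fixing" it back. I would extend it to spell out both: `# Each xref row is exactly 20 bytes: 10-digit offset, space, 5-digit generation,` / `# space, n/f, and a two-character EOL (space + newline here). The free entry for` / `# object 0 carries the maximum generation number, 65535.`. TemplateProcessor's body starts and ends outside this hunk.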