From 2d282243dbd1edd51d42e13f563903a1a76ce8f8 Mon Sep 17 00:00:00 2001 From: Bo Xu Date: Fri, 19 Sep 2014 15:58:46 -0700 Subject: Fix a bug when assign the generation number of indirect objects BUG=408532 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/524443002 --- .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 28 ++++++++++++---------- core/src/fxcrt/fx_basic_gcc.cpp | 4 ++++ 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 73ae71cda0..e9c0fdd227 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -1312,8 +1312,8 @@ void CPDF_Parser::GetIndirectBinary(FX_DWORD objnum, FX_LPBYTE& pBuffer, FX_DWOR
 m_Syntax.RestorePos(SavedPos);
 return;
 }
- FX_DWORD real_objnum = FXSYS_atoi(word);
- if (real_objnum && real_objnum != objnum) {
+ FX_DWORD parser_objnum = FXSYS_atoi(word);
+ if (parser_objnum && parser_objnum != objnum) {
 m_Syntax.RestorePos(SavedPos);
 return;
 }
@@ -1377,8 +1377,8 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects* pObjList,
 }
 FX_FILESIZE objOffset = m_Syntax.SavePos();
 objOffset -= word.GetLength();
- FX_DWORD real_objnum = FXSYS_atoi(word);
- if (objnum && real_objnum != objnum) {
+ FX_DWORD parser_objnum = FXSYS_atoi(word);
+ if (objnum && parser_objnum != objnum) {
 m_Syntax.RestorePos(SavedPos);
 return NULL;
 }
@@ -1387,21 +1387,23 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects* pObjList,
 m_Syntax.RestorePos(SavedPos);
 return NULL;
 }
- FX_DWORD gennum = FXSYS_atoi(word);
+ FX_DWORD parser_gennum = FXSYS_atoi(word);
 if (m_Syntax.GetKeyword() != FX_BSTRC("obj")) {
 m_Syntax.RestorePos(SavedPos);
 return NULL;
 }
- CPDF_Object* pObj = m_Syntax.GetObject(pObjList, objnum, gennum, 0, pContext);
+ CPDF_Object* pObj = m_Syntax.GetObject(pObjList, objnum, parser_gennum, 0, pContext);
 FX_FILESIZE endOffset = m_Syntax.SavePos();
 CFX_ByteString bsWord = m_Syntax.GetKeyword();
 if (bsWord == FX_BSTRC("endobj")) {
 endOffset = m_Syntax.SavePos();
 }
 m_Syntax.RestorePos(SavedPos);
- if (pObj && !objnum) {
- pObj->m_ObjNum = real_objnum;
- pObj->m_GenNum = gennum;
+ if (pObj) {
+ if (!objnum) {
+ pObj->m_ObjNum = parser_objnum;
+ }
+ pObj->m_GenNum = parser_gennum;
 }
 return pObj;
 }
@@ -1416,8 +1418,8 @@ CPDF_Object* CPDF_Parser::ParseIndirectObjectAtByStrict(CPDF_IndirectObjects* pO
 m_Syntax.RestorePos(SavedPos);
 return NULL;
 }
- FX_DWORD real_objnum = FXSYS_atoi(word);
- if (objnum && real_objnum != objnum) {
+ FX_DWORD parser_objnum = FXSYS_atoi(word);
+ if (objnum && parser_objnum != objnum) {
 m_Syntax.RestorePos(SavedPos);
 return NULL;
 }
@@ -3466,8 +3468,8 @@ CPDF_Object * CPDF_DataAvail::ParseIndirectObjectAt(FX_FILESIZE pos, FX_DWORD ob
 if (!bIsNumber) {
 return NULL;
 }
- FX_DWORD real_objnum = FXSYS_atoi(word);
- if (objnum && real_objnum != objnum) {
+ FX_DWORD parser_objnum = FXSYS_atoi(word);
+ if (objnum && parser_objnum != objnum) {
 return NULL;
 }
 word = m_syntaxParser.GetNextWord(bIsNumber);
diff --git a/core/src/fxcrt/fx_basic_gcc.cpp b/core/src/fxcrt/fx_basic_gcc.cpp
index 7f5bbade66..93c71ce660 100644
--- a/core/src/fxcrt/fx_basic_gcc.cpp
+++ b/core/src/fxcrt/fx_basic_gcc.cpp
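Review bot: `parser_gennum` is now written to `pObj->m_GenNum` for every parsed object, yet it goes straight from `FXSYS_atoi(word)` into an `FX_DWORD` with no range check, so whatever the file's object header states becomes the object's generation (including a value wrapped from a negative int, if the tokenizer lets a sign through). If later code relies on m_GenNum, a bound such as the PDF limit of 65535 would be worth enforcing before the assignment in the `@@ -1387` hunk. A short comment would also help there, e.g. `// A caller-supplied objnum is kept; the generation always comes from the object header.` ParseIndirectObjectAt starts above this hunk.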
@@ -4,6 +4,7 @@ // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com +#include #include "../../include/fxcrt/fx_ext.h" template T FXSYS_StrToInt(STR_T str)
@@ -21,6 +22,9 @@ T FXSYS_StrToInt(STR_T str)
 if ((*str) < '0' || (*str) > '9') {
 break;
 }
+ if (num > (std::numeric_limits::max() - 9) / 10) {
+ break;
+ }
 num = num * 10 + (*str) - '0';
 str ++;
 }
-- cgit v1.2.3
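Review bot: The added guard bounds `num * 10 + 9`, but the unchanged next line computes `num * 10 + (*str) - '0'` left to right, so the raw character code (up to 57) is added before `'0'` is subtracted and the intermediate can still exceed the maximum for a signed T; writing `num = num * 10 + ((*str) - '0');` closes that. The guard is also stricter than needed: any value whose leading digits exceed `(max - 9) / 10`, including the type's maximum itself, silently loses its last digit, and callers such as the `parser_objnum != objnum` checks cannot tell a truncated number from a genuine one. Bounding by the actual digit, `if (num > (std::numeric_limits<T>::max() - ((*str) - '0')) / 10) { break; }`, keeps every representable value, and a comment should state what is returned on overflow. The start of FXSYS_StrToInt and its return are outside the hunk, so sign handling is not visible here.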