From 30688fb1c434b141380aa224da12e8246a8a78e1 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Wed, 18 Jul 2018 05:07:28 +0000
Subject: Do not add invalid objects to the cross reference table.

BUG=chromium:851994

Change-Id: I2e14401271c70afa204221e0f3d469f0b82ce8cf
Reviewed-on: https://pdfium-review.googlesource.com/37871
Commit-Queue: Lei Zhang
Reviewed-by: Art Snake
---
 core/fpdfapi/parser/cpdf_cross_ref_table.cpp | 17 +++++++++++++++++
 core/fpdfapi/parser/cpdf_parser.cpp | 3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
index 4be91745d8..77c0e8136c 100644
--- a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
+++ b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
@@ -7,6 +7,7 @@
 #include
 
 #include "core/fpdfapi/parser/cpdf_dictionary.h"
+#include "core/fpdfapi/parser/cpdf_parser.h"
 
 // static
 std::unique_ptr CPDF_CrossRefTable::MergeUp(
@@ -31,6 +32,12 @@ CPDF_CrossRefTable::~CPDF_CrossRefTable() = default;
 
 void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num,
 uint32_t archive_obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber ||
+ archive_obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
 auto& info = objects_info_[obj_num];
 if (info.gennum > 0)
 return;
@@ -48,6 +55,11 @@ void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num,
 void CPDF_CrossRefTable::AddNormal(uint32_t obj_num,
 uint16_t gen_num,
 FX_FILESIZE pos) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
 auto& info = objects_info_[obj_num];
 if (info.gennum > gen_num)
 return;
@@ -63,6 +75,11 @@ void CPDF_CrossRefTable::AddNormal(uint32_t obj_num,
 }
 
 void CPDF_CrossRefTable::SetFree(uint32_t obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
 auto& info = objects_info_[obj_num];
 info.type = ObjectType::kFree;
 info.gennum = 0xFFFF;
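Review bot: The guard added at the top of AddCompressed treats an out-of-range object number as unreachable (`NOTREACHED(); return;`), yet the commit's own change to RebuildCrossRef shows such numbers can arrive from the file being parsed; the same applies to the guards added in AddNormal and SetFree. Only the AddNormal call in RebuildCrossRef gains a caller-side check in this patch, so any other caller (not visible here) that forwards an unvalidated number would hit the assertion where it is active and silently lose the entry elsewhere. State the contract once above the guard, for example `// Object numbers come from untrusted file data; callers must range-check them before calling.`, and confirm the remaining call sites do. The three bodies repeat the same test and could share one small private helper; each function continues past the end of its hunk.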
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 54e05245a9..ecc0546de0 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -777,7 +777,8 @@ bool CPDF_Parser::RebuildCrossRef() {
 }
 }
 }
- cross_ref_table->AddNormal(objnum, gennum, obj_pos);
+ if (objnum < kMaxObjectNumber)
+ cross_ref_table->AddNormal(objnum, gennum, obj_pos);
 }
 state = ParserState::kDefault;
 break;
-- 
cgit v1.2.3
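Review bot: The new `if (objnum < kMaxObjectNumber)` silently discards an out-of-range object, and nothing at that line tells the reader why the entry is skipped rather than treated as a parse failure. A short comment above it, such as `// objnum is read from the file being rebuilt; skip values the cross reference table would reject.`, would tie the check to the guards added in cpdf_cross_ref_table.cpp. The diffstat lists only the two source files, so the malformed input behind the referenced bug does not appear to be covered by a regression test in this commit. RebuildCrossRef starts and ends outside the hunk.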