From 43c195016f9c2e38654a484f9472c138b92d3ec3 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Mon, 27 Mar 2017 10:54:07 -0400
Subject: Guard against lengths greater then input size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If we get a requested length that is longer then the available buffer size we bail as we won't be able to read the needed data anyway.

Bug: chromium:672177
Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339
Reviewed-on: https://pdfium-review.googlesource.com/3221
Reviewed-by: Nicolás Peña
Commit-Queue: Nicolás Peña
---
 core/fpdfapi/parser/cpdf_syntax_parser.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 2a0bf360fc..54fb89a48b 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -727,6 +727,10 @@ std::unique_ptr CPDF_SyntaxParser::ReadStream(
   if (len < 0)
     return nullptr;
 
+  // If the length is longer then the remaining buffer giveup.
+  if (len > m_pFileAccess->GetSize() - m_pFileAccess->GetPosition())
+    return nullptr;
+
   std::unique_ptr pData;
   if (len > 0) {
     pData.reset(FX_Alloc(uint8_t, len));
--
cgit v1.2.3
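Review bot: The added bound is computed from the stream object's own cursor, `m_pFileAccess->GetSize() - m_pFileAccess->GetPosition()`, yet the parser appears to track its read offset separately and reads the stream body later, relative to that offset, outside this hunk; if the two positions diverge the guard is looser or stricter than intended, so a bound against the parser's own position and the file length would be more precise — verify against how ReadStream actually reads the data. The subtraction also presumes the position never exceeds the size; should those accessors return an unsigned type, an out-of-range position wraps to a large value and the check passes, so comparing `len` against the size and the position separately avoids relying on that. Since `len` comes from the document's /Length entry and feeds `FX_Alloc(uint8_t, len)` on the next lines, this check is what keeps a hostile length from driving an oversized allocation, so it is worth making the bound exact. The comment has two typos: `// If the length is longer than the remaining buffer, give up.`. ReadStream starts and ends outside the hunk.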