From 43c195016f9c2e38654a484f9472c138b92d3ec3 Mon Sep 17 00:00:00 2001
From: Dan Sinclair <dsinclair@chromium.org>
Date: Mon, 27 Mar 2017 10:54:07 -0400
Subject: Guard against lengths greater then input size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If we get a requested length that is longer then the available buffer
size we bail as we won't be able to read the needed data anyway.

Bug: chromium:672177
Change-Id: Idb41671c07fe758ec0c1d4d6f84ead0a58fa8339
Reviewed-on: https://pdfium-review.googlesource.com/3221
Reviewed-by: Nicolás Peña <npm@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
---
 core/fpdfapi/parser/cpdf_syntax_parser.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 2a0bf360fc..54fb89a48b 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -727,6 +727,10 @@ std::unique_ptr<CPDF_Stream> CPDF_SyntaxParser::ReadStream(
   if (len < 0)
     return nullptr;
 
+  // If the length is longer then the remaining buffer giveup.
+  if (len > m_pFileAccess->GetSize() - m_pFileAccess->GetPosition())
+    return nullptr;
+
   std::unique_ptr<uint8_t, FxFreeDeleter> pData;
   if (len > 0) {
     pData.reset(FX_Alloc(uint8_t, len));
-- 
cgit v1.2.3