From 478c226d70fa560d558d459234e684c47d0d3fe5 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Tue, 21 Mar 2017 14:06:04 -0400
Subject: Pop when Pages is malformed and has no kids
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the Kids array for the Pages dictionary does not exist, just treat this
dictionary as the unique page in the document.

BUG=chromium:702883

Change-Id: I9cb9645a53d60306ffe563f9b27cbbd37442f4ec
Reviewed-on: https://pdfium-review.googlesource.com/3135
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fpdfapi/parser/cpdf_document.cpp          |  1 +
 core/fpdfapi/parser/cpdf_document_unittest.cpp | 29 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/core/fpdfapi/parser/cpdf_document.cpp b/core/fpdfapi/parser/cpdf_document.cpp
index c047085cf3..dec0f5097e 100644
--- a/core/fpdfapi/parser/cpdf_document.cpp
+++ b/core/fpdfapi/parser/cpdf_document.cpp
@@ -406,6 +406,7 @@ CPDF_Dictionary* CPDF_Document::TraversePDFPages(int iPage,
   CPDF_Dictionary* pPages = m_pTreeTraversal[level].first;
   CPDF_Array* pKidList = pPages->GetArrayFor("Kids");
   if (!pKidList) {
+    m_pTreeTraversal.pop_back();
     if (*nPagesToGo != 1)
       return nullptr;
     m_PageList[iPage] = pPages->GetObjNum();
diff --git a/core/fpdfapi/parser/cpdf_document_unittest.cpp b/core/fpdfapi/parser/cpdf_document_unittest.cpp
index 379ca047a1..f052af3aec 100644
--- a/core/fpdfapi/parser/cpdf_document_unittest.cpp
+++ b/core/fpdfapi/parser/cpdf_document_unittest.cpp
@@ -12,6 +12,7 @@
 #include "core/fpdfapi/parser/cpdf_boolean.h"
 #include "core/fpdfapi/parser/cpdf_dictionary.h"
 #include "core/fpdfapi/parser/cpdf_linearized_header.h"
+#include "core/fpdfapi/parser/cpdf_name.h"
 #include "core/fpdfapi/parser/cpdf_number.h"
 #include "core/fpdfapi/parser/cpdf_parser.h"
 #include "core/fpdfapi/parser/cpdf_reference.h"
@@ -131,6 +132,23 @@ class TestLinearized : public CPDF_LinearizedHeader {
   explicit TestLinearized(CPDF_Dictionary* dict)
       : CPDF_LinearizedHeader(dict) {}
 };
+
+class CPDF_TestDocPagesWithoutKids : public CPDF_Document {
+ public:
+  CPDF_TestDocPagesWithoutKids() : CPDF_Document(nullptr) {
+    CPDF_Dictionary* pagesDict = NewIndirect<CPDF_Dictionary>();
+    pagesDict->SetNewFor<CPDF_Name>("Type", "Pages");
+    pagesDict->SetNewFor<CPDF_Number>("Count", 3);
+    m_PageList.resize(10);
+    m_pOwnedRootDict = pdfium::MakeUnique<CPDF_Dictionary>();
+    m_pOwnedRootDict->SetNewFor<CPDF_Reference>("Pages", this,
+                                                pagesDict->GetObjNum());
+    m_pRootDict = m_pOwnedRootDict.get();
+  }
+
+ private:
+  std::unique_ptr<CPDF_Dictionary> m_pOwnedRootDict;
+};
 }  // namespace
 
 class cpdf_document_test : public testing::Test {
@@ -237,3 +255,14 @@ TEST_F(cpdf_document_test, CountGreaterThanPageTree) {
     EXPECT_FALSE(document->GetPage(i));
   EXPECT_TRUE(document->GetPage(kNumTestPages - 1));
 }
+
+TEST_F(cpdf_document_test, PagesWithoutKids) {
+  // Set up a document with Pages dict without kids, and Count = 3
+  auto pDoc = pdfium::MakeUnique<CPDF_TestDocPagesWithoutKids>();
+  EXPECT_TRUE(pDoc->GetPage(0));
+  // Test GetPage does not fetch pages out of range
+  for (int i = 1; i < 5; i++)
+    EXPECT_FALSE(pDoc->GetPage(i));
+
+  EXPECT_TRUE(pDoc->GetPage(0));
+}
-- 
cgit v1.2.3