From 486f141ed1fa5b92f59d403c4b549ede2ea1a2c8 Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Mon, 8 May 2017 14:16:51 -0400
Subject: Check bits to decode will fit before decoding

When decoding the CPDF_HintTable we read the dwDeltaGroupLen value out of the input stream which is a 16bit number. That value is then passed in to read a uint32_t of the object number. If we have a group length of > 32 bits we'll cause an undefined shift when we attempt to shift right more then 32 bits.

This Cl bails out early if the dwDeltaGroupLen value is > 32 in order to stop the undefined shifts.

Bug: chromium:718505
Change-Id: I919d6f4cd19826094a5e44d3a65d758029f5c236
Reviewed-on: https://pdfium-review.googlesource.com/5090
Reviewed-by: dsinclair
Reviewed-by: Tom Sepez
Commit-Queue: dsinclair
---
 core/fpdfapi/parser/cpdf_hint_tables.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 24abf5dd13..6a84143f9e 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -290,6 +290,11 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // greatest and least length of a shared object group, in bytes.
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
+  // Trying to decode more than 32 bits isn't going to work when we write into
+  // a uint32_t.
+  if (dwDeltaGroupLen > 31)
+    return false;
+
   if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
       m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
       dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {
-- 
cgit v1.2.3
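Review bot: The new guard's comment does not match its threshold: the comment says decoding "more than 32 bits" is the problem, and the commit message says the bail-out is for values > 32, but the condition `if (dwDeltaGroupLen > 31)` also rejects a width of exactly 32. Since a uint32_t shifted by its full width is also undefined, the stricter check is presumably the intended one, so the comment should say so rather than leave the next reader to wonder whether 31 is an off-by-one, e.g. `// GetBits() decodes into a uint32_t, so a width of 32 or more would shift it by at least its full width (undefined); reject such widths here.` Expressing the bound as a named constant or as `>= 32` would keep the check and its explanation from drifting apart. ReadSharedObjHintTable starts before the hunk and continues after it; if other bit-width fields read with GetBits(16) in this function are later passed to GetBits() the same way, they would need the same guard, which the hunk does not show.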