From 552f1ec14f94c09fce4126b5e72d3c02c150ab35 Mon Sep 17 00:00:00 2001
From: Artem Strygin <art-snake@yandex-team.ru>
Date: Mon, 30 Jul 2018 16:30:28 +0000
Subject: Check maximum bit count of shared group object numbers.

Bug: chromium:868477
Change-Id: I5957c5ef051bc4fa8eb51efa6a7fc142996742c5
Reviewed-on: https://pdfium-review.googlesource.com/39130
Commit-Queue: Art Snake <art-snake@yandex-team.ru>
Reviewed-by: Henrique Nakashima <hnakashima@chromium.org>
---
 core/fpdfapi/parser/cpdf_hint_tables.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 8d8aa3263a..71fb6e2843 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -252,6 +252,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // Item 5: The number of bits needed to represent the greatest number of
   // objects in a shared object group.
   uint32_t dwSharedObjNumBits = hStream->GetBits(16);
+  if (dwSharedObjNumBits > 32)
+    return false;
 
   // Item 6: The least length of a shared object group in bytes.
   uint32_t dwGroupLeastLen = hStream->GetBits(32);
-- 
cgit v1.2.3