From 661008dde7356ee2ed69787125863539b73b041c Mon Sep 17 00:00:00 2001 From: npm Date: Mon, 9 Jan 2017 07:52:30 -0800 Subject: Do not parse references with invalid objnum We should not have valid objects where the object number is CPDF_Object::kInvalidObjNum. BUG=pdfium:609 Review-Url: https://codereview.chromium.org/2610393004 --- core/fpdfapi/parser/cpdf_reference.cpp | 2 +- core/fpdfapi/parser/cpdf_reference.h | 2 +- core/fpdfapi/parser/cpdf_syntax_parser.cpp | 12 ++++++++---- core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp | 11 +++++++++++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/core/fpdfapi/parser/cpdf_reference.cpp b/core/fpdfapi/parser/cpdf_reference.cpp index 8f44aa0200..67b67c24dd 100644 --- a/core/fpdfapi/parser/cpdf_reference.cpp +++ b/core/fpdfapi/parser/cpdf_reference.cpp @@ -10,7 +10,7 @@ #include "third_party/base/ptr_util.h" #include "third_party/base/stl_util.h" -CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum) +CPDF_Reference::CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum) : m_pObjList(pDoc), m_RefObjNum(objnum) {} CPDF_Reference::~CPDF_Reference() {} diff --git a/core/fpdfapi/parser/cpdf_reference.h b/core/fpdfapi/parser/cpdf_reference.h index 5597142b95..be7f18478e 100644 --- a/core/fpdfapi/parser/cpdf_reference.h +++ b/core/fpdfapi/parser/cpdf_reference.h @@ -16,7 +16,7 @@ class CPDF_IndirectObjectHolder; class CPDF_Reference : public CPDF_Object { public: - CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, int objnum); + CPDF_Reference(CPDF_IndirectObjectHolder* pDoc, uint32_t objnum); ~CPDF_Reference() override; // CPDF_Object: diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp index 48d77c2cbd..1b81b98c96 100644 --- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp +++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp @@ -386,8 +386,10 @@ std::unique_ptr CPDF_SyntaxParser::GetObject( if (bIsNumber) { CFX_ByteString nextword2 = GetNextWord(nullptr); if (nextword2 == "R") { - return pdfium::MakeUnique(pObjList, - FXSYS_atoui(word.c_str())); + uint32_t objnum = FXSYS_atoui(word.c_str()); + if (objnum == CPDF_Object::kInvalidObjNum) + return nullptr; + return pdfium::MakeUnique(pObjList, objnum); } } m_Pos = SavedPos; @@ -505,8 +507,10 @@ std::unique_ptr CPDF_SyntaxParser::GetObjectForStrict( if (bIsNumber) { CFX_ByteString nextword2 = GetNextWord(nullptr); if (nextword2 == "R") { - return pdfium::MakeUnique(pObjList, - FXSYS_atoui(word.c_str())); + uint32_t objnum = FXSYS_atoui(word.c_str()); + if (objnum == CPDF_Object::kInvalidObjNum) + return nullptr; + return pdfium::MakeUnique(pObjList, objnum); } } m_Pos = SavedPos; diff --git a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp index faaa83dd19..64c33ba9cd 100644 --- a/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp +++ b/core/fpdfapi/parser/cpdf_syntax_parser_unittest.cpp @@ -5,6 +5,7 @@ #include #include +#include "core/fpdfapi/parser/cpdf_object.h" #include "core/fpdfapi/parser/cpdf_parser.h" #include "core/fpdfapi/parser/cpdf_syntax_parser.h" #include "core/fxcrt/fx_ext.h" @@ -143,3 +144,13 @@ TEST(cpdf_syntax_parser, ReadHexString) { EXPECT_EQ(1, parser.SavePos()); } } + +TEST(cpdf_syntax_parser, GetInvalidReference) { + CPDF_SyntaxParser parser; + // Data with a reference with number CPDF_Object::kInvalidObjNum + uint8_t data[] = "4294967295 0 R"; + parser.InitParser(IFX_MemoryStream::Create(data, 14, false), 0); + std::unique_ptr ref = + parser.GetObject(nullptr, CPDF_Object::kInvalidObjNum, 0, false); + EXPECT_FALSE(ref); +} -- cgit v1.2.3