From 97db69faaeb4f8481f9d8824bff644509949cb0d Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Thu, 24 May 2018 20:10:22 +0000
Subject: CPDF_HintTables should not try to read 0 bits.

CFX_BitStream::GetBits() got refactored recently, with an assert to not read 0 bits. A fuzzer then discovered code that is trying to do that.

BUG=chromium:846394
Change-Id: Ib18b47200c82aab369109b5911540db724172690
Reviewed-on: https://pdfium-review.googlesource.com/32934
Reviewed-by: dsinclair
Commit-Queue: Lei Zhang
---
 core/fpdfapi/parser/cpdf_hint_tables.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
index 123e6594c1..9cd72c7815 100644
--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
@@ -294,8 +294,8 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
 uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 // Trying to decode more than 32 bits isn't going to work when we write into
- // a uint32_t.
- if (dwDeltaGroupLen > 31)
+ // a uint32_t. Decoding 0 bits also makes no sense.
+ if (!IsValidPageOffsetHintTableBitCount(dwDeltaGroupLen))
 return false;
 if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
--
cgit v1.2.3
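Review bot: The new guard in ReadSharedObjHintTable calls `IsValidPageOffsetHintTableBitCount(dwDeltaGroupLen)`, a helper named for the page offset hint table, so the range accepted for this stream-supplied 16-bit value is no longer readable at the call site. The helper's definition is outside the hunk, and the comment above still says "more than 32 bits" although the removed check rejected anything above 31. I would state the bounds in the comment, for example `// Bit counts read from the hint stream must be in [1, 31] before they reach GetBits().` if that is what the helper enforces, or give the helper a table-neutral name. The zero-bit read was found by a fuzzer and the commit touches only this file, so a regression test with a shared object hint table whose delta group length is 0 would keep the check from being lost in a later refactor. The function body continues outside the hunk, so other file-derived bit counts there could not be checked from here.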