From 98a44a176d137083434587fb5ebc53c6d963ff7f Mon Sep 17 00:00:00 2001
From: Chris Palmer
Date: Fri, 18 Jul 2014 15:18:43 -0700
Subject: Fix the potential integer overflow from "offset + size".

BUG=382667
R=jschuh@chromium.org, jun_fang@foxitsoftware.com

Review URL: https://codereview.chromium.org/390983007
---
 .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 24 +++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index f82bf3a861..14597d989c 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2864,13 +2864,27 @@ FX_BOOL CPDF_DataAvail::IsObjectsAvail(CFX_PtrArray& obj_array, FX_BOOL bParsePa
 CPDF_Reference *pRef = (CPDF_Reference*)pObj;
 FX_DWORD dwNum = pRef->GetRefObjNum();
 FX_FILESIZE offset;
- FX_DWORD size = GetObjectSize(pRef->GetRefObjNum(), offset);
- if (!size) {
+ FX_DWORD original_size = GetObjectSize(dwNum, offset);
+ base::CheckedNumeric size = original_size;
+ if (size.ValueOrDefault(0) == 0 || offset < 0 || offset >= m_dwFileLen) {
 break;
 }
- size = (FX_DWORD)((FX_FILESIZE)(offset + size + 512) > m_dwFileLen ? m_dwFileLen - offset : size + 512);
- if (!m_pFileAvail->IsDataAvail(offset, size)) {
- pHints->AddSegment(offset, size);
+
+ size += offset;
+ size += 512;
+ if (!size.IsValid()) {
+ break;
+ }
+ if (size.ValueOrDie() > m_dwFileLen) {
+ size = m_dwFileLen - offset;
+ } else {
+ size = original_size + 512;
+ }
+ if (!size.IsValid()) {
+ break;
+ }
+ if (!m_pFileAvail->IsDataAvail(offset, size.ValueOrDie())) {
+ pHints->AddSegment(offset, size.ValueOrDie());
 ret_array.Add(pObj);
 count++;
 } else if (!m_objnum_array.Find(dwNum)) {
--
cgit v1.2.3
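Review bot: The first `if (!size.IsValid()) break;` after `size += 512;` handles an overflowing `offset + size + 512` differently from the non-overflowing case two lines below, even though both mean the requested range runs past the end of the file: the second case is clamped to `m_dwFileLen - offset`, while the first abandons the enumeration for every remaining object (the enclosing loop and the function's return path are outside the hunk, so whether the caller treats a partially filled `ret_array` as "not available" cannot be confirmed here). If clamping is acceptable for a corrupt size, `if (!size.IsValid() || size.ValueOrDie() > m_dwFileLen) { size = m_dwFileLen - offset; } else { size = original_size + 512; }` folds the two cases together; if the early exit is deliberate, a comment such as `// A sum that does not fit FX_DWORD can only come from a corrupt object size; stop rather than clamp.` would record that. Separately, `size = original_size + 512;` in the else branch is plain FX_DWORD arithmetic, which cannot wrap only because the checked sum that also includes `offset` (already known to be >= 0) was just shown to fit — an indirect guarantee worth a one-line comment, e.g. `// Cannot wrap: offset + original_size + 512 was just validated in FX_DWORD and offset >= 0.` Note that `base::CheckedNumeric size` appears to have lost its template argument in this rendering, the same way the author's e-mail address was dropped from the From: line; the reasoning above assumes a CheckedNumeric over FX_DWORD, which should be confirmed against the actual source.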