From a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 Mon Sep 17 00:00:00 2001
From: thestig
Date: Mon, 29 Aug 2016 10:05:27 -0700
Subject: Add some limit checks to ReadSharedObjHintTable().

BUG=641444

Review-Url: https://codereview.chromium.org/2283893003
---
 core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 6 ++++++
 core/fpdfapi/fpdf_parser/cpdf_parser.cpp | 4 ----
 core/fpdfapi/fpdf_parser/include/cpdf_parser.h | 6 ++++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index 4363d3924c..fd8765a2d2 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -278,6 +278,12 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // greatest and least length of a shared object group, in bytes.
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
+  if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
+      m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
+      dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {
+    return false;
+  }
+
   int nFirstPageObjNum = GetFirstPageObjectNumber();
   if (nFirstPageObjNum < 0)
     return false;
diff --git a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
index 9d26104caa..bd6c8648e0 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
@@ -29,10 +29,6 @@ namespace {
 // this may be large enough in practice.
 const int32_t kMaxXRefSize = 1048576;
 
-// A limit on the maximum object number in the xref table. Theoretical limits
-// are higher, but this may be large enough in practice.
-const uint32_t kMaxObjectNumber = 1048576;
-
 uint32_t GetVarInt(const uint8_t* p, int32_t n) {
   uint32_t result = 0;
   for (int32_t i = 0; i < n; ++i)
diff --git a/core/fpdfapi/fpdf_parser/include/cpdf_parser.h b/core/fpdfapi/fpdf_parser/include/cpdf_parser.h
index 3d2408fad1..5d6d6f93fc 100644
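Review bot: The new guard in ReadSharedObjHintTable carries no comment saying why these three file-supplied values are capped at kMaxObjectNumber, so a reader of this hunk cannot tell whether the bound is a sanity limit or a hard requirement of the code that consumes them. I would add above the `if`: `// These counts/numbers come straight from the hint stream; reject anything past the parser's object-number limit before it is used.` The rest of ReadSharedObjHintTable, including where dwFirstSharedObjNum, m_nFirstPageSharedObjs and dwSharedObjTotal are read from the stream, lies outside the hunk. If m_nFirstPageSharedObjs is a signed type (its declaration is not visible here), the comparison against the uint32_t constant promotes it to unsigned — negative values are still rejected, but -Wsign-compare may fire, so its type is worth confirming.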
--- a/core/fpdfapi/fpdf_parser/include/cpdf_parser.h
+++ b/core/fpdfapi/fpdf_parser/include/cpdf_parser.h
@@ -34,6 +34,10 @@ class CPDF_Parser {
     HANDLER_ERROR
   };
 
+  // A limit on the maximum object number in the xref table. Theoretical limits
+  // are higher, but this may be large enough in practice.
+  static const uint32_t kMaxObjectNumber = 1048576;
+
   CPDF_Parser();
   ~CPDF_Parser();
 
@@ -170,8 +174,6 @@ class CPDF_Parser {
 
   // All indirect object numbers that are being parsed.
   std::set m_ParsingObjNums;
-
-
 };
 
 #endif  // CORE_FPDFAPI_FPDF_PARSER_INCLUDE_CPDF_PARSER_H_
-- 
cgit v1.2.3
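Review bot: `static const uint32_t kMaxObjectNumber = 1048576;` inside the class body is only a declaration; any ODR-use of it (binding to a const reference, e.g. passing it to std::min/std::max, or taking its address) needs an out-of-class definition in cpdf_parser.cpp or the link fails. The `>=` comparisons this commit adds in cpdf_hint_tables.cpp only read the value and are fine, but future callers may not be. If the project's C++ level allows it, `static constexpr uint32_t kMaxObjectNumber = 1048576;` states the intent more clearly (and is implicitly inline under C++17); otherwise add `const uint32_t CPDF_Parser::kMaxObjectNumber;` to the .cpp. The CPDF_Parser class body extends beyond both hunks in this section.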