From abf16c0682a545db4e9bae5510dd398a6ae634a3 Mon Sep 17 00:00:00 2001
From: dan sinclair
Date: Tue, 4 Apr 2017 20:11:11 -0400
Subject: Use correct length in guard check

When fixing https://crbug.com/672177 we added a guard that we aren't reading off the end of the file. That guard used the file access Position(). This is the wrong value to compare against as our read position and the file access Position may be different. This CL updates the check to use the correct current file position.

Bug: pdfium:697
Change-Id: I68a5eaed2f1f3d65422605f0a8474144cfa7d172
Reviewed-on: https://pdfium-review.googlesource.com/3711
Commit-Queue: dsinclair
Reviewed-by: Tom Sepez
---
 core/fpdfapi/parser/cpdf_syntax_parser.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 67c0977cfe..6ffd641aa8 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -724,11 +724,10 @@ std::unique_ptr CPDF_SyntaxParser::ReadStream(
 }
 m_Pos = streamStartPos;
 }
- if (len < 0)
- return nullptr;
- // If the length is longer then the remaining buffer giveup.
- if (len > m_pFileAccess->GetSize() - m_pFileAccess->GetPosition())
+ // Read up to the end of the buffer.
+ std::min(len, m_FileLen - m_Pos - m_HeaderOffset);
+ if (len <= 0)
 return nullptr;
 std::unique_ptr pData;
--
cgit v1.2.3
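Review bot: The result of `std::min(len, m_FileLen - m_Pos - m_HeaderOffset);` on the second added line is discarded, so `len` is never clamped and the only guard left is `if (len <= 0)`. Since the commit also removes the old `len > GetSize() - GetPosition()` rejection, a length larger than the data remaining in the file now passes this point unchecked and presumably reaches the allocation and read that follow `pData` outside the hunk. Assign the result, `len = std::min(len, m_FileLen - m_Pos - m_HeaderOffset);`, or keep rejecting with `if (len <= 0 || len > m_FileLen - m_Pos - m_HeaderOffset) return nullptr;`. The switch from `len < 0` to `len <= 0` also makes a zero length return nullptr where it was previously let through, which is worth confirming as intended. ReadStream's body starts and ends outside the hunk.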