From c18ffca5a35ab4b2218fadcca4006b3ea09e7875 Mon Sep 17 00:00:00 2001 From: thestig Date: Thu, 11 Aug 2016 09:39:29 -0700 Subject: Relax a check in CPDF_HintTables. CPDF_HintTables::ReadSharedObjHintTable() unnecessarily constraints a FX_FILESIZE value to an int32_t. Relax this check, since the result will be stored in |m_szSharedObjOffsetArray| which is of FX_FILESIZE. Bad values in |m_szSharedObjOffsetArray| will still cause hint table loading to eventually fail. BUG=635565 Review-Url: https://codereview.chromium.org/2230883003 --- core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp index fd723a8fa8..63a64a3026 100644 --- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp +++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp @@ -296,13 +296,16 @@ FX_BOOL CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream, m_dwSharedObjNumArray.Add(safeObjNum.ValueOrDie()); if (i == m_nFirstPageSharedObjs) { - m_szSharedObjOffsetArray.push_back( - pdfium::base::checked_cast(dwFirstSharedObjLoc)); + FX_SAFE_FILESIZE safeLoc = dwFirstSharedObjLoc; + if (!safeLoc.IsValid()) + return FALSE; + + m_szSharedObjOffsetArray.push_back(safeLoc.ValueOrDie()); } } if (i != 0 && i != m_nFirstPageSharedObjs) { - FX_SAFE_INT32 safeLoc = pdfium::base::checked_cast(dwPrevObjLen); + FX_SAFE_FILESIZE safeLoc = dwPrevObjLen; safeLoc += m_szSharedObjOffsetArray[i - 1]; if (!safeLoc.IsValid()) return FALSE; @@ -312,7 +315,7 @@ FX_BOOL CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream, } if (dwSharedObjTotal > 0) { - FX_SAFE_INT32 safeLoc = pdfium::base::checked_cast(dwCurObjLen); + FX_SAFE_FILESIZE safeLoc = dwCurObjLen; safeLoc += m_szSharedObjOffsetArray[dwSharedObjTotal - 1]; if (!safeLoc.IsValid()) return FALSE; -- cgit v1.2.3