From e7ee98e4c6fd56c9e930194e9fc11cc10e8293a1 Mon Sep 17 00:00:00 2001 From: Chris Palmer Date: Tue, 8 Jul 2014 14:02:05 -0700 Subject: Fix for UMR in CXML_Parser::GetCharRef. BUG=387822 R=jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/367383002 --- AUTHORS | 1 + .../src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 23 ++++++++++++---------- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/AUTHORS b/AUTHORS index 0bbf65685a..29bd3998d0 100644 --- a/AUTHORS +++ b/AUTHORS @@ -22,6 +22,7 @@ Michael Doppler Nico Weber Raymes Khoury Reid Kleckner +Robert Sesek Foxit Software Inc <*@foxitsoftware.com> Google Inc. <*@google.com> diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 3bfd37fe4a..926117722f 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -7,6 +7,7 @@ #include "../../../include/fpdfapi/fpdf_parser.h" #include "../../../include/fpdfapi/fpdf_module.h" #include "../../../include/fpdfapi/fpdf_page.h" +#include "../../../../third_party/numerics/safe_math.h" #include "../fpdf_page/pageint.h" #include #define _PARSER_OBJECT_LEVLE_ 64 
@@ -2408,25 +2409,27 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT FX_DWORD objnum, FX_DWORD gennum) { CPDF_Object* pLenObj = pDict->GetElement(FX_BSTRC("Length")); - FX_DWORD len = 0; + FX_FILESIZE len = 0; if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) || ((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) && ((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) { - FX_FILESIZE pos = m_Pos; - if (pLenObj) { - len = pLenObj->GetInteger(); - } - m_Pos = pos; - if (len > 0x40000000) { - return NULL; - } + len = pLenObj->GetInteger(); } + ToNextLine(); FX_FILESIZE StreamStartPos = m_Pos; if (pContext) { pContext->m_DataStart = m_Pos; } - m_Pos += len; + + base::CheckedNumeric pos = m_Pos; + pos += len; + if (pos.IsValid() && pos.ValueOrDie() < m_FileLen) { + m_Pos = pos.ValueOrDie(); + } else { + return NULL; + } + CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler; if (pCryptoHandler == NULL) { FX_FILESIZE SavedPos = m_Pos; -- cgit v1.2.3
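Review bot: A negative `/Length` still passes the new bounds check in `ReadStream`: `len` is now an `FX_FILESIZE` filled directly from `pLenObj->GetInteger()`, and `pos.IsValid() && pos.ValueOrDie() < m_FileLen` has no lower bound, so a sum that lands before `StreamStartPos` (or below zero) is accepted and assigned to `m_Pos`. The removed code kept `len` in an unsigned `FX_DWORD` and rejected anything above `0x40000000`, which presumably also caught negative values after conversion; that guard is gone. I would reject the value before the addition with `if (len < 0) return NULL;`, or tighten the condition to `pos.IsValid() && pos.ValueOrDie() >= StreamStartPos && pos.ValueOrDie() < m_FileLen`. This assumes `GetInteger()` returns a signed int and `FX_FILESIZE` is signed, neither of which is visible in the hunk; the body of `ReadStream` also continues past the end of the hunk, so later code may depend on `m_Pos >= StreamStartPos`.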