From f0db33fa39b4497e1b275d0798c1def08741480f Mon Sep 17 00:00:00 2001
From: weili <weili@chromium.org>
Date: Wed, 11 May 2016 17:50:48 -0700
Subject: Revert "Reland of relax a couple checks to allow certain non-standard
 PDF files. (patchset #1 id:1 of https://codereview.chromium.org/1946693002/
 )"

This reverts commit a031357eaab7c934ac03717968cf78ff556c819b.

The reason to revert it is that some malformed or maliciously crafted PDF
files may cause crashes.

BUG=610973

Review-Url: https://codereview.chromium.org/1971013002
---
 .../fpdf_parser/cpdf_indirect_object_holder.cpp     |  20 ++++----------------
 core/fpdfapi/fpdf_parser/cpdf_parser.cpp            |   7 +------
 .../fpdf_parser/cpdf_parser_embeddertest.cpp        |  16 ----------------
 testing/resources/bug_596947.pdf                    | Bin 971 -> 0 bytes
 4 files changed, 5 insertions(+), 38 deletions(-)
 delete mode 100644 testing/resources/bug_596947.pdf

diff --git a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
index 4020b003bb..ef3395d3ae 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_indirect_object_holder.cpp
@@ -6,7 +6,6 @@
 
 #include "core/fpdfapi/fpdf_parser/include/cpdf_indirect_object_holder.h"
 
-#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_object.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_parser.h"
 
@@ -25,28 +24,17 @@ CPDF_Object* CPDF_IndirectObjectHolder::GetIndirectObject(uint32_t objnum) {
   if (objnum == 0)
     return nullptr;
 
-  CPDF_Object* result_obj = nullptr;
   auto it = m_IndirectObjs.find(objnum);
-  if (it != m_IndirectObjs.end()) {
-    CPDF_Object* obj = it->second;
-    result_obj =
-        obj->GetObjNum() != CPDF_Object::kInvalidObjNum ? it->second : nullptr;
-    // Xref object is not used by the pdf document itself. Some software thus
-    // reuse an object number for xref object. So when we get an xref object,
-    // try again to see whether another object with the same number is defined.
-    // If so, use that object instead. See chromium:596947.
-    CPDF_Dictionary* dict =
-        obj->IsStream() ? obj->GetDict() : obj->AsDictionary();
-    if (!dict || dict->GetStringBy("Type") != "XRef")
-      return result_obj;
-  }
+  if (it != m_IndirectObjs.end())
+    return it->second->GetObjNum() != CPDF_Object::kInvalidObjNum ? it->second
+                                                                  : nullptr;
 
   if (!m_pParser)
     return nullptr;
 
   CPDF_Object* pObj = m_pParser->ParseIndirectObject(this, objnum);
   if (!pObj)
-    return result_obj;
+    return nullptr;
 
   pObj->m_ObjNum = objnum;
   m_LastObjNum = std::max(m_LastObjNum, objnum);
diff --git a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
index c66647846d..acf51de1ea 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_parser.cpp
@@ -1077,13 +1077,8 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, FX_BOOL bMainXRef) {
     FX_SAFE_UINT32 dwMaxObjNum = startnum;
     dwMaxObjNum += count;
     uint32_t dwV5Size = m_ObjectInfo.empty() ? 0 : GetLastObjNum() + 1;
-    if (!dwMaxObjNum.IsValid())
+    if (!dwMaxObjNum.IsValid() || dwMaxObjNum.ValueOrDie() > dwV5Size)
       continue;
-    // When the max object number is larger than the defined size, try to
-    // increase the size to accomodate more objects.
-    // Some software messes this up, see chromium:596947.
-    if (dwMaxObjNum.ValueOrDie() > dwV5Size)
-      ShrinkObjectMap(dwMaxObjNum.ValueOrDie());
 
     for (uint32_t j = 0; j < count; j++) {
       int32_t type = 1;
diff --git a/core/fpdfapi/fpdf_parser/cpdf_parser_embeddertest.cpp b/core/fpdfapi/fpdf_parser/cpdf_parser_embeddertest.cpp
index d070bd6a4c..042b221554 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_parser_embeddertest.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_parser_embeddertest.cpp
@@ -54,19 +54,3 @@ TEST_F(CPDFParserEmbeddertest, Bug_602650) {
   FPDFText_ClosePage(text_page);
   UnloadPage(page);
 }
-
-TEST_F(CPDFParserEmbeddertest, Bug_596947) {
-  // Test the case that the size of cross reference entries doesn't match with
-  // what is defined, and a certain case of reuse object number for cross
-  // reference object.
-  EXPECT_TRUE(OpenDocument("bug_596947.pdf"));
-  FPDF_PAGE page = LoadPage(0);
-  EXPECT_NE(nullptr, page);
-  FPDF_TEXTPAGE text_page = FPDFText_LoadPage(page);
-  EXPECT_NE(nullptr, text_page);
-  // The page should not be blank.
-  EXPECT_LT(0, FPDFText_CountChars(text_page));
-
-  FPDFText_ClosePage(text_page);
-  UnloadPage(page);
-}
diff --git a/testing/resources/bug_596947.pdf b/testing/resources/bug_596947.pdf
deleted file mode 100644
index b3cbd19bf2..0000000000
Binary files a/testing/resources/bug_596947.pdf and /dev/null differ
-- 
cgit v1.2.3