From f3a3393a2f96bb8c4cc275ee67921e2b7bddf540 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Mon, 6 Aug 2018 18:25:03 +0000
Subject: Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().

BUG=chromium:865272

Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40
Reviewed-on: https://pdfium-review.googlesource.com/39438
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
---
 core/fpdfapi/parser/cpdf_parser.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index e070d2f733..9bb9bf22d7 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -757,14 +757,18 @@ bool CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, bool bMainXRef) {
       }
 
       const uint32_t objnum = startnum + i;
-      if (GetObjectType(objnum) == ObjectType::kNull) {
+      if (objnum >= CPDF_Parser::kMaxObjectNumber)
+        continue;
+
+      const ObjectType existing_type = GetObjectType(objnum);
+      if (existing_type == ObjectType::kNull) {
         uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
         if (pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(offset))
           m_CrossRefTable->AddNormal(objnum, 0, offset);
         continue;
       }
 
-      if (GetObjectType(objnum) != ObjectType::kFree)
+      if (existing_type != ObjectType::kFree)
         continue;
 
       if (type == ObjectType::kFree) {
-- 
cgit v1.2.3