From f3a3393a2f96bb8c4cc275ee67921e2b7bddf540 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 6 Aug 2018 18:25:03 +0000
Subject: Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().
BUG=chromium:865272
Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40
Reviewed-on: https://pdfium-review.googlesource.com/39438
Commit-Queue: Lei Zhang
Reviewed-by: Art Snake
---
 core/fpdfapi/parser/cpdf_parser.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index e070d2f733..9bb9bf22d7 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -757,14 +757,18 @@ bool CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, bool bMainXRef) {
 }
 const uint32_t objnum = startnum + i;
- if (GetObjectType(objnum) == ObjectType::kNull) {
+ if (objnum >= CPDF_Parser::kMaxObjectNumber)
+ continue;
+
+ const ObjectType existing_type = GetObjectType(objnum);
+ if (existing_type == ObjectType::kNull) {
 uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
 if (pdfium::base::IsValueInRangeForNumericType(offset))
 m_CrossRefTable->AddNormal(objnum, 0, offset);
 continue;
 }
- if (GetObjectType(objnum) != ObjectType::kFree)
+ if (existing_type != ObjectType::kFree)
 continue;
 if (type == ObjectType::kFree) {
-- cgit v1.2.3
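Review bot: The new `objnum >= CPDF_Parser::kMaxObjectNumber` guard is only as strong as the unsigned addition `startnum + i` on the line above it: if that sum can wrap in `uint32_t`, the wrapped value falls back below the limit and is accepted as a low object number. Whether `startnum` and the entry count are range-checked before the loop is not visible here, because the body of LoadCrossRefV5 starts and ends outside the hunk. If they are, a comment on the guard would record that dependency, for example `// startnum + count is validated before the loop, so objnum cannot wrap.` The guard also drops bad entries silently, so it is worth a line such as `// Ignore out-of-range object numbers from the xref stream instead of failing the load.` to show the `continue` is deliberate.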