From a032f7f79c67ddef4db0f44fca8f0d245bfb8e82 Mon Sep 17 00:00:00 2001
From: thestig <thestig@chromium.org>
Date: Mon, 29 Aug 2016 10:05:27 -0700
Subject: Add some limit checks to ReadSharedObjHintTable().

BUG=641444

Review-Url: https://codereview.chromium.org/2283893003
---
 core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp')

diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index 4363d3924c..fd8765a2d2 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -278,6 +278,12 @@ bool CPDF_HintTables::ReadSharedObjHintTable(CFX_BitStream* hStream,
   // greatest and least length of a shared object group, in bytes.
   uint32_t dwDeltaGroupLen = hStream->GetBits(16);
 
+  if (dwFirstSharedObjNum >= CPDF_Parser::kMaxObjectNumber ||
+      m_nFirstPageSharedObjs >= CPDF_Parser::kMaxObjectNumber ||
+      dwSharedObjTotal >= CPDF_Parser::kMaxObjectNumber) {
+    return false;
+  }
+
   int nFirstPageObjNum = GetFirstPageObjectNumber();
   if (nFirstPageObjNum < 0)
     return false;
-- 
cgit v1.2.3