From e96e6fdddaffa2b4b82df4d4d551333939fb78c9 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Tue, 3 Apr 2018 15:02:37 +0000
Subject: Off-by-one in CPDF_StreamParser::ParseNextElement()

Limit the token to 255 bytes + NUL. Also, shuffle fields in cpdf_streamparser to allow memory tools to better check this inline array.

Bug: 828049
Change-Id: I444f2b4c6958167577d9cd76c06805baf7d5c26c
Reviewed-on: https://pdfium-review.googlesource.com/29530
Reviewed-by: dsinclair
Commit-Queue: dsinclair
---
 core/fpdfapi/page/cpdf_streamparser.cpp | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
(limited to 'core/fpdfapi/page/cpdf_streamparser.cpp')

diff --git a/core/fpdfapi/page/cpdf_streamparser.cpp b/core/fpdfapi/page/cpdf_streamparser.cpp
index 71c8c8d29a..3b6d12038f 100644
--- a/core/fpdfapi/page/cpdf_streamparser.cpp
+++ b/core/fpdfapi/page/cpdf_streamparser.cpp
@@ -33,7 +33,6 @@ namespace {
 const uint32_t kMaxNestedParsingLevel = 512;
-const uint32_t kMaxWordBuffer = 256;
 const size_t kMaxStringLength = 32767;
 uint32_t DecodeAllScanlines(std::unique_ptr pDecoder,
@@ -103,12 +102,12 @@ uint32_t DecodeInlineStream(const uint8_t* src_buf,
 } // namespace
 CPDF_StreamParser::CPDF_StreamParser(const uint8_t* pData, uint32_t dwSize)
- : m_pBuf(pData), m_Size(dwSize), m_Pos(0), m_pPool(nullptr) {}
+ : m_Size(dwSize), m_Pos(0), m_WordSize(0), m_pBuf(pData) {}
 CPDF_StreamParser::CPDF_StreamParser(const uint8_t* pData,
 uint32_t dwSize,
 const WeakPtr& pPool)
- : m_pBuf(pData), m_Size(dwSize), m_Pos(0), m_pPool(pPool) {}
+ : m_Size(dwSize), m_Pos(0), m_WordSize(0), m_pBuf(pData), m_pPool(pPool) {}
 CPDF_StreamParser::~CPDF_StreamParser() {}
@@ -257,7 +256,7 @@ CPDF_StreamParser::SyntaxType CPDF_StreamParser::ParseNextElement() {
 bool bIsNumber = true;
 while (1) {
- if (m_WordSize < kMaxWordBuffer)
+ if (m_WordSize < kMaxWordLength)
 m_WordBuffer[m_WordSize++] = ch;
 if (!PDFCharIsNumeric(ch))
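Review bot: Both new initializer lists zero m_WordSize, but nothing in either constructor touches m_WordBuffer itself, so until the first ParseNextElement() or GetNextWord() call the inline array holds indeterminate bytes; if any accessor can hand out m_WordBuffer before a parse (the header is not in this diff), the constructors should at least NUL-terminate it with `m_WordBuffer[0] = 0;`. The reordered list (m_Size, m_Pos, m_WordSize, m_pBuf, m_pPool) presumably now matches the shuffled declaration order the commit message mentions, which is what keeps -Wreorder quiet; a one-line comment in the header saying the array is placed last on purpose for the memory tools would stop the next refactor from undoing it. The first constructor also drops the explicit `m_pPool(nullptr)`, which is fine only if WeakPtr's default constructor yields a null pointer, something this hunk cannot confirm.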
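Review bot: The bound `m_WordSize < kMaxWordLength` only closes the off-by-one if m_WordBuffer has at least kMaxWordLength + 1 bytes for the terminating NUL the commit message refers to, and nothing in this file enforces that relationship with the header. A `static_assert(sizeof(m_WordBuffer) > kMaxWordLength, "m_WordBuffer must hold the NUL");` next to the first use, or the comment `// kMaxWordLength excludes the NUL; m_WordBuffer must be kMaxWordLength + 1 bytes.` above the guard, would keep a later resize of either side from reintroducing the overflow. The guard also truncates overlong tokens silently rather than rejecting them, which the commit does not address and which deserves a comment at the guard. ParseNextElement() begins before this hunk and continues after it.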
@@ -424,8 +423,7 @@ void CPDF_StreamParser::GetNextWord(bool& bIsNumber) {
 m_Pos--;
 return;
 }
-
- if (m_WordSize < kMaxWordBuffer)
+ if (m_WordSize < kMaxWordLength)
 m_WordBuffer[m_WordSize++] = ch;
 }
 } else if (ch == '<') {
@@ -449,13 +447,13 @@ void CPDF_StreamParser::GetNextWord(bool& bIsNumber) {
 }
 while (1) {
- if (m_WordSize < kMaxWordBuffer)
+ if (m_WordSize < kMaxWordLength)
 m_WordBuffer[m_WordSize++] = ch;
 if (!PDFCharIsNumeric(ch))
 bIsNumber = false;
-
 if (!PositionIsInBounds())
 return;
+
 ch = m_pBuf[m_Pos++];
 if (PDFCharIsDelimiter(ch) || PDFCharIsWhitespace(ch)) {
 m_Pos--;
-- cgit v1.2.3
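Review bot: This is the third copy in the diff of the guarded append `if (m_WordSize < kMaxWordLength) m_WordBuffer[m_WordSize++] = ch;` (the others are in ParseNextElement() and in the loop further down GetNextWord()), so the bound and the buffer size now have to agree in three places. Folding it into a small private helper such as `void AppendWordChar(uint8_t ch)` would leave exactly one place to audit the next time the limit changes; that needs a header change, which is outside this diff. GetNextWord() starts before this hunk and continues after it.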
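Review bot: A numeric token longer than kMaxWordLength bytes is truncated by the guard on `m_WordBuffer[m_WordSize++] = ch;` while `bIsNumber` stays true, because the flag only reacts to `PDFCharIsNumeric(ch)` and the loop keeps consuming input via `ch = m_pBuf[m_Pos++];` after the cap is hit, so the caller receives a shorter number than the stream contained. If such tokens should not be treated as well-formed numbers, the guard could become `if (m_WordSize < kMaxWordLength) m_WordBuffer[m_WordSize++] = ch; else bIsNumber = false;` (or set a dedicated truncation flag); if the truncation is intended, document it with `// Overlong tokens are truncated to kMaxWordLength bytes, not rejected.` at the top of the loop. Whether callers tolerate either choice depends on code outside this hunk, and GetNextWord() itself begins before the hunk and ends after it.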