From 7c694a4632dc3b11e26d66a44e598a211913d02a Mon Sep 17 00:00:00 2001
From: Artem Strygin
Date: Wed, 11 Jul 2018 16:25:14 +0000
Subject: Fix crash and memory leak. Do not return size within CPDF_StreamAcc in case when read data failed. Also free buffers in this case.
Bug: chromium:860210
Change-Id: Ifb2a061d7c8427409b68c33f213c5c55343fb946
Reviewed-on: https://pdfium-review.googlesource.com/37310
Reviewed-by: Henrique Nakashima
Commit-Queue: Art Snake
---
 core/fpdfapi/parser/cpdf_stream_acc.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'core/fpdfapi/parser/cpdf_stream_acc.cpp')
diff --git a/core/fpdfapi/parser/cpdf_stream_acc.cpp b/core/fpdfapi/parser/cpdf_stream_acc.cpp
index 1734b0ddcb..18d0b35107 100644
--- a/core/fpdfapi/parser/cpdf_stream_acc.cpp
+++ b/core/fpdfapi/parser/cpdf_stream_acc.cpp
@@ -38,8 +38,11 @@ void CPDF_StreamAcc::LoadAllData(bool bRawAccess,
 pSrcData = m_pStream->GetInMemoryRawData();
 } else {
 pSrcData = m_pSrcData = FX_Alloc(uint8_t, dwSrcSize);
- if (!m_pStream->ReadRawData(0, pSrcData, dwSrcSize))
+ if (!m_pStream->ReadRawData(0, pSrcData, dwSrcSize)) {
+ FX_Free(pSrcData);
+ pSrcData = m_pSrcData = nullptr;
 return;
+ }
 }
 if (bProcessRawData) {
 m_pData = pSrcData;
@@ -77,7 +80,8 @@ uint8_t* CPDF_StreamAcc::GetData() const {
 uint32_t CPDF_StreamAcc::GetSize() const {
 if (m_bNewBuf)
 return m_dwSize;
- return m_pStream ? m_pStream->GetRawSize() : 0;
+ return (m_pStream && m_pStream->IsMemoryBased()) ? m_pStream->GetRawSize()
+ : 0;
 }
 std::unique_ptr CPDF_StreamAcc::DetachData() {
--
cgit v1.2.3
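Review bot: In the `else` branch of LoadAllData, `m_pSrcData` is assigned the fresh allocation before `ReadRawData()` has succeeded, so the error path has to free the buffer and reset both pointers by hand; any early return added here later would bring back the leak or leave a dangling member. Publishing the member only on success keeps the failure path to a single free: allocate with `pSrcData = FX_Alloc(uint8_t, dwSrcSize);`, bail out with `FX_Free(pSrcData); return;`, and set `m_pSrcData = pSrcData;` after the read. Because the function returns void, a caller cannot tell a failed read from an empty stream, so a comment such as `// Read failed: leave the accessor empty so GetData()/GetSize() report no data.` would make the intended post-state explicit. The function begins and ends outside the hunk, so whether `m_pData` and `m_dwSize` are already cleared at this point cannot be confirmed from here.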
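Review bot: The new condition in GetSize() ties the reported size to `IsMemoryBased()` rather than to whether a buffer is actually held, so it is only safe if GetData() returns null in exactly the cases where this returns 0, and GetData() is outside the hunk. A comment stating that invariant would protect it from later edits, for example `// A file-based stream has no buffer until LoadAllData() succeeds; report 0 so a caller never pairs a non-zero size with a null GetData().` The diffstat lists only this one file, so the commit appears to carry no regression test for the failed-read case from chromium:860210. A unit test that makes ReadRawData() fail and checks that GetData() is null and GetSize() is 0 would pin the size/pointer pairing that the crash fix relies on.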