From 746babded81e9de3fc132fd670386382c031fa74 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Wed, 3 May 2017 12:35:59 -0400 Subject: SetPos to at most the file length to avoid overflows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This CL prevents arbitrary position setting which may cause integer overflows. In the bug in question, the PDF says the xrefs are located in a huge position. This then causes problems when calling CPDF_SyntaxParser methods. Bug: chromium:603545 Change-Id: I5f94c38f46a0217e9f12f1bf8b2f3bee3b03cb35 Reviewed-on: https://pdfium-review.googlesource.com/4813 Commit-Queue: Nicolás Peña Reviewed-by: Tom Sepez --- core/fpdfapi/parser/cpdf_syntax_parser.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'core/fpdfapi/parser/cpdf_syntax_parser.h') diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.h b/core/fpdfapi/parser/cpdf_syntax_parser.h index 9c2d84070d..f9a9bd9a8a 100644 --- a/core/fpdfapi/parser/cpdf_syntax_parser.h +++ b/core/fpdfapi/parser/cpdf_syntax_parser.h @@ -7,6 +7,7 @@ #ifndef CORE_FPDFAPI_PARSER_CPDF_SYNTAX_PARSER_H_ #define CORE_FPDFAPI_PARSER_CPDF_SYNTAX_PARSER_H_ +#include #include #include "core/fxcrt/cfx_string_pool_template.h" @@ -29,8 +30,8 @@ class CPDF_SyntaxParser { void InitParser(const CFX_RetainPtr& pFileAccess, uint32_t HeaderOffset); - FX_FILESIZE SavePos() const { return m_Pos; } - void RestorePos(FX_FILESIZE pos) { m_Pos = pos; } + FX_FILESIZE GetPos() const { return m_Pos; } + void SetPos(FX_FILESIZE pos) { m_Pos = std::min(pos, m_FileLen); } std::unique_ptr GetObject(CPDF_IndirectObjectHolder* pObjList, uint32_t objnum, -- cgit v1.2.3
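Review bot: `SetPos` bounds the position only from above: `std::min(pos, m_FileLen)` passes a negative `pos` through unchanged, so if `FX_FILESIZE` is a signed type (its definition is not in this hunk) an offset read from a malformed file can still leave `m_Pos` below zero. Clamping both ends would close that, e.g. `m_Pos = std::max<FX_FILESIZE>(0, std::min(pos, m_FileLen));`, assuming `m_FileLen` is itself an `FX_FILESIZE`. The clamp is also silent, so a caller that seeks to an out-of-range xref offset now continues from end-of-file instead of seeing a failure; a comment such as `// Positions past m_FileLen are clamped, not rejected; callers must validate offsets read from the file.` would make that contract visible. The class body starts and ends outside the hunk, so whether `m_FileLen` is initialised before the first `SetPos` call cannot be checked from here.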