From 219b3dab7e184bf8742f61527e37053b04903ff0 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Thu, 5 Feb 2015 10:41:08 -0800 Subject: Fix segv in CPDF_DataAvail::CheckRoot() when /Root object is a string. Handles the case of this malformed PDF without crashing. Note that to get a reproducible test case, a small fix is applied to our .py script which results in some whitespace/numbering difs across the resources (down the road, we ought to generate them on the fly in an intermediate directory). BUG=454695 R=jun_fang@foxitsoftware.com, thestig@chromium.org Review URL: https://codereview.chromium.org/895933003 --- core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'core') diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 16274088c0..4ed4c70e27 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -3390,7 +3390,12 @@ FX_BOOL CPDF_DataAvail::CheckRoot(IFX_DownloadHints* pHints) } return FALSE; } - CPDF_Reference* pRef = (CPDF_Reference*)m_pRoot->GetDict()->GetElement(FX_BSTRC("Pages")); + CPDF_Dictionary* pDict = m_pRoot->GetDict(); + if (!pDict) { + m_docStatus = PDF_DATAAVAIL_ERROR; + return FALSE; + } + CPDF_Reference* pRef = (CPDF_Reference*)pDict->GetElement(FX_BSTRC("Pages")); if (pRef == NULL || pRef->GetType() != PDFOBJ_REFERENCE) { m_docStatus = PDF_DATAAVAIL_ERROR; return FALSE; -- cgit v1.2.3