From cee39e6e90c219cc91f2c94a912a06977f4461a0 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 13 Nov 2017 18:35:23 +0000
Subject: Check first page number in IsLinearizedHeaderValid().

This should allow https://pdfium-review.googlesource.com/15770 to safely reland.

BUG=chromium:781529
Change-Id: Id0c1bde3280fb72125d8e74751b9a1cb35302b6f
Reviewed-on: https://pdfium-review.googlesource.com/18170
Reviewed-by: dsinclair
Commit-Queue: Lei Zhang
---
 core/fpdfapi/parser/cpdf_linearized_header.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'core')

diff --git a/core/fpdfapi/parser/cpdf_linearized_header.cpp b/core/fpdfapi/parser/cpdf_linearized_header.cpp
index 3251a5eb9f..994d69f9b6 100644
--- a/core/fpdfapi/parser/cpdf_linearized_header.cpp
+++ b/core/fpdfapi/parser/cpdf_linearized_header.cpp
@@ -7,6 +7,7 @@
 #include "core/fpdfapi/parser/cpdf_linearized_header.h"

 #include
+#include
 #include

 #include "core/fpdfapi/parser/cpdf_array.h"
@@ -18,6 +19,7 @@
 namespace {

 constexpr FX_FILESIZE kLinearizedHeaderOffset = 9;
+constexpr size_t kMaxInt = static_cast(std::numeric_limits::max());

 template
 bool IsValidNumericDictionaryValue(const CPDF_Dictionary* pDict,
@@ -39,6 +41,8 @@ bool IsLinearizedHeaderValid(const CPDF_LinearizedHeader* header,
 FX_FILESIZE file_size) {
 ASSERT(header);
 return header->GetFileSize() == file_size &&
+ static_cast(header->GetFirstPageNo()) >= 0 &&
+ header->GetFirstPageNo() < kMaxInt &&
 header->GetMainXRefTableFirstEntryOffset() < file_size &&
 header->GetPageCount() > 0 &&
 header->GetFirstPageEndOffset() < file_size &&
--
cgit v1.2.3
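Review bot: In the third hunk (IsLinearizedHeaderValid) the two added conditions overlap: if GetFirstPageNo() returns an unsigned value (its type is not visible here), `header->GetFirstPageNo() < kMaxInt` alone already guarantees the value fits in a non-negative int, while the preceding `static_cast` ... `>= 0` test depends on an out-of-range narrowing conversion whose result is implementation-defined before C++20. I would keep only the range comparison and add a comment on kMaxInt in the second hunk, for example `// Upper bound for header values that are later converted to int; INT_MAX itself is rejected.`, so the strict `<` reads as deliberate. Because the first page number comes from the file's own linearization dictionary, it would also be worth bounding it by the document, `header->GetFirstPageNo() < header->GetPageCount() &&`, unless a caller outside this hunk already enforces that. The return expression continues past the end of the hunk, and the diffstat lists only this one file, so a regression test that feeds an oversized first-page value is still missing.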