From d3ab0f383f6736657480a8bb418c5e715a1aed3b Mon Sep 17 00:00:00 2001
From: Wei Li
Date: Mon, 11 Jan 2016 14:05:41 -0800
Subject: Fix an infinite loop parsing in CPDF_SyntaxParser::GetObject()

CPDF_SyntaxParser::GetObject() may enter into an infinite loop when a signature dictionary doesn't have 'Contents' field. Add a check to avoid that.
BUG=pdfium:344
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/1575833004 .
---
 core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'core')
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 3ab4423172..49d6760c65 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2163,12 +2163,13 @@ CPDF_Object* CPDF_SyntaxParser::GetObject(CPDF_IndirectObjects* pObjList,
 pDict->SetAt(keyNoSlash, pObj);
 }
- if (IsSignatureDict(pDict.get())) {
- FX_FILESIZE dwSavePos = m_Pos;
+ // Only when this is a signature dictionary and has contents, we reset the
+ // contents to the un-decrypted form.
+ if (IsSignatureDict(pDict.get()) && dwSignValuePos) {
+ CFX_AutoRestorer save_pos(&m_Pos);
 m_Pos = dwSignValuePos;
 CPDF_Object* pObj = GetObject(pObjList, objnum, gennum, nullptr, FALSE);
 pDict->SetAt("Contents", pObj);
- m_Pos = dwSavePos;
 }
 if (pContext) {
 pContext->m_DictEnd = m_Pos;
--
cgit v1.2.3
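Review bot: The added `&& dwSignValuePos` test uses offset 0 as the marker for "no Contents entry was seen", which only holds if `dwSignValuePos` is initialised to 0 and assigned solely when the Contents key is parsed; both happen outside this hunk, so it is worth confirming at the declaration. The new comment could state that invariant directly, e.g. `// dwSignValuePos stays 0 when the dictionary has no Contents entry; skip the re-parse in that case.` The result of the recursive `GetObject()` call is still handed to `pDict->SetAt("Contents", pObj)` unchecked, so if a null return is possible on malformed input, either guard it with `if (pObj) pDict->SetAt("Contents", pObj);` or confirm that SetAt tolerates null. The diffstat shows only the parser file changed; a regression test using a signature dictionary without Contents would keep this hang from returning on untrusted PDFs. GetObject's body starts and ends outside the hunk.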