Fix an infinite loop in CPDF_Parser::RebuildCrossRef().

core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "parser_int.h"
 
+#include <algorithm>
 #include <set>
 #include <utility>
 #include <vector>
 
 #include "core/include/fpdfapi/fpdf_module.h"
 #include "core/include/fpdfapi/fpdf_page.h"
 #include "core/include/fpdfapi/fpdf_parser.h"
 #include "core/include/fxcrt/fx_ext.h"
 #include "core/include/fxcrt/fx_safe_types.h"
 #include "core/src/fpdfapi/fpdf_page/pageint.h"
@@ skipping 589 matching lines @@
   m_ObjectInfo.clear();
   m_V5Type.RemoveAll();
   m_SortedOffset.RemoveAll();
   m_ObjVersion.RemoveAll();
   if (m_pTrailer) {
     m_pTrailer->Release();
     m_pTrailer = NULL;
   }
   int32_t status = 0;
   int32_t inside_index = 0;
-  FX_DWORD objnum = 0, gennum = 0;
+  FX_DWORD objnum = 0;
+  FX_DWORD gennum = 0;
   int32_t depth = 0;
-  uint8_t* buffer = FX_Alloc(uint8_t, 4096);
+  const FX_DWORD kBufferSize = 4096;
+  std::vector<uint8_t> buffer(kBufferSize);
   FX_FILESIZE pos = m_Syntax.m_HeaderOffset;
   FX_FILESIZE start_pos = 0, start_pos1 = 0;
   FX_FILESIZE last_obj = -1, last_xref = -1, last_trailer = -1;
   while (pos < m_Syntax.m_FileLen) {
-    FX_BOOL bOverFlow = FALSE;
-    FX_DWORD size = (FX_DWORD)(m_Syntax.m_FileLen - pos);
-    if (size > 4096) {
-      size = 4096;
-    }
-    if (!m_Syntax.m_pFileAccess->ReadBlock(buffer, pos, size)) {
+    bool bOverFlow = false;
+    FX_DWORD size = std::min((FX_DWORD)(m_Syntax.m_FileLen - pos), kBufferSize);
+    if (!m_Syntax.m_pFileAccess->ReadBlock(buffer.data(), pos, size))
       break;
-    }
+
     for (FX_DWORD i = 0; i < size; i++) {
       uint8_t byte = buffer[i];
       switch (status) {
         case 0:
           if (PDFCharIsWhitespace(byte))
             status = 1;
 
           if (std::isdigit(byte)) {
             --i;
             status = 1;
@@ skipping 153 matching lines @@
                 m_Syntax.RestorePos(obj_pos);
                 offset = m_Syntax.FindTag("obj", 0);
                 if (offset == -1) {
                   offset = 0;
                 } else {
                   offset += 3;
                 }
                 FX_FILESIZE nLen = obj_end - obj_pos - offset;
                 if ((FX_DWORD)nLen > size - i) {
                   pos = obj_end + m_Syntax.m_HeaderOffset;
-                  bOverFlow = TRUE;
+                  bOverFlow = true;
                 } else {
                   i += (FX_DWORD)nLen;
                 }
                 if (!m_ObjectInfo.empty() && IsValidObjectNumber(objnum) &&
                     m_ObjectInfo[objnum].pos) {
                   if (pObject) {
                     FX_DWORD oldgen = m_ObjVersion.GetAt(objnum);
                     m_ObjectInfo[objnum].pos = obj_pos;
                     m_ObjVersion.SetAt(objnum, (int16_t)gennum);
                     if (oldgen != gennum) {
@@ skipping 136 matching lines @@
           } else if (byte == "endobj"[inside_index]) {
             inside_index++;
           }
           break;
       }
       if (bOverFlow) {
         size = 0;
         break;
       }
     }
+    if (size == 0)
+      break;

[Wei Li, 2015/12/30 20:32:39]

I think bOverFlow means overflow to the next buffer block. Breaking from here
might break some legit cases.
For example, an object may start from this block and end at the next block.

[Lei Zhang, 2016/01/05 06:08:39]

Right. This patch set causes test failures. See patch set 4 instead.

+
     pos += size;
   }
   if (last_xref != -1 && last_xref > last_obj) {
     last_trailer = last_xref;
   } else if (last_trailer == -1 || last_xref < last_obj) {
     last_trailer = m_Syntax.m_FileLen;
   }
   FX_FILESIZE offset = last_trailer - m_Syntax.m_HeaderOffset;
   void* pResult =
       FXSYS_bsearch(&offset, m_SortedOffset.GetData(), m_SortedOffset.GetSize(),
                     sizeof(FX_FILESIZE), CompareFileSize);
   if (!pResult) {
     m_SortedOffset.Add(offset);
   }
-  FX_Free(buffer);
   return m_pTrailer && !m_ObjectInfo.empty();
 }
 
 FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE* pos, FX_BOOL bMainXRef) {
   CPDF_Object* pObject = ParseIndirectObjectAt(m_pDocument, *pos, 0, nullptr);
   if (!pObject)
     return FALSE;
   if (m_pDocument) {
     FX_BOOL bInserted = FALSE;
     CPDF_Dictionary* pDict = m_pDocument->GetRoot();
@@ skipping 3997 matching lines @@
   if (!m_pLinearizedDict)
     return -1;
   CPDF_Array* pRange = m_pLinearizedDict->GetArray("H");
   if (!pRange)
     return -1;
   CPDF_Object* pStreamLen = pRange->GetElementValue(1);
   if (!pStreamLen)
     return -1;
   return pStreamLen->GetInteger();
 }