Fix an infinite loop in CPDF_Parser::RebuildCrossRef().

core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Index: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 2a271f11793d869e94e8b21166f71f1070ba7a41..14c7a41ffe82213003141d036c3f48a00a2079e6 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -6,6 +6,7 @@
 
 #include "parser_int.h"
 
+#include <algorithm>
 #include <set>
 #include <utility>
 #include <vector>
@@ -615,21 +616,20 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
   }
   int32_t status = 0;
   int32_t inside_index = 0;
-  FX_DWORD objnum = 0, gennum = 0;
+  FX_DWORD objnum = 0;
+  FX_DWORD gennum = 0;
   int32_t depth = 0;
-  uint8_t* buffer = FX_Alloc(uint8_t, 4096);
+  const FX_DWORD kBufferSize = 4096;
+  std::vector<uint8_t> buffer(kBufferSize);
   FX_FILESIZE pos = m_Syntax.m_HeaderOffset;
   FX_FILESIZE start_pos = 0, start_pos1 = 0;
   FX_FILESIZE last_obj = -1, last_xref = -1, last_trailer = -1;
   while (pos < m_Syntax.m_FileLen) {
-    FX_BOOL bOverFlow = FALSE;
-    FX_DWORD size = (FX_DWORD)(m_Syntax.m_FileLen - pos);
-    if (size > 4096) {
-      size = 4096;
-    }
-    if (!m_Syntax.m_pFileAccess->ReadBlock(buffer, pos, size)) {
+    bool bOverFlow = false;
+    FX_DWORD size = std::min((FX_DWORD)(m_Syntax.m_FileLen - pos), kBufferSize);
+    if (!m_Syntax.m_pFileAccess->ReadBlock(buffer.data(), pos, size))
       break;
-    }
+
     for (FX_DWORD i = 0; i < size; i++) {
       uint8_t byte = buffer[i];
       switch (status) {
@@ -803,7 +803,7 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
                 FX_FILESIZE nLen = obj_end - obj_pos - offset;
                 if ((FX_DWORD)nLen > size - i) {
                   pos = obj_end + m_Syntax.m_HeaderOffset;
-                  bOverFlow = TRUE;
+                  bOverFlow = true;
                 } else {
                   i += (FX_DWORD)nLen;
                 }
@@ -960,6 +960,9 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
         break;
       }
     }
+    if (size == 0)
+      break;

[Wei Li, 2015/12/30 20:32:39]

I think bOverFlow means overflow to the next buffer block. Breaking from here
might break some legit cases.
For example, an object may start from this block and end at the next block.

[Lei Zhang, 2016/01/05 06:08:39]

Right. This patch set causes test failures. See patch set 4 instead.

+
     pos += size;
   }
   if (last_xref != -1 && last_xref > last_obj) {
@@ -974,7 +977,6 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
   if (!pResult) {
     m_SortedOffset.Add(offset);
   }
-  FX_Free(buffer);
   return m_pTrailer && !m_ObjectInfo.empty();
 }