
Side by Side Diff: core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

Issue 1968743002: Fix a potential UAF with FPDFAvail_IsLinearized(). (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master
Patch Set: Created 4 years, 7 months ago
1 // Copyright 2016 PDFium Authors. All rights reserved. 1 // Copyright 2016 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "core/fpdfapi/fpdf_parser/include/ipdf_data_avail.h" 7 #include "core/fpdfapi/fpdf_parser/include/ipdf_data_avail.h"
8 8
9 #include "core/fpdfapi/fpdf_parser/cpdf_data_avail.h" 9 #include "core/fpdfapi/fpdf_parser/cpdf_data_avail.h"
10 #include "core/fpdfapi/fpdf_parser/fpdf_parser_utility.h" 10 #include "core/fpdfapi/fpdf_parser/fpdf_parser_utility.h"
(...skipping 833 matching lines...) Expand 10 before | Expand all | Expand 10 after
844 m_syntaxParser.InitParser(file.get(), offset); 844 m_syntaxParser.InitParser(file.get(), offset);
845 m_syntaxParser.RestorePos(m_syntaxParser.m_HeaderOffset + 9); 845 m_syntaxParser.RestorePos(m_syntaxParser.m_HeaderOffset + 9);
846 846
847 bool bNumber; 847 bool bNumber;
848 CFX_ByteString wordObjNum = m_syntaxParser.GetNextWord(&bNumber); 848 CFX_ByteString wordObjNum = m_syntaxParser.GetNextWord(&bNumber);
849 if (!bNumber) 849 if (!bNumber)
850 return FALSE; 850 return FALSE;
851 851
852 uint32_t objnum = FXSYS_atoui(wordObjNum.c_str()); 852 uint32_t objnum = FXSYS_atoui(wordObjNum.c_str());
853 if (m_pLinearized) { 853 if (m_pLinearized) {
854 m_pHintTables.reset();
Wei Li 2016/05/11 00:26:25 Will we lose hint stream info then? Will we still
Lei Zhang 2016/05/11 01:16:21 Yes, and that's not optimal. See patch set 2 - use
854 m_pLinearized->Release(); 855 m_pLinearized->Release();
855 m_pLinearized = nullptr;
856 } 856 }
857 857
858 m_pLinearized = 858 m_pLinearized =
859 ParseIndirectObjectAt(m_syntaxParser.m_HeaderOffset + 9, objnum); 859 ParseIndirectObjectAt(m_syntaxParser.m_HeaderOffset + 9, objnum);
860 if (!m_pLinearized) 860 if (!m_pLinearized)
861 return FALSE; 861 return FALSE;
862 862
863 CPDF_Dictionary* pDict = m_pLinearized->GetDict(); 863 CPDF_Dictionary* pDict = m_pLinearized->GetDict();
864 if (pDict && pDict->GetObjectBy("Linearized")) { 864 if (!pDict || !pDict->GetObjectBy("Linearized"))
865 CPDF_Object* pLen = pDict->GetObjectBy("L"); 865 return FALSE;
866 if (!pLen)
867 return FALSE;
868 866
869 if ((FX_FILESIZE)pLen->GetInteger() != m_pFileRead->GetSize()) 867 CPDF_Object* pLen = pDict->GetObjectBy("L");
870 return FALSE; 868 if (!pLen)
869 return FALSE;
871 870
872 m_bLinearized = TRUE; 871 if ((FX_FILESIZE)pLen->GetInteger() != m_pFileRead->GetSize())
872 return FALSE;
873 873
874 if (CPDF_Number* pNo = ToNumber(pDict->GetObjectBy("P"))) 874 m_bLinearized = TRUE;
875 m_dwFirstPageNo = pNo->GetInteger();
876 875
877 return TRUE; 876 if (CPDF_Number* pNo = ToNumber(pDict->GetObjectBy("P")))
878 } 877 m_dwFirstPageNo = pNo->GetInteger();
879 return FALSE; 878
879 return TRUE;
880 } 880 }
881 881
882 FX_BOOL CPDF_DataAvail::CheckEnd(IPDF_DataAvail::DownloadHints* pHints) { 882 FX_BOOL CPDF_DataAvail::CheckEnd(IPDF_DataAvail::DownloadHints* pHints) {
883 uint32_t req_pos = (uint32_t)(m_dwFileLen > 1024 ? m_dwFileLen - 1024 : 0); 883 uint32_t req_pos = (uint32_t)(m_dwFileLen > 1024 ? m_dwFileLen - 1024 : 0);
884 uint32_t dwSize = (uint32_t)(m_dwFileLen - req_pos); 884 uint32_t dwSize = (uint32_t)(m_dwFileLen - req_pos);
885 885
886 if (m_pFileAvail->IsDataAvail(req_pos, dwSize)) { 886 if (m_pFileAvail->IsDataAvail(req_pos, dwSize)) {
887 uint8_t buffer[1024]; 887 uint8_t buffer[1024];
888 m_pFileRead->ReadBlock(buffer, req_pos, dwSize); 888 m_pFileRead->ReadBlock(buffer, req_pos, dwSize);
889 889
(...skipping 942 matching lines...) Expand 10 before | Expand all | Expand 10 after
1832 return FormAvailable; 1832 return FormAvailable;
1833 } 1833 }
1834 1834
1835 CPDF_DataAvail::PageNode::PageNode() : m_type(PDF_PAGENODE_UNKNOWN) {} 1835 CPDF_DataAvail::PageNode::PageNode() : m_type(PDF_PAGENODE_UNKNOWN) {}
1836 1836
1837 CPDF_DataAvail::PageNode::~PageNode() { 1837 CPDF_DataAvail::PageNode::~PageNode() {
1838 for (int32_t i = 0; i < m_childNode.GetSize(); ++i) 1838 for (int32_t i = 0; i < m_childNode.GetSize(); ++i)
1839 delete m_childNode[i]; 1839 delete m_childNode[i];
1840 m_childNode.RemoveAll(); 1840 m_childNode.RemoveAll();
1841 } 1841 }
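Review bot: Dropping `m_pLinearized = nullptr;` (old line 855) leaves the member pointing at freed memory from `m_pLinearized->Release();` on new line 855 until `ParseIndirectObjectAt` reassigns it on lines 858-859, so if that call, or anything it reaches, ever consults `m_pLinearized`, this reintroduces the same class of use-after-free the CL is fixing. Keeping the null-out costs one line: `m_pHintTables.reset();` / `m_pLinearized->Release();` / `m_pLinearized = nullptr;`. The ordering of new lines 854-855 is also load-bearing and should be stated, e.g. `// Reset the hint tables before releasing m_pLinearized; they presumably hold a reference into it (confirm against cpdf_hint_tables.h).`, since the dependency between the two members is not visible in this hunk. The enclosing function starts before the hunk.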
