core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp - Issue 1968743002: Fix a potential UAF with FPDFAvail_IsLinearized().

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

Issue 1968743002: Fix a potential UAF with FPDFAvail_IsLinearized(). (Closed) Base URL: https://pdfium.googlesource.com/pdfium@master

Patch Set: Created 4 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

diff --git a/core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp b/core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

index f210c49c71b9ac947cf9f668bd6c958075b4c979..5bf7d631d4a7f4bbc68fd13437d446b5d07f78ff 100644

--- a/core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

+++ b/core/fpdfapi/fpdf_parser/cpdf_data_avail.cpp

@@ -851,8 +851,8 @@ FX_BOOL CPDF_DataAvail::IsLinearizedFile(uint8_t* pData, uint32_t dwLen) {

uint32_t objnum = FXSYS_atoui(wordObjNum.c_str());

if (m_pLinearized) {

+ m_pHintTables.reset();

Wei Li 2016/05/11 00:26:25 Will we lose hint stream info then? Will we still

Lei Zhang 2016/05/11 01:16:21 Yes, and that's not optimal. See patch set 2 - use

m_pLinearized->Release();

- m_pLinearized = nullptr;

}

m_pLinearized =

@@ -861,22 +861,22 @@ FX_BOOL CPDF_DataAvail::IsLinearizedFile(uint8_t* pData, uint32_t dwLen) {

return FALSE;

CPDF_Dictionary* pDict = m_pLinearized->GetDict();

- if (pDict && pDict->GetObjectBy("Linearized")) {

- CPDF_Object* pLen = pDict->GetObjectBy("L");

- if (!pLen)

- return FALSE;

+ if (!pDict || !pDict->GetObjectBy("Linearized"))

+ return FALSE;

- if ((FX_FILESIZE)pLen->GetInteger() != m_pFileRead->GetSize())

- return FALSE;

+ CPDF_Object* pLen = pDict->GetObjectBy("L");

+ if (!pLen)

+ return FALSE;

+ if ((FX_FILESIZE)pLen->GetInteger() != m_pFileRead->GetSize())

+ return FALSE;

- m_bLinearized = TRUE;

+ m_bLinearized = TRUE;

- if (CPDF_Number* pNo = ToNumber(pDict->GetObjectBy("P")))

- m_dwFirstPageNo = pNo->GetInteger();

+ if (CPDF_Number* pNo = ToNumber(pDict->GetObjectBy("P")))

+ m_dwFirstPageNo = pNo->GetInteger();

- return TRUE;

- }

- return FALSE;

+ return TRUE;

}

FX_BOOL CPDF_DataAvail::CheckEnd(IPDF_DataAvail::DownloadHints* pHints) {

« no previous file with comments | « no previous file | core/fpdfapi/fpdf_parser/cpdf_hint_tables.h » ('j') | no next file with comments »