Chromium Code Reviews Chromium Code Reviews
Issue 2095763003:
Improve hint table validation checks. (Closed)
Base URL: https://pdfium.googlesource.com/pdfium@master| OLD | NEW |
|---|---|
| 1 // Copyright 2016 PDFium Authors. All rights reserved. | 1 // Copyright 2016 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" | 7 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" |
| 8 | 8 |
| 9 #include <algorithm> | |
| 10 | |
| 9 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" | 11 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" |
| 10 #include "core/fpdfapi/fpdf_parser/fpdf_parser_utility.h" | 12 #include "core/fpdfapi/fpdf_parser/fpdf_parser_utility.h" |
| 11 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" | 13 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" |
| 12 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" | 14 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" |
| 13 #include "core/fpdfapi/fpdf_parser/include/cpdf_document.h" | 15 #include "core/fpdfapi/fpdf_parser/include/cpdf_document.h" |
| 14 #include "core/fpdfapi/fpdf_parser/include/cpdf_name.h" | 16 #include "core/fpdfapi/fpdf_parser/include/cpdf_name.h" |
| 15 #include "core/fpdfapi/fpdf_parser/include/cpdf_number.h" | 17 #include "core/fpdfapi/fpdf_parser/include/cpdf_number.h" |
| 16 #include "core/fpdfapi/fpdf_parser/include/cpdf_reference.h" | 18 #include "core/fpdfapi/fpdf_parser/include/cpdf_reference.h" |
| 17 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" | 19 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" |
| 18 #include "core/fpdfapi/include/cpdf_modulemgr.h" | 20 #include "core/fpdfapi/include/cpdf_modulemgr.h" |
| (...skipping 697 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 716 return TRUE; | 718 return TRUE; |
| 717 } | 719 } |
| 718 | 720 |
| 719 FX_BOOL CPDF_DataAvail::CheckHintTables(DownloadHints* pHints) { | 721 FX_BOOL CPDF_DataAvail::CheckHintTables(DownloadHints* pHints) { |
| 720 CPDF_Dictionary* pDict = m_pLinearized->GetDict(); | 722 CPDF_Dictionary* pDict = m_pLinearized->GetDict(); |
| 721 if (!pDict) { | 723 if (!pDict) { |
| 722 m_docStatus = PDF_DATAAVAIL_ERROR; | 724 m_docStatus = PDF_DATAAVAIL_ERROR; |
| 723 return FALSE; | 725 return FALSE; |
| 724 } | 726 } |
| 725 | 727 |
| 726 if (!pDict->KeyExist("H") || !pDict->KeyExist("O") || !pDict->KeyExist("N")) { | 728 // The actual value is not required here, but validate its existence and type. |
| 729 CPDF_Number* pFirstPage = ToNumber(pDict->GetDirectObjectBy("O")); | |
| 730 if (!pFirstPage || !pFirstPage->IsInteger()) { | |
| 727 m_docStatus = PDF_DATAAVAIL_ERROR; | 731 m_docStatus = PDF_DATAAVAIL_ERROR; |
| 728 return FALSE; | 732 return FALSE; |
| 729 } | 733 } |
| 730 | 734 |
| 731 int nPageCount = pDict->GetDirectObjectBy("N")->GetInteger(); | 735 CPDF_Number* pPageCount = ToNumber(pDict->GetDirectObjectBy("N")); |
| 736 if (!pPageCount || !pPageCount->IsInteger()) { | |
| 737 m_docStatus = PDF_DATAAVAIL_ERROR; | |
| 738 return FALSE; | |
| 739 } | |
| 740 | |
| 741 int nPageCount = pPageCount->GetInteger(); | |
| 732 if (nPageCount <= 1) { | 742 if (nPageCount <= 1) { |
| 733 m_docStatus = PDF_DATAAVAIL_DONE; | 743 m_docStatus = PDF_DATAAVAIL_DONE; |
| 734 return TRUE; | 744 return TRUE; |
| 735 } | 745 } |
| 736 | 746 |
| 737 CPDF_Array* pHintStreamRange = pDict->GetArrayBy("H"); | 747 CPDF_Array* pHintStreamRange = pDict->GetArrayBy("H"); |
| 738 if (!pHintStreamRange) { | 748 size_t nHintStreamSize = pHintStreamRange ? pHintStreamRange->GetCount() : 0; |
| 749 if (nHintStreamSize != 2 && nHintStreamSize != 4) { | |
|
dsinclair
2016/06/23 23:35:25
Where does the 4 come from?
Lei Zhang
2016/06/24 00:37:43
PDF 1.7 spec, page 1029, Table F.1.
| |
| 739 m_docStatus = PDF_DATAAVAIL_ERROR; | 750 m_docStatus = PDF_DATAAVAIL_ERROR; |
| 740 return FALSE; | 751 return FALSE; |
| 741 } | 752 } |
| 742 | 753 |
| 743 FX_FILESIZE szHSStart = | 754 for (const CPDF_Object* pArrayObject : *pHintStreamRange) { |
| 744 pHintStreamRange->GetDirectObjectAt(0) | 755 const CPDF_Number* pNumber = ToNumber(pArrayObject->GetDirect()); |
| 745 ? pHintStreamRange->GetDirectObjectAt(0)->GetInteger() | 756 if (!pNumber || !pNumber->IsInteger()) { |
| 746 : 0; | 757 m_docStatus = PDF_DATAAVAIL_ERROR; |
| 747 FX_FILESIZE szHSLength = | 758 return FALSE; |
| 748 pHintStreamRange->GetDirectObjectAt(1) | 759 } |
| 749 ? pHintStreamRange->GetDirectObjectAt(1)->GetInteger() | 760 } |
| 750 : 0; | 761 |
| 751 if (szHSStart < 0 || szHSLength <= 0) { | 762 FX_FILESIZE szHintStart = pHintStreamRange->GetIntegerAt(0); |
| 763 FX_FILESIZE szHintLength = pHintStreamRange->GetIntegerAt(1); | |
| 764 if (szHintStart < 0 || szHintLength <= 0) { | |
| 752 m_docStatus = PDF_DATAAVAIL_ERROR; | 765 m_docStatus = PDF_DATAAVAIL_ERROR; |
| 753 return FALSE; | 766 return FALSE; |
| 754 } | 767 } |
| 755 | 768 |
| 756 if (!IsDataAvail(szHSStart, szHSLength, pHints)) | 769 if (!IsDataAvail(szHintStart, szHintLength, pHints)) |
| 757 return FALSE; | 770 return FALSE; |
| 758 | 771 |
| 759 m_syntaxParser.InitParser(m_pFileRead, m_dwHeaderOffset); | 772 m_syntaxParser.InitParser(m_pFileRead, m_dwHeaderOffset); |
| 760 | 773 |
| 761 std::unique_ptr<CPDF_HintTables> pHintTables( | 774 std::unique_ptr<CPDF_HintTables> pHintTables( |
| 762 new CPDF_HintTables(this, pDict)); | 775 new CPDF_HintTables(this, pDict)); |
| 763 std::unique_ptr<CPDF_Object, ReleaseDeleter<CPDF_Object>> pHintStream( | 776 std::unique_ptr<CPDF_Object, ReleaseDeleter<CPDF_Object>> pHintStream( |
| 764 ParseIndirectObjectAt(szHSStart, 0)); | 777 ParseIndirectObjectAt(szHintStart, 0)); |
| 765 CPDF_Stream* pStream = ToStream(pHintStream.get()); | 778 CPDF_Stream* pStream = ToStream(pHintStream.get()); |
| 766 if (pStream && pHintTables->LoadHintStream(pStream)) | 779 if (pStream && pHintTables->LoadHintStream(pStream)) |
| 767 m_pHintTables = std::move(pHintTables); | 780 m_pHintTables = std::move(pHintTables); |
| 768 | 781 |
| 769 m_docStatus = PDF_DATAAVAIL_DONE; | 782 m_docStatus = PDF_DATAAVAIL_DONE; |
| 770 return TRUE; | 783 return TRUE; |
| 771 } | 784 } |
| 772 | 785 |
| 773 CPDF_Object* CPDF_DataAvail::ParseIndirectObjectAt( | 786 CPDF_Object* CPDF_DataAvail::ParseIndirectObjectAt( |
| 774 FX_FILESIZE pos, | 787 FX_FILESIZE pos, |
| (...skipping 1041 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1816 return FormAvailable; | 1829 return FormAvailable; |
| 1817 } | 1830 } |
| 1818 | 1831 |
| 1819 CPDF_DataAvail::PageNode::PageNode() : m_type(PDF_PAGENODE_UNKNOWN) {} | 1832 CPDF_DataAvail::PageNode::PageNode() : m_type(PDF_PAGENODE_UNKNOWN) {} |
| 1820 | 1833 |
| 1821 CPDF_DataAvail::PageNode::~PageNode() { | 1834 CPDF_DataAvail::PageNode::~PageNode() { |
| 1822 for (int32_t i = 0; i < m_childNode.GetSize(); ++i) | 1835 for (int32_t i = 0; i < m_childNode.GetSize(); ++i) |
| 1823 delete m_childNode[i]; | 1836 delete m_childNode[i]; |
| 1824 m_childNode.RemoveAll(); | 1837 m_childNode.RemoveAll(); |
| 1825 } | 1838 } |
| OLD | NEW |
