Add a fuzzer for CPDF_HintTables.

core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp

 // Copyright 2016 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h"
 
 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h"
 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h"
@@ skipping 42 matching lines @@
   int nStreamLen = ReadPrimaryHintStreamLength();
   if (nStreamOffset < 0 || nStreamLen < 1)
     return false;
 
   const uint32_t kHeaderSize = 288;
   if (hStream->BitsRemaining() < kHeaderSize)
     return false;
 
   // Item 1: The least number of objects in a page.
   uint32_t dwObjLeastNum = hStream->GetBits(32);
+  if (!dwObjLeastNum)
+    return FALSE;
 
   // Item 2: The location of the first page's page object.
   uint32_t dwFirstObjLoc = hStream->GetBits(32);
   if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) {
     FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen);
     safeLoc += dwFirstObjLoc;
     if (!safeLoc.IsValid())
       return false;
     m_szFirstPageObjOffset =
         pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie());
   } else {
     m_szFirstPageObjOffset =
         pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc);
   }
 
   // Item 3: The number of bits needed to represent the difference
   // between the greatest and least number of objects in a page.
   uint32_t dwDeltaObjectsBits = hStream->GetBits(16);
+  if (!dwDeltaObjectsBits)
+    return FALSE;
 
   // Item 4: The least length of a page in bytes.
   uint32_t dwPageLeastLen = hStream->GetBits(32);
+  if (!dwPageLeastLen)
+    return FALSE;
 
   // Item 5: The number of bits needed to represent the difference
   // between the greatest and least length of a page, in bytes.
   uint32_t dwDeltaPageLenBits = hStream->GetBits(16);
+  if (!dwDeltaPageLenBits)
+    return FALSE;
 
   // Skip Item 6, 7, 8, 9 total 96 bits.
   hStream->SkipBits(96);
 
   // Item 10: The number of bits needed to represent the greatest
   // number of shared object references.
   uint32_t dwSharedObjBits = hStream->GetBits(16);
 
   // Item 11: The number of bits needed to represent the numerically
   // greatest shared object identifier used by the pages.
   uint32_t dwSharedIdBits = hStream->GetBits(16);
+  if (!dwSharedObjBits)
+    return FALSE;
 
   // Item 12: The number of bits needed to represent the numerator of
   // the fractional position for each shared object reference. For each
   // shared object referenced from a page, there is an indication of
   // where in the page's content stream the object is first referenced.
   uint32_t dwSharedNumeratorBits = hStream->GetBits(16);
+  if (!dwSharedIdBits)
+    return FALSE;
 
   // Item 13: Skip Item 13 which has 16 bits.
   hStream->SkipBits(16);
 
   // The maximum number of bits allowed to represent the greatest number of
   // shared object references. 2^39 should be more than enough.
   constexpr uint32_t kMaxSharedObjBits = 39;
   if (dwSharedObjBits > kMaxSharedObjBits)
     return false;
 
   const int nPages = GetNumberOfPages();
-  if (nPages < 1)
+  if (nPages < 1 || nPages >= FPDF_PAGE_MAX_NUM)
     return false;
 
   const uint32_t dwPages = pdfium::base::checked_cast<uint32_t>(nPages);
   FX_SAFE_UINT32 required_bits = dwDeltaObjectsBits;
   required_bits *= dwPages;
   if (!CanReadFromBitStream(hStream, required_bits))
     return false;
 
   for (int i = 0; i < nPages; ++i) {
     FX_SAFE_UINT32 safeDeltaObj = hStream->GetBits(dwDeltaObjectsBits);
     safeDeltaObj += dwObjLeastNum;
     if (!safeDeltaObj.IsValid())
       return false;
     m_dwDeltaNObjsArray.push_back(safeDeltaObj.ValueOrDie());
   }
   hStream->ByteAlign();
 
   required_bits = dwDeltaPageLenBits;
   required_bits *= dwPages;
   if (!CanReadFromBitStream(hStream, required_bits))
     return false;
 
-  CFX_ArrayTemplate<uint32_t> dwPageLenArray;
+  std::vector<uint32_t> dwPageLenArray;
   for (int i = 0; i < nPages; ++i) {
     FX_SAFE_UINT32 safePageLen = hStream->GetBits(dwDeltaPageLenBits);
     safePageLen += dwPageLeastLen;
     if (!safePageLen.IsValid())
       return false;
-    dwPageLenArray.Add(safePageLen.ValueOrDie());
+
+    dwPageLenArray.push_back(safePageLen.ValueOrDie());
   }
 
   int nOffsetE = GetEndOfFirstPageOffset();
   if (nOffsetE < 0)
     return false;
 
   int nFirstPageNum = GetFirstPageNumber();
   for (int i = 0; i < nPages; ++i) {
     if (i == nFirstPageNum) {
       m_szPageOffsetArray.push_back(m_szFirstPageObjOffset);
@@ skipping 320 matching lines @@
 }
 
 int CPDF_HintTables::ReadPrimaryHintStream(int index) const {
   CPDF_Array* pRange = m_pLinearizedDict->GetArrayBy("H");
   if (!pRange)
     return -1;
 
   CPDF_Object* pStreamLen = pRange->GetDirectObjectAt(index);
   return pStreamLen ? pStreamLen->GetInteger() : -1;
 }