| OLD | NEW |
|---|
| 1 // Copyright 2016 PDFium Authors. All rights reserved. | 1 // Copyright 2016 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" | 7 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" |
| 8 | 8 |
| 9 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" | 9 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" |
| 10 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" | 10 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 52 int nStreamOffset = ReadPrimaryHintStreamOffset(); | 52 int nStreamOffset = ReadPrimaryHintStreamOffset(); |
| 53 int nStreamLen = ReadPrimaryHintStreamLength(); | 53 int nStreamLen = ReadPrimaryHintStreamLength(); |
| 54 if (nStreamOffset < 0 || nStreamLen < 1) | 54 if (nStreamOffset < 0 || nStreamLen < 1) |
| 55 return false; | 55 return false; |
| 56 | 56 |
| 57 const uint32_t kHeaderSize = 288; | 57 const uint32_t kHeaderSize = 288; |
| 58 if (hStream->BitsRemaining() < kHeaderSize) | 58 if (hStream->BitsRemaining() < kHeaderSize) |
| 59 return false; | 59 return false; |
| 60 | 60 |
| 61 // Item 1: The least number of objects in a page. | 61 // Item 1: The least number of objects in a page. |
| 62 uint32_t dwObjLeastNum = hStream->GetBits(32); | 62 const uint32_t dwObjLeastNum = hStream->GetBits(32); |
| 63 if (!dwObjLeastNum) | 63 if (!dwObjLeastNum) |
| 64 return FALSE; | 64 return FALSE; |
| 65 | 65 |
| 66 // Item 2: The location of the first page's page object. | 66 // Item 2: The location of the first page's page object. |
| 67 uint32_t dwFirstObjLoc = hStream->GetBits(32); | 67 const uint32_t dwFirstObjLoc = hStream->GetBits(32); |
| 68 if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) { | 68 if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) { |
| 69 FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen); | 69 FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen); |
| 70 safeLoc += dwFirstObjLoc; | 70 safeLoc += dwFirstObjLoc; |
| 71 if (!safeLoc.IsValid()) | 71 if (!safeLoc.IsValid()) |
| 72 return false; | 72 return false; |
| 73 m_szFirstPageObjOffset = | 73 m_szFirstPageObjOffset = |
| 74 pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie()); | 74 pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie()); |
| 75 } else { | 75 } else { |
| 76 m_szFirstPageObjOffset = | 76 m_szFirstPageObjOffset = |
| 77 pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc); | 77 pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc); |
| 78 } | 78 } |
| 79 | 79 |
| 80 // Item 3: The number of bits needed to represent the difference | 80 // Item 3: The number of bits needed to represent the difference |
| 81 // between the greatest and least number of objects in a page. | 81 // between the greatest and least number of objects in a page. |
| 82 uint32_t dwDeltaObjectsBits = hStream->GetBits(16); | 82 const uint32_t dwDeltaObjectsBits = hStream->GetBits(16); |
| 83 if (!dwDeltaObjectsBits) | 83 if (!dwDeltaObjectsBits) |
| 84 return FALSE; | 84 return FALSE; |
| 85 | 85 |
| 86 // Item 4: The least length of a page in bytes. | 86 // Item 4: The least length of a page in bytes. |
| 87 uint32_t dwPageLeastLen = hStream->GetBits(32); | 87 const uint32_t dwPageLeastLen = hStream->GetBits(32); |
| 88 if (!dwPageLeastLen) | 88 if (!dwPageLeastLen) |
| 89 return FALSE; | 89 return FALSE; |
| 90 | 90 |
| 91 // Item 5: The number of bits needed to represent the difference | 91 // Item 5: The number of bits needed to represent the difference |
| 92 // between the greatest and least length of a page, in bytes. | 92 // between the greatest and least length of a page, in bytes. |
| 93 uint32_t dwDeltaPageLenBits = hStream->GetBits(16); | 93 const uint32_t dwDeltaPageLenBits = hStream->GetBits(16); |
| 94 if (!dwDeltaPageLenBits) | 94 if (!dwDeltaPageLenBits) |
| 95 return FALSE; | 95 return FALSE; |
| 96 | 96 |
| 97 // Skip Item 6, 7, 8, 9 total 96 bits. | 97 // Skip Item 6, 7, 8, 9 total 96 bits. |
| 98 hStream->SkipBits(96); | 98 hStream->SkipBits(96); |
| 99 | 99 |
| 100 // Item 10: The number of bits needed to represent the greatest | 100 // Item 10: The number of bits needed to represent the greatest |
| 101 // number of shared object references. | 101 // number of shared object references. |
| 102 uint32_t dwSharedObjBits = hStream->GetBits(16); | 102 const uint32_t dwSharedObjBits = hStream->GetBits(16); |
| 103 | 103 |
| 104 // Item 11: The number of bits needed to represent the numerically | 104 // Item 11: The number of bits needed to represent the numerically |
| 105 // greatest shared object identifier used by the pages. | 105 // greatest shared object identifier used by the pages. |
| 106 uint32_t dwSharedIdBits = hStream->GetBits(16); | 106 const uint32_t dwSharedIdBits = hStream->GetBits(16); |
| 107 if (!dwSharedObjBits) | 107 if (!dwSharedObjBits) |
| 108 return FALSE; | 108 return FALSE; |
| 109 | 109 |
| 110 // Item 12: The number of bits needed to represent the numerator of | 110 // Item 12: The number of bits needed to represent the numerator of |
| 111 // the fractional position for each shared object reference. For each | 111 // the fractional position for each shared object reference. For each |
| 112 // shared object referenced from a page, there is an indication of | 112 // shared object referenced from a page, there is an indication of |
| 113 // where in the page's content stream the object is first referenced. | 113 // where in the page's content stream the object is first referenced. |
| 114 uint32_t dwSharedNumeratorBits = hStream->GetBits(16); | 114 const uint32_t dwSharedNumeratorBits = hStream->GetBits(16); |
| 115 if (!dwSharedIdBits) | 115 if (!dwSharedIdBits) |
| 116 return FALSE; | 116 return FALSE; |
| 117 | 117 |
| 118 // Item 13: Skip Item 13 which has 16 bits. | 118 // Item 13: Skip Item 13 which has 16 bits. |
| 119 hStream->SkipBits(16); | 119 hStream->SkipBits(16); |
| 120 | 120 |
| 121 // The maximum number of bits allowed to represent the greatest number of | 121 // Sanity check values from the page table header. 2^|kMaxBits| should be more |
| 122 // shared object references. 2^39 should be more than enough. | 122 // than enough to represent most of the values here. |
| 123 constexpr uint32_t kMaxSharedObjBits = 39; | 123 constexpr uint32_t kMaxBits = 34; |
| 124 if (dwSharedObjBits > kMaxSharedObjBits) | 124 if (dwSharedObjBits > kMaxBits || dwDeltaObjectsBits > kMaxBits || |
| 125 dwSharedIdBits > kMaxBits) { |
| 125 return false; | 126 return false; |
| 127 } |
| 126 | 128 |
| 127 const int nPages = GetNumberOfPages(); | 129 const int nPages = GetNumberOfPages(); |
| 128 if (nPages < 1 || nPages >= FPDF_PAGE_MAX_NUM) | 130 if (nPages < 1 || nPages >= FPDF_PAGE_MAX_NUM) |
| 129 return false; | 131 return false; |
| 130 | 132 |
| 131 const uint32_t dwPages = pdfium::base::checked_cast<uint32_t>(nPages); | 133 const uint32_t dwPages = pdfium::base::checked_cast<uint32_t>(nPages); |
| 132 FX_SAFE_UINT32 required_bits = dwDeltaObjectsBits; | 134 FX_SAFE_UINT32 required_bits = dwDeltaObjectsBits; |
| 133 required_bits *= dwPages; | 135 required_bits *= dwPages; |
| 134 if (!CanReadFromBitStream(hStream, required_bits)) | 136 if (!CanReadFromBitStream(hStream, required_bits)) |
| 135 return false; | 137 return false; |
| (...skipping 353 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 489 } | 491 } |
| 490 | 492 |
| 491 int CPDF_HintTables::ReadPrimaryHintStream(int index) const { | 493 int CPDF_HintTables::ReadPrimaryHintStream(int index) const { |
| 492 CPDF_Array* pRange = m_pLinearizedDict->GetArrayBy("H"); | 494 CPDF_Array* pRange = m_pLinearizedDict->GetArrayBy("H"); |
| 493 if (!pRange) | 495 if (!pRange) |
| 494 return -1; | 496 return -1; |
| 495 | 497 |
| 496 CPDF_Object* pStreamLen = pRange->GetDirectObjectAt(index); | 498 CPDF_Object* pStreamLen = pRange->GetDirectObjectAt(index); |
| 497 return pStreamLen ? pStreamLen->GetInteger() : -1; | 499 return pStreamLen ? pStreamLen->GetInteger() : -1; |
| 498 } | 500 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2268693003:
Fix more integer overflows inside ReadPageHintTable(). (Closed)
Base URL: https://pdfium.googlesource.com/pdfium@master