| OLD | NEW |
|---|
| 1 // Copyright 2016 PDFium Authors. All rights reserved. | 1 // Copyright 2016 PDFium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com | 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com |
| 6 | 6 |
| 7 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" | 7 #include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h" |
| 8 | 8 |
| 9 #include <limits> |
| 10 |
| 9 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" | 11 #include "core/fpdfapi/fpdf_parser/include/cpdf_array.h" |
| 10 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" | 12 #include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h" |
| 11 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" | 13 #include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h" |
| 12 #include "core/fpdfapi/fpdf_parser/include/cpdf_document.h" | 14 #include "core/fpdfapi/fpdf_parser/include/cpdf_document.h" |
| 13 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" | 15 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream.h" |
| 14 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h" | 16 #include "core/fpdfapi/fpdf_parser/include/cpdf_stream_acc.h" |
| 15 #include "core/fxcrt/include/fx_safe_types.h" | 17 #include "core/fxcrt/include/fx_safe_types.h" |
| 16 | 18 |
| 17 namespace { | 19 namespace { |
| 18 | 20 |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 50 return 0; | 52 return 0; |
| 51 } | 53 } |
| 52 return szArray[index + 1] - szArray[index]; | 54 return szArray[index + 1] - szArray[index]; |
| 53 } | 55 } |
| 54 | 56 |
| 55 bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) { | 57 bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) { |
| 56 if (!hStream || hStream->IsEOF()) | 58 if (!hStream || hStream->IsEOF()) |
| 57 return false; | 59 return false; |
| 58 | 60 |
| 59 int nStreamOffset = ReadPrimaryHintStreamOffset(); | 61 int nStreamOffset = ReadPrimaryHintStreamOffset(); |
| 62 if (nStreamOffset < 0) |
| 63 return false; |
| 64 |
| 60 int nStreamLen = ReadPrimaryHintStreamLength(); | 65 int nStreamLen = ReadPrimaryHintStreamLength(); |
| 61 if (nStreamOffset < 0 || nStreamLen < 1) | 66 if (nStreamLen < 1 || |
| 67 !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) { |
| 62 return false; | 68 return false; |
| 69 } |
| 63 | 70 |
| 64 const uint32_t kHeaderSize = 288; | 71 const uint32_t kHeaderSize = 288; |
| 65 if (hStream->BitsRemaining() < kHeaderSize) | 72 if (hStream->BitsRemaining() < kHeaderSize) |
| 66 return false; | 73 return false; |
| 67 | 74 |
| 68 // Item 1: The least number of objects in a page. | 75 // Item 1: The least number of objects in a page. |
| 69 const uint32_t dwObjLeastNum = hStream->GetBits(32); | 76 const uint32_t dwObjLeastNum = hStream->GetBits(32); |
| 70 if (!dwObjLeastNum) | 77 if (!dwObjLeastNum) |
| 71 return FALSE; | 78 return false; |
| 72 | 79 |
| 73 // Item 2: The location of the first page's page object. | 80 // Item 2: The location of the first page's page object. |
| 74 const uint32_t dwFirstObjLoc = hStream->GetBits(32); | 81 const uint32_t dwFirstObjLoc = hStream->GetBits(32); |
| 75 if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) { | 82 if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) { |
| 76 FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen); | 83 FX_SAFE_FILESIZE safeLoc = nStreamLen; |
| 77 safeLoc += dwFirstObjLoc; | 84 safeLoc += dwFirstObjLoc; |
| 78 if (!safeLoc.IsValid()) | 85 if (!safeLoc.IsValid()) |
| 79 return false; | 86 return false; |
| 80 m_szFirstPageObjOffset = | 87 m_szFirstPageObjOffset = safeLoc.ValueOrDie(); |
| 81 pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie()); | |
| 82 } else { | 88 } else { |
| 83 m_szFirstPageObjOffset = | 89 if (!pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(dwFirstObjLoc)) |
| 84 pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc); | 90 return false; |
| 91 m_szFirstPageObjOffset = dwFirstObjLoc; |
| 85 } | 92 } |
| 86 | 93 |
| 87 // Item 3: The number of bits needed to represent the difference | 94 // Item 3: The number of bits needed to represent the difference |
| 88 // between the greatest and least number of objects in a page. | 95 // between the greatest and least number of objects in a page. |
| 89 const uint32_t dwDeltaObjectsBits = hStream->GetBits(16); | 96 const uint32_t dwDeltaObjectsBits = hStream->GetBits(16); |
| 90 if (!IsValidPageOffsetHintTableBitCount(dwDeltaObjectsBits)) | 97 if (!IsValidPageOffsetHintTableBitCount(dwDeltaObjectsBits)) |
| 91 return false; | 98 return false; |
| 92 | 99 |
| 93 // Item 4: The least length of a page in bytes. | 100 // Item 4: The least length of a page in bytes. |
| 94 const uint32_t dwPageLeastLen = hStream->GetBits(32); | 101 const uint32_t dwPageLeastLen = hStream->GetBits(32); |
| (...skipping 411 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 506 } | 513 } |
| 507 | 514 |
| 508 int CPDF_HintTables::ReadPrimaryHintStream(int index) const { | 515 int CPDF_HintTables::ReadPrimaryHintStream(int index) const { |
| 509 CPDF_Array* pRange = m_pLinearizedDict->GetArrayBy("H"); | 516 CPDF_Array* pRange = m_pLinearizedDict->GetArrayBy("H"); |
| 510 if (!pRange) | 517 if (!pRange) |
| 511 return -1; | 518 return -1; |
| 512 | 519 |
| 513 CPDF_Object* pStreamLen = pRange->GetDirectObjectAt(index); | 520 CPDF_Object* pStreamLen = pRange->GetDirectObjectAt(index); |
| 514 return pStreamLen ? pStreamLen->GetInteger() : -1; | 521 return pStreamLen ? pStreamLen->GetInteger() : -1; |
| 515 } | 522 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2300903002:
Handle another integer overflow in ReadPageHintTable(). (Closed)
