Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(24)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp

Issue 2300903002: Handle another integer overflow in ReadPageHintTable(). (Closed)
Patch Set: rebase Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
index 3b0d2afbe0fee24ba29cb0e902ae3cd9c192b859..445f3bf433374062bdd5d50374dbeb6bad6907b4 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.cpp
@@ -6,6 +6,8 @@
#include "core/fpdfapi/fpdf_parser/cpdf_hint_tables.h"
+#include <limits>
+
#include "core/fpdfapi/fpdf_parser/include/cpdf_array.h"
#include "core/fpdfapi/fpdf_parser/include/cpdf_data_avail.h"
#include "core/fpdfapi/fpdf_parser/include/cpdf_dictionary.h"
@@ -57,9 +59,14 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
return false;
int nStreamOffset = ReadPrimaryHintStreamOffset();
+ if (nStreamOffset < 0)
+ return false;
+
int nStreamLen = ReadPrimaryHintStreamLength();
- if (nStreamOffset < 0 || nStreamLen < 1)
+ if (nStreamLen < 1 ||
+ !pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(nStreamLen)) {
return false;
+ }
const uint32_t kHeaderSize = 288;
if (hStream->BitsRemaining() < kHeaderSize)
@@ -68,20 +75,20 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
// Item 1: The least number of objects in a page.
const uint32_t dwObjLeastNum = hStream->GetBits(32);
if (!dwObjLeastNum)
- return FALSE;
+ return false;
// Item 2: The location of the first page's page object.
const uint32_t dwFirstObjLoc = hStream->GetBits(32);
if (dwFirstObjLoc > static_cast<uint32_t>(nStreamOffset)) {
- FX_SAFE_UINT32 safeLoc = pdfium::base::checked_cast<uint32_t>(nStreamLen);
+ FX_SAFE_FILESIZE safeLoc = nStreamLen;
safeLoc += dwFirstObjLoc;
if (!safeLoc.IsValid())
return false;
- m_szFirstPageObjOffset =
- pdfium::base::checked_cast<FX_FILESIZE>(safeLoc.ValueOrDie());
+ m_szFirstPageObjOffset = safeLoc.ValueOrDie();
} else {
- m_szFirstPageObjOffset =
- pdfium::base::checked_cast<FX_FILESIZE>(dwFirstObjLoc);
+ if (!pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(dwFirstObjLoc))
+ return false;
+ m_szFirstPageObjOffset = dwFirstObjLoc;
}
// Item 3: The number of bits needed to represent the difference
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698