core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp - Issue 367383002: Fix for UMR in CXML_Parser::GetCharRef.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Issue 367383002: Fix for UMR in CXML_Parser::GetCharRef. (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master

Patch Set: Rebase origin/master Created 6 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

index 3bfd37fe4a3c289cb802b02dd94c18d55fb18443..926117722f7d93eb63a1cbe33e9c4a13ce6b98f6 100644

--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

@@ -7,6 +7,7 @@

#include "../../../include/fpdfapi/fpdf_parser.h"

#include "../../../include/fpdfapi/fpdf_module.h"

#include "../../../include/fpdfapi/fpdf_page.h"

+#include "../../../../third_party/numerics/safe_math.h"

#include "../fpdf_page/pageint.h"

#include <limits.h>

#define _PARSER_OBJECT_LEVLE_ 64

@@ -2408,25 +2409,27 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT

FX_DWORD objnum, FX_DWORD gennum)

{

CPDF_Object* pLenObj = pDict->GetElement(FX_BSTRC("Length"));

- FX_DWORD len = 0;

+ FX_FILESIZE len = 0;

if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) ||

((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) &&

((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) {

- FX_FILESIZE pos = m_Pos;

- if (pLenObj) {

- len = pLenObj->GetInteger();

- }

- m_Pos = pos;

- if (len > 0x40000000) {

- return NULL;

- }

+ len = pLenObj->GetInteger();

}

ToNextLine();

FX_FILESIZE StreamStartPos = m_Pos;

if (pContext) {

pContext->m_DataStart = m_Pos;

}

- m_Pos += len;

+ base::CheckedNumeric<FX_FILESIZE> pos = m_Pos;

+ pos += len;

+ if (pos.IsValid() && pos.ValueOrDie() < m_FileLen) {

+ m_Pos = pos.ValueOrDie();

+ } else {

+ return NULL;

+ }

CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler;

if (pCryptoHandler == NULL) {

FX_FILESIZE SavedPos = m_Pos;

« no previous file with comments | « AUTHORS ('k') | no next file » | no next file with comments »