Fix for UMR in CXML_Parser::GetCharRef.

core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Index: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 5e926c31b940b9dd68e0d77e6097b5d7a937c8b0..ed3febb7a9cff54f9a9f74479b49196089b68037 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2411,11 +2411,9 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT
     if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) ||
                     ((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) &&
                      ((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) {
-        FX_FILESIZE pos = m_Pos;
         if (pLenObj) {
             len = pLenObj->GetInteger();
         }
-        m_Pos = pos;
         if (len > 0x40000000) {
             return NULL;
         }
@@ -2426,6 +2424,9 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT
         pContext->m_DataStart = m_Pos;
     }
     m_Pos += len;
+    if (m_Pos >= m_FileLen) {

[jun_fang, 2014/07/08 17:37:11]

Type
m_Pos:     FX_FILESIZE -> FX_INT32->int
m_FileLen: FX_FILESIZE -> FX_INT32->int
at line 2410: FX_DWORD len = 0; FX_DWORD->unsigned int
at line 2426: m_Pos += len;

len's scope is larger than m_Pos and m_FileLen.

Suggestion:
change FX_DWORD to FX_FILESIZE at line 2410. 

[Robert Sesek, 2014/07/08 18:35:57]

Done, and Chris Palmer also suggested using CheckedNumeric because for a
sufficiently large value of |len|, it could still overflow.

+        return NULL;
+    }
     CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler;
     if (pCryptoHandler == NULL) {
         FX_FILESIZE SavedPos = m_Pos;