Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(3120)

Unified Diff: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Issue 367383002: Fix for UMR in CXML_Parser::GetCharRef. (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: AUTHORS Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « AUTHORS ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 5e926c31b940b9dd68e0d77e6097b5d7a937c8b0..ed3febb7a9cff54f9a9f74479b49196089b68037 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -2411,11 +2411,9 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT
if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) ||
((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) &&
((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) {
- FX_FILESIZE pos = m_Pos;
if (pLenObj) {
len = pLenObj->GetInteger();
}
- m_Pos = pos;
if (len > 0x40000000) {
return NULL;
}
@@ -2426,6 +2424,9 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT
pContext->m_DataStart = m_Pos;
}
m_Pos += len;
+ if (m_Pos >= m_FileLen) {
jun_fang 2014/07/08 17:37:11 Type m_Pos: FX_FILESIZE -> FX_INT32->int m_Fil
Robert Sesek 2014/07/08 18:35:57 Done, and Chris Palmer also suggested using Checke
+ return NULL;
+ }
CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler;
if (pCryptoHandler == NULL) {
FX_FILESIZE SavedPos = m_Pos;
« no previous file with comments | « AUTHORS ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698