
Side by Side Diff: core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

Issue 551503003: Check object type for objects used in the dictory of 'Index' (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 6 years, 3 months ago
OLDNEW
1 // Copyright 2014 PDFium Authors. All rights reserved. 1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "../../../include/fpdfapi/fpdf_parser.h" 7 #include "../../../include/fpdfapi/fpdf_parser.h"
8 #include "../../../include/fpdfapi/fpdf_module.h" 8 #include "../../../include/fpdfapi/fpdf_module.h"
9 #include "../../../include/fpdfapi/fpdf_page.h" 9 #include "../../../include/fpdfapi/fpdf_page.h"
10 #include "../../../../third_party/numerics/safe_math.h" 10 #include "../../../../third_party/numerics/safe_math.h"
11 #include "../fpdf_page/pageint.h" 11 #include "../fpdf_page/pageint.h"
12 #include <limits.h> 12 #include <utility>
13 #include <vector>
14
13 #define _PARSER_OBJECT_LEVLE_ 64 15 #define _PARSER_OBJECT_LEVLE_ 64
14 extern const FX_LPCSTR _PDF_CharType; 16 extern const FX_LPCSTR _PDF_CharType;
15 FX_BOOL IsSignatureDict(const CPDF_Dictionary* pDict) 17 FX_BOOL IsSignatureDict(const CPDF_Dictionary* pDict)
16 { 18 {
17 CPDF_Object* pType = pDict->GetElementValue(FX_BSTRC("Type")); 19 CPDF_Object* pType = pDict->GetElementValue(FX_BSTRC("Type"));
18 if (!pType) { 20 if (!pType) {
19 pType = pDict->GetElementValue(FX_BSTRC("FT")); 21 pType = pDict->GetElementValue(FX_BSTRC("FT"));
20 if (!pType) { 22 if (!pType) {
21 return FALSE; 23 return FALSE;
22 } 24 }
(...skipping 995 matching lines...) Expand 10 before | Expand all | Expand 10 after
1018 } 1020 }
1019 if (bMainXRef) { 1021 if (bMainXRef) {
1020 m_pTrailer = (CPDF_Dictionary*)pStream->GetDict()->Clone(); 1022 m_pTrailer = (CPDF_Dictionary*)pStream->GetDict()->Clone();
1021 m_CrossRef.SetSize(size); 1023 m_CrossRef.SetSize(size);
1022 if (m_V5Type.SetSize(size)) { 1024 if (m_V5Type.SetSize(size)) {
1023 FXSYS_memset32(m_V5Type.GetData(), 0, size); 1025 FXSYS_memset32(m_V5Type.GetData(), 0, size);
1024 } 1026 }
1025 } else { 1027 } else {
1026 m_Trailers.Add((CPDF_Dictionary*)pStream->GetDict()->Clone()); 1028 m_Trailers.Add((CPDF_Dictionary*)pStream->GetDict()->Clone());
1027 } 1029 }
1028 CFX_DWordArray IndexArray, WidthArray;
1029 FX_DWORD nSegs = 0; 1030 FX_DWORD nSegs = 0;
1031 std::vector <std::pair <FX_INT32, FX_INT32>> arrIndex;
1030 CPDF_Array* pArray = pStream->GetDict()->GetArray(FX_BSTRC("Index")); 1032 CPDF_Array* pArray = pStream->GetDict()->GetArray(FX_BSTRC("Index"));
1031 if (pArray == NULL) { 1033 if (pArray) {
1032 IndexArray.Add(0); 1034 FX_DWORD nPairSize = pArray->GetCount() / 2;
1033 IndexArray.Add(size); 1035 CPDF_Object* pStartNumObj = NULL;
1034 nSegs = 1; 1036 CPDF_Object* pCountObj = NULL;
1035 } else { 1037 for (FX_DWORD i = 0; i < nPairSize; i++) {
1036 for (FX_DWORD i = 0; i < pArray->GetCount(); i ++) { 1038 pStartNumObj = pArray->GetElement(i * 2);
1037 IndexArray.Add(pArray->GetInteger(i)); 1039 pCountObj = pArray->GetElement(i * 2 + 1);
1040 if (pStartNumObj && pStartNumObj->GetType() == PDFOBJ_NUMBER
1041 && pCountObj && pCountObj->GetType() == PDFOBJ_NUMBER) {
1042 arrIndex.push_back(std::make_pair(pStartNumObj->GetInteger(), pC ountObj->GetInteger()));
1043 }
1038 } 1044 }
1039 nSegs = pArray->GetCount() / 2; 1045 nSegs = arrIndex.size();
1046 if (nSegs == 0) {
1047 arrIndex.push_back(std::make_pair(0, size));
1048 nSegs = 1;
1049 }
1040 } 1050 }
1041 pArray = pStream->GetDict()->GetArray(FX_BSTRC("W")); 1051 pArray = pStream->GetDict()->GetArray(FX_BSTRC("W"));
1042 if (pArray == NULL) { 1052 if (pArray == NULL) {
1043 pStream->Release(); 1053 pStream->Release();
1044 return FALSE; 1054 return FALSE;
1045 } 1055 }
1046 FX_DWORD totalwidth = 0; 1056 CFX_DWordArray WidthArray;
1047 FX_DWORD i; 1057 FX_SAFE_DWORD dwAccWidth = 0;
1048 for (i = 0; i < pArray->GetCount(); i ++) { 1058 for (FX_DWORD i = 0; i < pArray->GetCount(); i ++) {
1049 WidthArray.Add(pArray->GetInteger(i)); 1059 WidthArray.Add(pArray->GetInteger(i));
1050 if (totalwidth + WidthArray[i] < totalwidth) { 1060 dwAccWidth += WidthArray[i];
1051 pStream->Release();
1052 return FALSE;
1053 }
1054 totalwidth += WidthArray[i];
1055 } 1061 }
1056 if (totalwidth == 0 || WidthArray.GetSize() < 3) { 1062 if (!dwAccWidth.IsValid() || WidthArray.GetSize() < 3) {
1057 pStream->Release(); 1063 pStream->Release();
1058 return FALSE; 1064 return FALSE;
1059 } 1065 }
1066 FX_DWORD totalWidth = dwAccWidth.ValueOrDie();
1060 CPDF_StreamAcc acc; 1067 CPDF_StreamAcc acc;
1061 acc.LoadAllData(pStream); 1068 acc.LoadAllData(pStream);
1062 FX_LPCBYTE pData = acc.GetData(); 1069 FX_LPCBYTE pData = acc.GetData();
1063 FX_DWORD dwTotalSize = acc.GetSize(); 1070 FX_DWORD dwTotalSize = acc.GetSize();
1064 FX_DWORD segindex = 0; 1071 FX_DWORD segindex = 0;
1065 for (i = 0; i < nSegs; i ++) { 1072 for (FX_DWORD i = 0; i < nSegs; i ++) {
1066 FX_INT32 startnum = IndexArray[i * 2]; 1073 FX_INT32 startnum = arrIndex[i].first;
1067 if (startnum < 0) { 1074 if (startnum < 0) {
1068 continue; 1075 continue;
1069 } 1076 }
1070 m_dwXrefStartObjNum = startnum; 1077 m_dwXrefStartObjNum = base::checked_cast<FX_DWORD, FX_INT32> (startnum);
1071 FX_DWORD count = IndexArray[i * 2 + 1]; 1078 FX_DWORD count = base::checked_cast<FX_DWORD, FX_INT32> (arrIndex[i].sec ond);
1072 if (segindex + count < segindex || segindex + count == 0 || 1079 FX_SAFE_DWORD dwCaculatedSize = segindex;
1073 (FX_DWORD)totalwidth >= UINT_MAX / (segindex + count) || (segind ex + count) * (FX_DWORD)totalwidth > dwTotalSize) { 1080 dwCaculatedSize += count;
1081 dwCaculatedSize *= totalWidth;
1082 if (!dwCaculatedSize.IsValid() || dwCaculatedSize.ValueOrDie() > dwTotal Size) {
1074 continue; 1083 continue;
1075 } 1084 }
1076 FX_LPCBYTE segstart = pData + segindex * (FX_DWORD)totalwidth; 1085 FX_LPCBYTE segstart = pData + segindex * totalWidth;
1077 if ((FX_DWORD)startnum + count < (FX_DWORD)startnum || 1086 FX_SAFE_DWORD dwMaxObjNum = startnum;
1078 (FX_DWORD)startnum + count > (FX_DWORD)m_V5Type.GetSize()) { 1087 dwMaxObjNum += count;
1088 FX_DWORD dwV5Size = base::checked_cast<FX_DWORD, FX_INT32> (m_V5Type.Get Size());
1089 if (!dwMaxObjNum.IsValid() || dwMaxObjNum.ValueOrDie() > dwV5Size) {
1079 continue; 1090 continue;
1080 } 1091 }
1081 for (FX_DWORD j = 0; j < count; j ++) { 1092 for (FX_DWORD j = 0; j < count; j ++) {
1082 FX_INT32 type = 1; 1093 FX_INT32 type = 1;
1083 FX_LPCBYTE entrystart = segstart + j * totalwidth; 1094 FX_LPCBYTE entrystart = segstart + j * totalWidth;
1084 if (WidthArray[0]) { 1095 if (WidthArray[0]) {
1085 type = _GetVarInt(entrystart, WidthArray[0]); 1096 type = _GetVarInt(entrystart, WidthArray[0]);
1086 } 1097 }
1087 if (m_V5Type[startnum + j] == 255) { 1098 if (m_V5Type[startnum + j] == 255) {
1088 FX_FILESIZE offset = _GetVarInt(entrystart + WidthArray[0], Widt hArray[1]); 1099 FX_FILESIZE offset = _GetVarInt(entrystart + WidthArray[0], Widt hArray[1]);
1089 m_CrossRef[startnum + j] = offset; 1100 m_CrossRef[startnum + j] = offset;
1090 FX_LPVOID pResult = FXSYS_bsearch(&offset, m_SortedOffset.GetDat a(), m_SortedOffset.GetSize(), sizeof(FX_FILESIZE), _CompareFileSize); 1101 FX_LPVOID pResult = FXSYS_bsearch(&offset, m_SortedOffset.GetDat a(), m_SortedOffset.GetSize(), sizeof(FX_FILESIZE), _CompareFileSize);
1091 if (pResult == NULL) { 1102 if (pResult == NULL) {
1092 m_SortedOffset.Add(offset); 1103 m_SortedOffset.Add(offset);
1093 } 1104 }
(...skipping 3331 matching lines...) Expand 10 before | Expand all | Expand 10 after
4425 { 4436 {
4426 FX_INT32 iSize = m_childNode.GetSize(); 4437 FX_INT32 iSize = m_childNode.GetSize();
4427 for (FX_INT32 i = 0; i < iSize; ++i) { 4438 for (FX_INT32 i = 0; i < iSize; ++i) {
4428 CPDF_PageNode *pNode = (CPDF_PageNode*)m_childNode[i]; 4439 CPDF_PageNode *pNode = (CPDF_PageNode*)m_childNode[i];
4429 if (pNode) { 4440 if (pNode) {
4430 delete pNode; 4441 delete pNode;
4431 } 4442 }
4432 } 4443 }
4433 m_childNode.RemoveAll(); 4444 m_childNode.RemoveAll();
4434 } 4445 }
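Review bot: A negative count from /Index reaches `base::checked_cast<FX_DWORD, FX_INT32> (arrIndex[i].second)` at new line 1078 unchecked, because the segment loop only filters `startnum < 0`; if checked_cast aborts on an out-of-range value, as the Chromium numerics helper normally does, a malformed file ends the process instead of having the segment skipped. Widening the existing guard to `if (startnum < 0 || arrIndex[i].second < 0) {` keeps the skip-on-bad-data behaviour the rest of the loop uses. Counting braces on the new side, the `if (nSegs == 0)` fallback at 1046-1049 appears to sit inside `if (pArray)`, so a stream with no /Index would leave nSegs at 0 and read no entries where the old code defaulted to [0, size]; moving the fallback below the closing brace at 1050 would restore that default. The new width check `!dwAccWidth.IsValid()` also no longer rejects a total width of 0, which the old `totalwidth == 0` test did, so that case deserves either the old test or a comment saying why it is now accepted. The enclosing function starts and ends outside the visible lines, so whether segindex is advanced per segment cannot be confirmed from here.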