Avoid out-of-bound access in CPDF_TextPageFind::FindNext()
Return false if `nStartPos` goes out of bounds. Update the relevant test
case now that the crash no longer occurs.
Bug: pdfium:2104
Change-Id: I401137d582f9d33b7d40245bbfdbee2b834255b9
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/114711
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdftext/cpdf_textpagefind.cpp b/core/fpdftext/cpdf_textpagefind.cpp
index 0d9fb68..9d8a534 100644
--- a/core/fpdftext/cpdf_textpagefind.cpp
+++ b/core/fpdftext/cpdf_textpagefind.cpp
@@ -287,6 +287,9 @@
size_t index = bSpaceStart ? 1 : 0;
nStartPos = m_resStart + m_csFindWhatArray[index].GetLength();
}
+ if (nStartPos >= strLen) {
+ return false;
+ }
}
m_resEnd = nResultPos.value() + m_csFindWhatArray.back().GetLength() - 1;
if (m_options.bConsecutive) {
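Review bot: The new bounds check at `if (nStartPos >= strLen)` returns false silently, and nothing at the call site records why the position can be past the end; a one-line why-comment would save the next reader from re-deriving the pdfium:2104 crash, e.g. `// After advancing past the current match nStartPos can land at or beyond strLen; there is nothing left to search and indexing from here would read out of bounds.`. The guard sits after the inner `}` but before the outer `}`, so it only covers the branch that recomputes `nStartPos` from `m_resStart + GetLength()`; if `nStartPos` can reach `strLen` on the other path into this code, that path is still unguarded. I cannot see the declared types of `nStartPos` and `strLen` in this hunk — if one is signed and the other `size_t`, the comparison would silently convert, so confirm they match. FindNext's body begins and ends outside this hunk.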
diff --git a/fpdfsdk/fpdf_text_embeddertest.cpp b/fpdfsdk/fpdf_text_embeddertest.cpp
index 425556a..8a57681 100644
--- a/fpdfsdk/fpdf_text_embeddertest.cpp
+++ b/fpdfsdk/fpdf_text_embeddertest.cpp
@@ -512,8 +512,7 @@
EXPECT_EQ(10, FPDFText_GetSchResultIndex(search.get()));
EXPECT_EQ(4, FPDFText_GetSchCount(search.get()));
- // TODO(crbug.com/pdfium/2104): Enable the code below. It should not crash.
- // EXPECT_FALSE(FPDFText_FindNext(search.get()));
+ EXPECT_FALSE(FPDFText_FindNext(search.get()));
}
UnloadPage(page);
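Review bot: The re-enabled `EXPECT_FALSE(FPDFText_FindNext(search.get()));` exercises the new guard exactly once; a second `EXPECT_FALSE(FPDFText_FindNext(search.get()));` immediately after it would also confirm that a search left at the end of the text stays at the end rather than re-entering the out-of-bounds path on a repeat call. Pinning `FPDFText_GetSchResultIndex` and `FPDFText_GetSchCount` again after the failed call would document whether the last successful match is preserved, though I cannot tell from this hunk what the intended contract is. The enclosing test body starts outside the hunk.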