Do not add invalid objects to the cross reference table. BUG=chromium:851994 Change-Id: I2e14401271c70afa204221e0f3d469f0b82ce8cf Reviewed-on: https://pdfium-review.googlesource.com/37871 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Art Snake <art-snake@yandex-team.ru>
diff --git a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
index 4be9174..77c0e81 100644
--- a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
+++ b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
@@ -7,6 +7,7 @@ #include <utility> #include "core/fpdfapi/parser/cpdf_dictionary.h" +#include "core/fpdfapi/parser/cpdf_parser.h" // static std::unique_ptr<CPDF_CrossRefTable> CPDF_CrossRefTable::MergeUp( @@ -31,6 +32,12 @@ void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num, uint32_t archive_obj_num) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber || + archive_obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; if (info.gennum > 0) return; @@ -48,6 +55,11 @@ void CPDF_CrossRefTable::AddNormal(uint32_t obj_num, uint16_t gen_num, FX_FILESIZE pos) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; if (info.gennum > gen_num) return; @@ -63,6 +75,11 @@ } void CPDF_CrossRefTable::SetFree(uint32_t obj_num) { + if (obj_num >= CPDF_Parser::kMaxObjectNumber) { + NOTREACHED(); + return; + } + auto& info = objects_info_[obj_num]; info.type = ObjectType::kFree; info.gennum = 0xFFFF;
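Review bot: In AddCompressed, and identically in AddNormal and SetFree further down, the new guard pairs `NOTREACHED()` with an early return, yet the object numbers being rejected presumably originate in parsed file data, so the branch is only unreachable if every caller filters first. Only one caller (in cpdf_parser.cpp) is updated in this diff; if another still forwards unfiltered numbers, debug and fuzzing builds would abort on a malformed file while release builds silently drop the entry. Either state the contract above each guard, e.g. `// Callers must reject obj_num >= CPDF_Parser::kMaxObjectNumber; out-of-range entries are dropped.`, or remove `NOTREACHED();` and treat this as ordinary input validation. The same check is repeated three times and could live in one small file-local helper. All three function bodies continue outside their hunks.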
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 54e0524..ecc0546 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -777,7 +777,8 @@
 }
 }
 }
- cross_ref_table->AddNormal(objnum, gennum, obj_pos);
+ if (objnum < kMaxObjectNumber)
+ cross_ref_table->AddNormal(objnum, gennum, obj_pos);
 }
 state = ParserState::kDefault;
 break;
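Review bot: The new `if (objnum < kMaxObjectNumber)` filter silently skips the entry with no comment saying why, and it is the only thing keeping the `NOTREACHED()` guard in `AddNormal` from firing on this path. A line such as `// Skip object numbers beyond the parser limit; CPDF_CrossRefTable rejects them.` would make that dependency visible. No test is visible in this diff; a case with an object number at `kMaxObjectNumber` and one just below it would pin the boundary. The enclosing function starts and ends outside the hunk, so where `objnum` is parsed cannot be checked from here.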