Check for bad values of startxref. The startxref value should not point into the PDF file header. BUG=chromium:913960 Change-Id: Id1bcf9c0dafa8853f2dda5564e8b5d6407fe4bd8 Reviewed-on: https://pdfium-review.googlesource.com/c/47351 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 08d5a33..dd885bc 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -166,8 +166,7 @@
   bool bXRefRebuilt = false;
   m_LastXRefOffset = ParseStartXRef();
-
-  if (m_LastXRefOffset > 0) {
+  if (m_LastXRefOffset >= kPDFHeaderSize) {
     if (!LoadAllCrossRefV4(m_LastXRefOffset) &&
         !LoadAllCrossRefV5(m_LastXRefOffset)) {
       if (!RebuildCrossRef())
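Review bot: The new lower bound `m_LastXRefOffset >= kPDFHeaderSize` carries no comment, and kPDFHeaderSize is only the length of the `%PDF-x.y` signature, so the line explains neither why an offset inside the header is rejected nor what happens to such a file; suggest `// A startxref that lands inside the "%PDF-x.y" header cannot name a real xref section (crbug.com/913960); treat it like a missing startxref rather than feeding header bytes to the xref-stream parser.` The check is one-sided: an offset at or past the end of the document is just as bogus and is presumably only caught by LoadAllCrossRefV4/V5 failing and falling through to RebuildCrossRef, so if the syntax parser exposes the document size, rejecting such offsets here would make the two cases symmetric. Note that the old `> 0` test already sent a zero offset down the else path, so the change only affects values in 1..kPDFHeaderSize-1. The enclosing function (StartParseInternal, judging by the new test) and the else branch that handles a rejected offset lie outside the hunk.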
diff --git a/core/fpdfapi/parser/cpdf_parser.h b/core/fpdfapi/parser/cpdf_parser.h
index 6d0b9b5..f0d497b 100644
--- a/core/fpdfapi/parser/cpdf_parser.h
+++ b/core/fpdfapi/parser/cpdf_parser.h
@@ -125,6 +125,7 @@
   std::unique_ptr<CPDF_SyntaxParser> m_pSyntax;
 
  private:
+  friend class cpdf_parser_BadStartXrefShouldNotBuildCrossRefTable_Test;
   friend class cpdf_parser_ParseStartXRefWithHeaderOffset_Test;
   friend class cpdf_parser_ParseStartXRef_Test;
   friend class cpdf_parser_ParseLinearizedWithHeaderOffset_Test;
diff --git a/core/fpdfapi/parser/cpdf_parser_unittest.cpp b/core/fpdfapi/parser/cpdf_parser_unittest.cpp
index 7012bd6..d7f96b8 100644
--- a/core/fpdfapi/parser/cpdf_parser_unittest.cpp
+++ b/core/fpdfapi/parser/cpdf_parser_unittest.cpp
@@ -284,3 +284,20 @@
   EXPECT_TRUE(parser.ParseLinearizedHeader());
 }
+
+TEST(cpdf_parser, BadStartXrefShouldNotBuildCrossRefTable) {
+  const unsigned char kData[] =
+      "%PDF1-7 0 obj <</Size 2 /W [0 0 0]\n>>\n"
+      "stream\n"
+      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
+      "endstream\n"
+      "endobj\n"
+      "startxref\n"
+      "6\n"
+      "%%EOF\n";
+  CPDF_TestParser parser;
+  ASSERT_TRUE(parser.InitTestFromBuffer(kData));
+  EXPECT_EQ(CPDF_Parser::FORMAT_ERROR, parser.StartParseInternal());
+  ASSERT_TRUE(parser.GetCrossRefTable());
+  EXPECT_EQ(0u, parser.GetCrossRefTable()->objects_info().size());
+}
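Review bot: The test pins only offset 6 and says nothing about why that value matters; a comment above kData such as `// startxref 6 lands inside the "%PDF1-7 0 obj" header bytes, which must not be parsed as an xref stream (crbug.com/913960).` would keep the fixture meaningful the next time someone edits it. The boundary the fix introduces is untested: a second buffer with startxref equal to kPDFHeaderSize - 1 (still rejected) and one equal to kPDFHeaderSize (accepted, then failing to load) would catch an off-by-one in the new comparison. Because kData is initialised from a string literal, the buffer handed to InitTestFromBuffer presumably includes the trailing NUL; that is harmless only if the other tests in this file do the same, so confirm it is intended. The new test is complete within the hunk; the two context lines belong to the preceding test, which begins outside it.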