Fix comparisons against `kMaxXRefSize`
Make the comparisons for `kMaxXRefSize` consistent with the comparisons
for `kMaxObjectNumber`.
Change-Id: I6b67bca07559243e1ad32e3757767b4fa4331d60
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/135491
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 97a17cc..ec6d99f 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -415,7 +415,7 @@
cross_ref_table_->SetTrailer(std::move(trailer), kNoTrailerObjectNumber);
const int32_t xrefsize = GetTrailer()->GetDirectIntegerFor("Size");
- if (xrefsize > 0 && xrefsize <= kMaxXRefSize) {
+ if (xrefsize > 0 && xrefsize < kMaxXRefSize) {
cross_ref_table_->SetObjectMapSize(xrefsize);
}
}
@@ -559,7 +559,7 @@
return false;
}
- if (new_size.ValueOrDie() > kMaxXRefSize) {
+ if (new_size.ValueOrDie() >= kMaxXRefSize) {
return false;
}
@@ -913,11 +913,11 @@
// also ignores incorrect size in trailers for cross reference tables.
const uint32_t current_size =
cross_ref_table_->objects_info().empty() ? 0 : GetLastObjNum() + 1;
- // So allow `new_size` to be greater than `current_size`, but avoid going
- // over `kMaxXRefSize`. This works just fine because the loop below checks
+ // So allow `new_size` to be greater than `current_size`, but avoid reaching
+ // `kMaxXRefSize`. This works just fine because the loop below checks
// against `kMaxObjectNumber`, and the two "max" constants are in sync.
const uint32_t new_size =
- std::min<uint32_t>(safe_new_size.ValueOrDie(), kMaxXRefSize);
+ std::min<uint32_t>(safe_new_size.ValueOrDie(), kMaxXRefSize - 1);
if (new_size > current_size) {
cross_ref_table_->SetObjectMapSize(new_size);
}
