commit | 4a4498ac867ed5ac47e100648817bfc665f8064e | [log] [tgz] |
---|---|---|
author | Tom Sepez <tsepez@chromium.org> | Fri May 13 21:36:18 2022 +0000 |
committer | Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> | Fri May 13 21:36:18 2022 +0000 |
tree | 4d97cc4bc1e1a5c2db3b999c67a826721294c558 | |
parent | a607dd50d24e54eef404195cf49db0d56985a680 [diff] |
Add a second line of defense against negative offsets Make CPDF_ReadValidator::ReadBlockAtOffset return immediately in this case. Change-Id: I4db0a4a149831c0e22b5d37276ef515ab5aa1b5f Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/93614 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_read_validator.cpp b/core/fpdfapi/parser/cpdf_read_validator.cpp index c02268f..47e113a 100644 --- a/core/fpdfapi/parser/cpdf_read_validator.cpp +++ b/core/fpdfapi/parser/cpdf_read_validator.cpp
@@ -57,6 +57,11 @@ bool CPDF_ReadValidator::ReadBlockAtOffset(void* buffer, FX_FILESIZE offset, size_t size) { + if (offset < 0) { + NOTREACHED(); + return false; + } + FX_SAFE_FILESIZE end_offset = offset; end_offset += size; if (!end_offset.IsValid() || end_offset.ValueOrDie() > file_size_)