Check for bad values of startxref.
The startxref value should not point into the PDF file header.
BUG=chromium:913960
Change-Id: Id1bcf9c0dafa8853f2dda5564e8b5d6407fe4bd8
Reviewed-on: https://pdfium-review.googlesource.com/c/47351
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 08d5a33..dd885bc 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -166,8 +166,7 @@
bool bXRefRebuilt = false;
m_LastXRefOffset = ParseStartXRef();
-
- if (m_LastXRefOffset > 0) {
+ if (m_LastXRefOffset >= kPDFHeaderSize) {
if (!LoadAllCrossRefV4(m_LastXRefOffset) &&
!LoadAllCrossRefV5(m_LastXRefOffset)) {
if (!RebuildCrossRef())
diff --git a/core/fpdfapi/parser/cpdf_parser.h b/core/fpdfapi/parser/cpdf_parser.h
index 6d0b9b5..f0d497b 100644
--- a/core/fpdfapi/parser/cpdf_parser.h
+++ b/core/fpdfapi/parser/cpdf_parser.h
@@ -125,6 +125,7 @@
std::unique_ptr<CPDF_SyntaxParser> m_pSyntax;
private:
+ friend class cpdf_parser_BadStartXrefShouldNotBuildCrossRefTable_Test;
friend class cpdf_parser_ParseStartXRefWithHeaderOffset_Test;
friend class cpdf_parser_ParseStartXRef_Test;
friend class cpdf_parser_ParseLinearizedWithHeaderOffset_Test;
diff --git a/core/fpdfapi/parser/cpdf_parser_unittest.cpp b/core/fpdfapi/parser/cpdf_parser_unittest.cpp
index 7012bd6..d7f96b8 100644
--- a/core/fpdfapi/parser/cpdf_parser_unittest.cpp
+++ b/core/fpdfapi/parser/cpdf_parser_unittest.cpp
@@ -284,3 +284,20 @@
EXPECT_TRUE(parser.ParseLinearizedHeader());
}
+
+TEST(cpdf_parser, BadStartXrefShouldNotBuildCrossRefTable) {
+ const unsigned char kData[] =
+ "%PDF1-7 0 obj <</Size 2 /W [0 0 0]\n>>\n"
+ "stream\n"
+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
+ "endstream\n"
+ "endobj\n"
+ "startxref\n"
+ "6\n"
+ "%%EOF\n";
+ CPDF_TestParser parser;
+ ASSERT_TRUE(parser.InitTestFromBuffer(kData));
+ EXPECT_EQ(CPDF_Parser::FORMAT_ERROR, parser.StartParseInternal());
+ ASSERT_TRUE(parser.GetCrossRefTable());
+ EXPECT_EQ(0u, parser.GetCrossRefTable()->objects_info().size());
+}
