Fix for UMR in CXML_Parser::GetCharRef. BUG=387822 R=jun_fang@foxitsoftware.com Review URL: https://codereview.chromium.org/367383002
diff --git a/AUTHORS b/AUTHORS
index 0bbf656..29bd399 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -22,6 +22,7 @@ Nico Weber <thakis@chromium.org> Raymes Khoury <raymes@chromium.org> Reid Kleckner <rnk@chromium.org> +Robert Sesek <rsesek@chromium.org> Foxit Software Inc <*@foxitsoftware.com> Google Inc. <*@google.com>
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 3bfd37f..9261177 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -7,6 +7,7 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fpdfapi/fpdf_module.h"
 #include "../../../include/fpdfapi/fpdf_page.h"
+#include "../../../../third_party/numerics/safe_math.h"
 #include "../fpdf_page/pageint.h"
 #include <limits.h>
 #define _PARSER_OBJECT_LEVLE_ 64
@@ -2408,25 +2409,27 @@ FX_DWORD objnum, FX_DWORD gennum) { CPDF_Object* pLenObj = pDict->GetElement(FX_BSTRC("Length")); - FX_DWORD len = 0; + FX_FILESIZE len = 0; if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) || ((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) && ((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) { - FX_FILESIZE pos = m_Pos; - if (pLenObj) { - len = pLenObj->GetInteger(); - } - m_Pos = pos; - if (len > 0x40000000) { - return NULL; - } + len = pLenObj->GetInteger(); } + ToNextLine(); FX_FILESIZE StreamStartPos = m_Pos; if (pContext) { pContext->m_DataStart = m_Pos; } - m_Pos += len; + + base::CheckedNumeric<FX_FILESIZE> pos = m_Pos; + pos += len; + if (pos.IsValid() && pos.ValueOrDie() < m_FileLen) { + m_Pos = pos.ValueOrDie(); + } else { + return NULL; + } + CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler; if (pCryptoHandler == NULL) { FX_FILESIZE SavedPos = m_Pos;
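Review bot: A negative `/Length` is no longer rejected in the second hunk. The removed `len > 0x40000000` test ran on an unsigned `FX_DWORD`, so it also caught negative `GetInteger()` results; with `FX_FILESIZE len` (presumably signed, given the `CheckedNumeric` use) a negative value lets `pos += len` land before `StreamStartPos` and still pass `pos.ValueOrDie() < m_FileLen`. Because `/Length` comes from the document being parsed, I would reject it right after the read with `if (len < 0) return NULL;`, ahead of `ToNextLine()`. The old 1 GiB cap is gone as well, so `len` is now bounded only by `m_FileLen`. The function starts before and continues past this hunk, so whether later uses of `len` tolerate a negative or very large value cannot be confirmed from here.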