Do not add invalid objects to the cross reference table.
BUG=chromium:851994
Change-Id: I2e14401271c70afa204221e0f3d469f0b82ce8cf
Reviewed-on: https://pdfium-review.googlesource.com/37871
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
diff --git a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
index 4be9174..77c0e81 100644
--- a/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
+++ b/core/fpdfapi/parser/cpdf_cross_ref_table.cpp
@@ -7,6 +7,7 @@
#include <utility>
#include "core/fpdfapi/parser/cpdf_dictionary.h"
+#include "core/fpdfapi/parser/cpdf_parser.h"
// static
std::unique_ptr<CPDF_CrossRefTable> CPDF_CrossRefTable::MergeUp(
@@ -31,6 +32,12 @@
void CPDF_CrossRefTable::AddCompressed(uint32_t obj_num,
uint32_t archive_obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber ||
+ archive_obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
if (info.gennum > 0)
return;
@@ -48,6 +55,11 @@
void CPDF_CrossRefTable::AddNormal(uint32_t obj_num,
uint16_t gen_num,
FX_FILESIZE pos) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
if (info.gennum > gen_num)
return;
@@ -63,6 +75,11 @@
}
void CPDF_CrossRefTable::SetFree(uint32_t obj_num) {
+ if (obj_num >= CPDF_Parser::kMaxObjectNumber) {
+ NOTREACHED();
+ return;
+ }
+
auto& info = objects_info_[obj_num];
info.type = ObjectType::kFree;
info.gennum = 0xFFFF;
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index 54e0524..ecc0546 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -777,7 +777,8 @@
}
}
}
- cross_ref_table->AddNormal(objnum, gennum, obj_pos);
+ if (objnum < kMaxObjectNumber)
+ cross_ref_table->AddNormal(objnum, gennum, obj_pos);
}
state = ParserState::kDefault;
break;
