Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().
BUG=chromium:865272
Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40
Reviewed-on: https://pdfium-review.googlesource.com/39438
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index e070d2f..9bb9bf2 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -757,14 +757,18 @@
}
const uint32_t objnum = startnum + i;
- if (GetObjectType(objnum) == ObjectType::kNull) {
+ if (objnum >= CPDF_Parser::kMaxObjectNumber)
+ continue;
+
+ const ObjectType existing_type = GetObjectType(objnum);
+ if (existing_type == ObjectType::kNull) {
uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
if (pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(offset))
m_CrossRefTable->AddNormal(objnum, 0, offset);
continue;
}
- if (GetObjectType(objnum) != ObjectType::kFree)
+ if (existing_type != ObjectType::kFree)
continue;
if (type == ObjectType::kFree) {
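Review bot: The new guard `if (objnum >= CPDF_Parser::kMaxObjectNumber)` runs after `startnum + i` has already been computed in `uint32_t`, so a `startnum` near the 32-bit limit can wrap the sum and produce a small `objnum` that passes the check. Whether `startnum` and the entry count are range-checked before this loop is not visible in the hunk. If they are not, compare before adding, for example `if (startnum >= CPDF_Parser::kMaxObjectNumber || i >= CPDF_Parser::kMaxObjectNumber - startnum) break;`. Without wraparound `objnum` only grows with `i`, so `break` looks equivalent to `continue` here and stops walking the rest of a file-controlled segment once the limit is hit. A short comment such as `// Object numbers come from the file; ignore entries beyond the supported range.` would also record why the entry is skipped silently.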