commit f3a3393a2f96bb8c4cc275ee67921e2b7bddf540
author Lei Zhang <thestig@chromium.org> Mon Aug 06 18:25:03 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Mon Aug 06 18:25:03 2018 +0000
tree bd59ca037a1036ea5a1816deb14194adb03279d9
parent 29201324de188dc3f88d835a90af18e10f5ff868

Avoid invalid object numbers in CPDF_Parser::LoadCrossRefV5().

BUG=chromium:865272

Change-Id: I4606bdfd78ebd6553c36b985b4f49d07b579ac40
Reviewed-on: https://pdfium-review.googlesource.com/39438
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Art Snake <art-snake@yandex-team.ru>

core/fpdfapi/parser/cpdf_parser.cpp

diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index e070d2f..9bb9bf2 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -757,14 +757,18 @@
       }
 
       const uint32_t objnum = startnum + i;
-      if (GetObjectType(objnum) == ObjectType::kNull) {
+      if (objnum >= CPDF_Parser::kMaxObjectNumber)
+        continue;
+
+      const ObjectType existing_type = GetObjectType(objnum);
+      if (existing_type == ObjectType::kNull) {
         uint32_t offset = GetVarInt(entrystart + WidthArray[0], WidthArray[1]);
         if (pdfium::base::IsValueInRangeForNumericType<FX_FILESIZE>(offset))
           m_CrossRefTable->AddNormal(objnum, 0, offset);
         continue;
       }
 
-      if (GetObjectType(objnum) != ObjectType::kFree)
+      if (existing_type != ObjectType::kFree)
         continue;
 
       if (type == ObjectType::kFree) {