Fix a stack overflow in CPDF_Parser::LoadCrossRefV5
authorJUN FANG <jun_fang@foxitsoftware.com>
Fri, 10 Apr 2015 20:45:43 +0000 (13:45 -0700)
committerJUN FANG <jun_fang@foxitsoftware.com>
Fri, 10 Apr 2015 20:45:43 +0000 (13:45 -0700)
A stack overflow was triggered by checked_cast due to an
invalid index in PDF files, such as 'Index[45 -1661]'.

BUG=473400
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1054303005

core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

index 592f24f..4be403b 100644 (file)
@@ -1039,7 +1039,11 @@ FX_BOOL CPDF_Parser::LoadCrossRefV5(FX_FILESIZE pos, FX_FILESIZE& prev, FX_BOOL
             CPDF_Object* pCountObj = pArray->GetElement(i * 2 + 1);
             if (pStartNumObj && pStartNumObj->GetType() == PDFOBJ_NUMBER
                 && pCountObj && pCountObj->GetType() == PDFOBJ_NUMBER) {
-                arrIndex.push_back(std::make_pair(pStartNumObj->GetInteger(), pCountObj->GetInteger()));
+                int nStartNum = pStartNumObj->GetInteger();
+                int nCount = pCountObj->GetInteger();
+                if (nStartNum >= 0 && nCount > 0) {
+                    arrIndex.push_back(std::make_pair(nStartNum, nCount));
+                }
             }
         }
     }
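Review bot: The new guard `if (nStartNum >= 0 && nCount > 0)` bounds each value from below only, so a pair whose sum exceeds INT_MAX is still pushed into arrIndex. The code that consumes arrIndex is outside this hunk, so I cannot tell whether it adds the two values safely. If it does not, tighten the check here to `if (nStartNum >= 0 && nCount > 0 && nCount <= std::numeric_limits<int>::max() - nStartNum) {`. A rejected pair is also dropped silently while the loop continues, so later subsections may be read against stream data that belonged to the skipped one. Consider failing the load for a malformed Index array, or add a comment such as `// Skip malformed /Index pairs; entries from untrusted files may be negative.` to make the best-effort choice explicit.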