Fix for UMR in CXML_Parser::GetCharRef.
authorChris Palmer <palmer@google.com>
Tue, 8 Jul 2014 21:02:05 +0000 (14:02 -0700)
committerChris Palmer <palmer@google.com>
Tue, 8 Jul 2014 21:02:05 +0000 (14:02 -0700)
BUG=387822
R=jun_fang@foxitsoftware.com

Review URL: https://codereview.chromium.org/367383002

AUTHORS
core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp

diff --git a/AUTHORS b/AUTHORS
index 0bbf656..29bd399 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -22,6 +22,7 @@ Michael Doppler <m.doppler@gmail.com>
 Nico Weber <thakis@chromium.org>
 Raymes Khoury <raymes@chromium.org>
 Reid Kleckner <rnk@chromium.org>
+Robert Sesek <rsesek@chromium.org>
 
 Foxit Software Inc <*@foxitsoftware.com>
 Google Inc. <*@google.com>
index 3bfd37f..9261177 100644 (file)
@@ -7,6 +7,7 @@
 #include "../../../include/fpdfapi/fpdf_parser.h"
 #include "../../../include/fpdfapi/fpdf_module.h"
 #include "../../../include/fpdfapi/fpdf_page.h"
+#include "../../../../third_party/numerics/safe_math.h"
 #include "../fpdf_page/pageint.h"
 #include <limits.h>
 #define _PARSER_OBJECT_LEVLE_          64
@@ -2408,25 +2409,27 @@ CPDF_Stream* CPDF_SyntaxParser::ReadStream(CPDF_Dictionary* pDict, PARSE_CONTEXT
         FX_DWORD objnum, FX_DWORD gennum)
 {
     CPDF_Object* pLenObj = pDict->GetElement(FX_BSTRC("Length"));
-    FX_DWORD len = 0;
+    FX_FILESIZE len = 0;
     if (pLenObj && ((pLenObj->GetType() != PDFOBJ_REFERENCE) ||
                     ((((CPDF_Reference*)pLenObj)->GetObjList() != NULL) &&
                      ((CPDF_Reference*)pLenObj)->GetRefObjNum() != objnum))) {
-        FX_FILESIZE pos = m_Pos;
-        if (pLenObj) {
-            len = pLenObj->GetInteger();
-        }
-        m_Pos = pos;
-        if (len > 0x40000000) {
-            return NULL;
-        }
+        len = pLenObj->GetInteger();
     }
+
     ToNextLine();
     FX_FILESIZE StreamStartPos = m_Pos;
     if (pContext) {
         pContext->m_DataStart = m_Pos;
     }
-    m_Pos += len;
+
+    base::CheckedNumeric<FX_FILESIZE> pos = m_Pos;
+    pos += len;
+    if (pos.IsValid() && pos.ValueOrDie() < m_FileLen) {
+        m_Pos = pos.ValueOrDie();
+    } else {
+        return NULL;
+    }
+
     CPDF_CryptoHandler* pCryptoHandler = objnum == (FX_DWORD)m_MetadataObjnum ? NULL : m_pCryptoHandler;
     if (pCryptoHandler == NULL) {
         FX_FILESIZE SavedPos = m_Pos;
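Review bot: A negative /Length is no longer rejected before the position is advanced: `len` is now a signed `FX_FILESIZE` assigned straight from `pLenObj->GetInteger()`, and the removed `len > 0x40000000` test, which on the old unsigned `FX_DWORD` also caught negative values, has no replacement. With a negative `len`, `pos += len` stays valid and below `m_FileLen`, so `m_Pos` is moved to an offset before `StreamStartPos` (possibly below zero) and the code after the hunk appears to continue with a negative stream length. I would add `if (len < 0) return NULL;` right after `len = pLenObj->GetInteger();`, or fold `len >= 0` into the `pos.IsValid()` condition. This assumes `FX_FILESIZE` is signed and `GetInteger()` returns a signed int, neither of which is declared in the hunk; the body of ReadStream continues past the last line shown.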