Found by inspection. This does not cause a problem in real life, since a code
search shows that this is only called with args of "obj", "endobj" and
"endstream", and none of these have the self-symmetry required to trigger the
issue.
Consider searching for "0001" against "00001" with:
FX_FILESIZE CPDF_SyntaxParser::FindTag(FX_BSTR tag, FX_FILESIZE limit)
{
    FX_INT32 taglen = tag.GetLength();
    FX_INT32 match = 0;
    limit += m_Pos;
    FX_FILESIZE startpos = m_Pos;
    while (1) {
        FX_BYTE ch;
        if (!GetNextChar(ch)) {
            return -1;
        }
        if (ch == tag[match]) {
            match ++;
            if (match == taglen) {
                return m_Pos - startpos - taglen;
            }
        } else {
            match = ch == tag[0] ? 1 : 0;
        }
        if (limit && m_Pos == limit) {
            return -1;
        }
    }
    return -1;
}
The recovery code at:
    match = ch == tag[0] ? 1 : 0
is going to look for at most one previously-matched character, which is wrong
for the example above (but covers "endstream" against "endstrendstream").
Original issue reported on code.google.com by tsepez@chromium.org on 21 Oct 2014 at 11:20
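To make the failure concrete, here is an added example (not pdfium's code and not part of the original report) that re-implements the FindTag matching loop over an in-memory buffer, next to a version that rewinds `match` through a KMP failure table on mismatch instead of re-testing only the current byte. The names find_tag_buggy, failure_table and find_tag_fixed are hypothetical; "00001"/"0001" is the report's own example, while "endstendstream", "oobj" and "xxobj" are constructed inputs.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Added example (hypothetical, not pdfium's code): the FindTag matching loop
// over an in-memory buffer. `start` plays the role of m_Pos, `limit` keeps the
// original semantics (0 means "no limit"), and the return value is the tag's
// offset relative to `start`, or -1 if the tag is not found.
long find_tag_buggy(const std::string& data, size_t start,
                    const std::string& tag, size_t limit) {
    const size_t taglen = tag.size();
    if (taglen == 0) return 0;
    const size_t end = limit ? start + limit : 0;
    size_t match = 0;
    size_t pos = start;
    while (true) {
        if (pos >= data.size()) return -1;  // GetNextChar() failed
        const unsigned char ch = data[pos++];
        if (ch == static_cast<unsigned char>(tag[match])) {
            if (++match == taglen) return static_cast<long>(pos - start - taglen);
        } else {
            // The bug: on mismatch only the current byte is re-tested against
            // tag[0]; a longer matched run that is also a tag prefix is lost.
            match = (ch == static_cast<unsigned char>(tag[0])) ? 1 : 0;
        }
        if (end && pos == end) return -1;
    }
}

// KMP failure table: fail[i] is the length of the longest proper prefix of
// tag[0..i] that is also a suffix of it (the "self-symmetry" of the tag).
std::vector<size_t> failure_table(const std::string& tag) {
    std::vector<size_t> fail(tag.size(), 0);
    size_t k = 0;
    for (size_t i = 1; i < tag.size(); ++i) {
        while (k > 0 && tag[i] != tag[k]) k = fail[k - 1];
        if (tag[i] == tag[k]) ++k;
        fail[i] = k;
    }
    return fail;
}

// Same loop, but on mismatch `match` falls back through the failure table, so
// every previously matched byte that can still be part of the tag is kept.
long find_tag_fixed(const std::string& data, size_t start,
                    const std::string& tag, size_t limit) {
    const size_t taglen = tag.size();
    if (taglen == 0) return 0;
    const std::vector<size_t> fail = failure_table(tag);
    const size_t end = limit ? start + limit : 0;
    size_t match = 0;
    size_t pos = start;
    while (true) {
        if (pos >= data.size()) return -1;
        const unsigned char ch = data[pos++];
        while (match > 0 && ch != static_cast<unsigned char>(tag[match]))
            match = fail[match - 1];
        if (ch == static_cast<unsigned char>(tag[match])) ++match;
        if (match == taglen) return static_cast<long>(pos - start - taglen);
        if (end && pos == end) return -1;
    }
}

int main() {
    // "0001" occurs in "00001" at offset 1, but the buggy loop reports -1:
    // after matching "000" the fourth '0' resets match to 1, and the final
    // '1' then compares against tag[1] instead of tag[3].
    const long missed = find_tag_buggy("00001", 0, "0001", 0);  // -1
    const long found = find_tag_fixed("00001", 0, "0001", 0);   // 1
    // When the mismatching byte is itself tag[0], the one-byte recovery is
    // enough, which is why "obj"-style tags work: constructed input "oobj".
    const long obj = find_tag_buggy("oobj", 0, "obj", 0);       // 1
    return (missed == -1 && found == 1 && obj == 1) ? 0 : 1;
}
```

The fixed variant keeps the original's return convention and `limit` handling, so it is a drop-in for the loop shown above; the only behavioural change is that a mismatch never discards matched bytes that a restart would have to re-read.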