The problem is the code at or around fpdf_parser_parser.cpp:
while (pos < m_Syntax.m_FileLen) {
    FX_BOOL bOverFlow = FALSE;
    // m_FileLen - pos is a 64-bit difference; the cast to the 32-bit FX_DWORD
    // drops the high bits, so it yields 0 whenever the difference is a
    // multiple of 2^32.
    FX_DWORD size = (FX_DWORD)(m_Syntax.m_FileLen - pos);
    if (size > 4096) {
        size = 4096;
    }
pos and m_Syntax.m_FileLen are 64-bit off_t types, so once pos reaches the
value of the bottom 32 bits of m_Syntax.m_FileLen, we truncate and assign 0 to
|size|. As such, we never advance, and pos will always be less than
m_Syntax.m_FileLen.
Changing |size| to a 64-bit quantity solves the issue, since we bound it in the
next line.
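The stall can be reproduced without a multi-gigabyte PDF by modelling the loop's offset arithmetic alone. The following is an added example, not pdfium's own code: it assumes FX_DWORD is a 32-bit unsigned integer, that the file offset type is a 64-bit signed integer (as off_t is on the affected platforms), and that the real loop advances pos by size after scanning each chunk. scan_truncated reproduces the original cast and reports a stall instead of spinning; scan_fixed widens size as the report suggests.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for pdfium's types (not the project's headers). */
typedef uint32_t FX_DWORD;     /* 32-bit unsigned, the type of |size| */
typedef int64_t  FX_FILESIZE;  /* 64-bit file offset, like off_t */

#define CHUNK   4096
#define STALLED (-1L)

/* Original arithmetic: returns the number of chunks stepped through, or
 * STALLED when the truncated size becomes 0 (pos would never advance). */
long scan_truncated(FX_FILESIZE file_len, FX_FILESIZE pos) {
    long chunks = 0;
    while (pos < file_len) {
        /* 64-bit difference narrowed to 32 bits: the bug under discussion. */
        FX_DWORD size = (FX_DWORD)(file_len - pos);
        if (size > CHUNK) {
            size = CHUNK;
        }
        if (size == 0) {
            return STALLED;  /* the real loop has no such guard and spins forever */
        }
        /* ... scan 'size' bytes starting at 'pos' ... */
        pos += size;  /* assumed: the loop advances by the chunk it consumed */
        chunks++;
    }
    return chunks;
}

/* Fixed arithmetic: |size| keeps the width of its operands, and the clamp on
 * the next line bounds it to CHUNK, so the remainder is never lost. */
long scan_fixed(FX_FILESIZE file_len, FX_FILESIZE pos) {
    long chunks = 0;
    while (pos < file_len) {
        FX_FILESIZE size = file_len - pos;
        if (size > CHUNK) {
            size = CHUNK;
        }
        pos += size;
        chunks++;
    }
    return chunks;
}

int main(void) {
    /* Constructed inputs: a small file and one just over 4 GiB. */
    FX_FILESIZE small = 10000;
    FX_FILESIZE big = ((FX_FILESIZE)1 << 32) + 100;

    printf("small: truncated=%ld fixed=%ld\n",
           scan_truncated(small, 0), scan_fixed(small, 0));
    printf("big:   truncated=%ld fixed=%ld\n",
           scan_truncated(big, 0), scan_fixed(big, 0));
    return 0;
}
```

For the 4 GiB + 100 byte file the first pass computes size = 100 (the low 32 bits of 2^32 + 100), pos becomes 100, and the next difference is exactly 2^32, which truncates to 0: the original loop stops making progress there, while the widened version walks the whole file in 2^20 + 1 chunks.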
Original issue reported on code.google.com by tsepez@chromium.org on 11 Nov 2014 at 10:50