# What steps will reproduce the problem?
1. Load the attached PDF (a.pdf) into Chrome/pdfium binary.
2. Chrome tab will show a crashed pdfium window.
# What is the expected output? What do you see instead?
It shouldn't crash. It should at least show a 'Failed to load PDF document'
screen.
# What version of the product are you using? On what operating system?
Latest version of pdfium from source code and also tested on all Google Chrome
versions.
# Please provide any additional information below.
The given PDF was generated from fuzzing attempts.
The actual crash occurs in CPDF_SyntaxParser::ReadStream in
fpdf_parser_parser.cpp. On the second use of this method, the `len` variable
becomes an incredibly large value (~ 0xffffffffd8aaaaaa) and the FX_Alloc call
on line 2470 tries to allocate this much memory. Obviously it cannot do this
and fails.
`len` is assigned on line 2421 but I cannot find where the actual value comes
from. Digging into GetInteger() reveals a bunch of buffer parsing etc., so I'm
guessing it happens here. During some tests, I noticed that the last half of
the large value (0xd8aaaaaa in the example) would appear halfway through
parsing the values and then reappear later just before crashing.
Original issue reported on code.google.com by thisisda...@gmail.com on 8 Jul 2015 at 9:33
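The value shape in the report (0xffffffffd8aaaaaa, i.e. the 32-bit pattern 0xd8aaaaaa with the upper half all ones) is what a negative 32-bit integer looks like after sign extension into a 64-bit size. The added example below is not pdfium code and makes no claim about where the real defect sits; it is a stand-alone model of a stream reader showing that widening in action, plus the two checks a parser wants before allocating for a stream body: parse the /Length token without wrapping, and reject any length that is negative or larger than the bytes remaining in the file. All function names and the 16-byte sample file are constructed for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not code from pdfium. It models two things a stream parser
// should get right: (1) a /Length token is parsed into a wide signed integer
// without wrapping, and (2) the value is range-checked against the bytes that
// actually remain in the file before any buffer of that size is allocated.

// What an unchecked widening does to a negative 32-bit value: the sign bit is
// extended, so 0xd8aaaaaa becomes 0xffffffffd8aaaaaa as a 64-bit size.
uint64_t widen_unchecked(int32_t len) {
    return static_cast<uint64_t>(static_cast<int64_t>(len));
}

// Parse an optionally signed decimal integer. Returns false on empty input,
// non-digit characters, or overflow of int64_t (instead of silently wrapping).
bool parse_length(const std::string& tok, int64_t* out) {
    size_t i = 0;
    bool neg = false;
    if (i < tok.size() && (tok[i] == '+' || tok[i] == '-')) {
        neg = tok[i] == '-';
        ++i;
    }
    if (i >= tok.size()) return false;
    int64_t v = 0;
    for (; i < tok.size(); ++i) {
        char c = tok[i];
        if (c < '0' || c > '9') return false;
        int d = c - '0';
        if (v > (INT64_MAX - d) / 10) return false;  // v * 10 + d would overflow
        v = v * 10 + d;
    }
    *out = neg ? -v : v;
    return true;
}

// Accept `len` as a stream body size only if it is non-negative and does not
// exceed the bytes remaining after the "stream" keyword.
bool checked_stream_length(int64_t len, size_t remaining, size_t* out) {
    if (len < 0) return false;
    if (static_cast<uint64_t>(len) > remaining) return false;
    *out = static_cast<size_t>(len);
    return true;
}

// Copy a stream body out of `file` starting at `pos`, or refuse. `body` is
// left untouched on refusal, and nothing is allocated for a bad length.
bool read_stream_body(const std::vector<uint8_t>& file, size_t pos,
                      const std::string& length_token,
                      std::vector<uint8_t>* body) {
    if (pos > file.size()) return false;
    int64_t len = 0;
    if (!parse_length(length_token, &len)) return false;
    size_t n = 0;
    if (!checked_stream_length(len, file.size() - pos, &n)) return false;
    body->assign(file.begin() + pos, file.begin() + pos + n);
    return true;
}

// Convenience helpers for checks: does `tok` parse to `expected`, and what
// body size does a constructed 16-byte file yield for a given offset/token
// (-1 when the reader refuses).
bool parses_to(const std::string& tok, int64_t expected) {
    int64_t v = 0;
    return parse_length(tok, &v) && v == expected;
}

long long demo_body_size(size_t pos, const std::string& tok) {
    std::vector<uint8_t> file(16, 0x41);  // constructed sample input, 16 bytes of 'A'
    std::vector<uint8_t> body;
    if (!read_stream_body(file, pos, tok, &body)) return -1;
    return static_cast<long long>(body.size());
}

int main() {
    printf("/Length 8  at offset 4 -> %lld\n", demo_body_size(4, "8"));
    printf("/Length 99 at offset 4 -> %lld\n", demo_body_size(4, "99"));
    printf("/Length -659903830     -> %lld\n", demo_body_size(4, "-659903830"));
    printf("0xd8aaaaaa widened unchecked = 0x%llx\n",
           (unsigned long long)widen_unchecked((int32_t)0xd8aaaaaaU));
    return 0;
}
```

The point of `checked_stream_length` is that the comparison happens before any allocation, and against the real remaining file size rather than against an absolute limit; a length that passes can never request more memory than the input file itself occupies, so a fuzzed /Length turns into a clean parse failure (the "Failed to load PDF document" outcome the report asks for) instead of a crash.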