zhujingguang / pdfium

Automatically exported from code.google.com/p/pdfium
0 stars 0 forks source link

CPDF_SyntaxParser::FindTag() might give wrong result for some input cases. #59

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Found by inspection.  This does not cause a problem in real life, since a code 
search shows that this is only called with args of "obj", "endobj" and 
"endstream", and none of these have the self-symmetry required to trigger the 
issue. 

Consider searching for "0001" against "00001" with:

FX_FILESIZE CPDF_SyntaxParser::FindTag(FX_BSTR tag, FX_FILESIZE limit)
{
    FX_INT32 taglen = tag.GetLength();
    FX_INT32 match = 0;
    limit += m_Pos;
    FX_FILESIZE startpos = m_Pos;
    while (1) {
        FX_BYTE ch;
        if (!GetNextChar(ch)) {
            return -1;
        }
        if (ch == tag[match]) {
            match ++;
            if (match == taglen) {
                return m_Pos - startpos - taglen;
            }
        } else {
            match = ch == tag[0] ? 1 : 0;
        }
        if (limit && m_Pos == limit) {
            return -1;
        }
    }
    return -1;
}

The recovery code at:
  match = ch == tag[0] ? 1 : 0

is going to look for at most one previously-matched character, which is wrong 
for the example above (but covers "endstream" against "endstrendstream"). 

Original issue reported on code.google.com by tsepez@chromium.org on 21 Oct 2014 at 11:20