zhujingguang / pdfium

Automatically exported from code.google.com/p/pdfium
0 stars 0 forks source link

Infinite loop in CPDF_Parser::RebuildCrossRef() for files larger than 4GB. #74

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The problem is the code at or around fpdf_parser_parser.cpp:

    while (pos < m_Syntax.m_FileLen) {
        FX_BOOL bOverFlow = FALSE;
        FX_DWORD size = (FX_DWORD)(m_Syntax.m_FileLen - pos);
        if (size > 4096) {
            size = 4096;
        }

pos and m_Syntax.m_FileLen are 64-bit off_t types, so once pos reaches the 
value of the bottom 32 bits of m_Syntax.m_FileLen, we truncate and assign 0 to 
|size|.  As such, we never advance, and pos will always be less than 
m_Syntax.m_FileLen.

Changing |size| to a 64-bit quantity solves the issue, since we bound it in the 
next line. 

Original issue reported on code.google.com by tsepez@chromium.org on 11 Nov 2014 at 10:50