From 4b1a72ff7a0d8517225bd59f970e119cc43bc7f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20Offenh=C3=A4user?=
Date: Thu, 10 Nov 2022 23:03:33 +0100
Subject: LibPDF: Fix loop condition in parse_xref_stream()

We previously compared two unrelated values to determine if we parsed the xref table to completion. We now check if we added every subsection instead, and double check to make sure we never read past the end.
---
 Userland/Libraries/LibPDF/DocumentParser.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'Userland/Libraries')

diff --git a/Userland/Libraries/LibPDF/DocumentParser.cpp b/Userland/Libraries/LibPDF/DocumentParser.cpp
index 3c7598be0b..3b40fd1eb4 100644
--- a/Userland/Libraries/LibPDF/DocumentParser.cpp
+++ b/Userland/Libraries/LibPDF/DocumentParser.cpp
@@ -328,10 +328,14 @@ PDFErrorOr> DocumentParser::parse_xref_stream()
     Vector entries;
-    for (int entry_index = 0; entry_index < highest_object_number; ++entry_index) {
+    for (int entry_index = 0; subsection_index < subsections.size(); ++entry_index) {
         Array fields;
         for (size_t field_index = 0; field_index < 3; ++field_index) {
             auto field_size = field_sizes->at(field_index).get_u32();
+
+            if (byte_index + field_size > stream->bytes().size())
+                return error("The xref stream data cut off early");
+
             auto field = stream->bytes().slice(byte_index, field_size);
             fields[field_index] = field_to_long(field);
             byte_index += field_size;
@@ -343,9 +347,6 @@ PDFErrorOr> DocumentParser::parse_xref_stream()
         entries.append({ fields[1], static_cast(fields[2]), type != 0, type == 2 });
-        if (subsection_index >= subsections.size())
-            break;
-
         auto subsection = subsections[subsection_index];
         if (entry_index >= subsection.get<1>()) {
             table->add_section({ subsection.get<0>(), subsection.get<1>(), entries });
--
cgit v1.2.3
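Review bot: The new `for` header in the first hunk tests `subsection_index` but only advances `entry_index`, so termination now depends entirely on the section-completion branch at the bottom of the body (the `table->add_section` path in the second hunk, whose continuation is outside the hunk) advancing `subsection_index`; from the loop line alone a reader cannot see when the loop ends, and if that branch is ever skipped the only remaining exit is the new "cut off early" error. A `while (subsection_index < subsections.size())` with `++entry_index` in the body, or a comment on the `for` line such as `// terminates when the last /Index subsection is added below`, would make the invariant explicit. The added `byte_index + field_size > stream->bytes().size()` guard does bound the slice, but `field_size` (from the file's /W array) and the per-section count `subsection.get<1>()` (from /Index) are still used as-is; if `field_to_long` cannot accept arbitrarily wide fields — it is not visible here — a width check next to the new guard, e.g. `if (field_size > sizeof(long)) return error("Unsupported xref field width");`, would close that gap, and a zero or negative section count would cause the first parsed entry to be attributed to that section immediately. Whether `subsection_index` is signed is not visible either; if it is an `int`, the new `subsection_index < subsections.size()` comparison mixes signedness like the removed check did. parse_xref_stream() begins and ends outside both hunks.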