
Fix buffer overrun in PDF accessibility code.

GetTextRunInfo scans until it finds the start of the next text run,
then increments the character index by 1 in order to scan to the end of
the text run. That was resulting in a buffer overrun if the first scan
reached the end of the array of characters without finding a non-whitespace
character. Fix it by ensuring we never increment past the char count.

BUG=668724

Review-Url: https://codereview.chromium.org/2650513002
Cr-Commit-Position: refs/heads/master@{#447344}
dmazzoni
2017-01-31 14:12:33 -08:00
committed by Commit bot
parent 2ed48364ed
commit e4e4b01400
2 changed files with 17 additions and 1 deletions
chrome/browser/pdf
pdf/pdfium

@ -742,6 +742,21 @@ IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityInOOPIF) {
ASSERT_MULTILINE_STREQ(kExpectedPDFAXTree, ax_tree_dump);
}
#if defined(GOOGLE_CHROME_BUILD)
// Test a particular PDF encountered in the wild that triggered a crash
// when accessibility is enabled. (http://crbug.com/668724)
IN_PROC_BROWSER_TEST_F(PDFExtensionTest, PdfAccessibilityTextRunCrash) {
content::BrowserAccessibilityState::GetInstance()->EnableAccessibility();
GURL test_pdf_url(embedded_test_server()->GetURL(
"/pdf_private/accessibility_crash_2.pdf"));
content::WebContents* guest_contents = LoadPdfGetGuestContents(test_pdf_url);
ASSERT_TRUE(guest_contents);
WaitForAccessibilityTreeToContainNodeWithName(guest_contents, "Page 1");
}
#endif
IN_PROC_BROWSER_TEST_F(PDFExtensionTest, LinkCtrlLeftClick) {
host_resolver()->AddRule("www.example.com", "127.0.0.1");
GURL test_pdf_url(embedded_test_server()->GetURL("/pdf/test-link.pdf"));
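Review bot: The regression test PdfAccessibilityTextRunCrash is compiled only under GOOGLE_CHROME_BUILD because its input comes from /pdf_private/, so Chromium-only builds get no automated coverage of the overrun fix in PDFiumPage::GetTextRunInfo. Going by the commit description the trigger is a page whose remaining characters are all whitespace, which looks reproducible with a small synthetic PDF under the public /pdf/ test data, letting the test run without the #if guard. The comment above the test could also state that condition rather than only the bug id, e.g. `// Regression test: a page whose text ends in whitespace made the text run scan step past chars_count (http://crbug.com/668724).` Since the only check is WaitForAccessibilityTreeToContainNodeWithName, a regression would presumably surface as a plugin crash and a test timeout rather than a failed assertion, which is worth a sentence in that comment so a hang is read correctly.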

@ -180,7 +180,8 @@ void PDFiumPage::GetTextRunInfo(int start_char_index,
int text_run_font_size = FPDFText_GetFontSize(text_page, char_index);
pp::FloatRect text_run_bounds =
GetFloatCharRectInPixels(page, text_page, char_index);
char_index++;
if (char_index < chars_count)
char_index++;
while (char_index < chars_count) {
unsigned int character = FPDFText_GetUnicode(text_page, char_index);