author | Lei Zhang <thestig@chromium.org> | 2022-07-12 18:52:14 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-08-08 15:23:57 +0000 |
commit | cd5579cf75189d03f6acb7dcbcdd13766dfe1259 (patch) | |
tree | 7a846f8c6d6a1ab5ce6b599eb501f92faaa96d4e | |
parent | 232367711b07476515a3a58c869b2f31046c93a1 (diff) | |
download | qtwebengine-chromium-cd5579cf75189d03f6acb7dcbcdd13766dfe1259.tar.gz |
[Backport] CVE-2022-2624: Heap buffer overflow in PDF
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3758626:
M104: Better define "first result" in PDFiumEngine::AddFindResult().
Currently, changing the PDF layout confuses AddFindResult() and causes
it to fail a DCHECK(). Adjust AddFindResult() to avoid the failing
DCHECK().
This is a cherry-pick of https://crrev.com/1021389 without the test
changes.
Bug: 1339745
Change-Id: I25c2b6b436700f9aeca4924fef662ad2909f0a8c
Reviewed-by: K. Moon <kmoon@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#820}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/pdf/pdfium/pdfium_engine.cc | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/chromium/pdf/pdfium/pdfium_engine.cc b/chromium/pdf/pdfium/pdfium_engine.cc index 2b128d8fdde..01ca8304172 100644 --- a/chromium/pdf/pdfium/pdfium_engine.cc +++ b/chromium/pdf/pdfium/pdfium_engine.cc @@ -1980,7 +1980,7 @@ void PDFiumEngine::SearchUsingICU(const std::u16string& term, } void PDFiumEngine::AddFindResult(const PDFiumRange& result) { - bool first_result = find_results_.empty(); + bool first_result = find_results_.empty() && !resume_find_index_.has_value(); // Figure out where to insert the new location, since we could have // started searching midway and now we wrapped. size_t result_index; @@ -1997,7 +1997,6 @@ void PDFiumEngine::AddFindResult(const PDFiumRange& result) { UpdateTickMarks(); client_->NotifyNumberOfFindResultsChanged(find_results_.size(), false); if (first_result) { - DCHECK(!resume_find_index_); DCHECK(!current_find_index_); SelectFindResult(/*forward=*/true); } |
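Review bot: In the first hunk (`bool first_result = find_results_.empty() && !resume_find_index_.has_value();`), the new condition changes what "first result" means but leaves the existing comment ("Figure out where to insert the new location, since we could have started searching midway and now we wrapped") as the only explanation, and it does not say why an empty `find_results_` is no longer sufficient. Please add a short comment above the assignment stating the intent, e.g. "A search resumed from resume_find_index_ is a continuation of an earlier search, so its first added result must not trigger SelectFindResult() even though find_results_ is empty." Note also that this line is the actual behavioural fix: the `DCHECK(!resume_find_index_)` removed further down is compiled out in release builds, so before this change a resumed search with an empty `find_results_` would have fallen straight through to `SelectFindResult(/*forward=*/true)` with `resume_find_index_` still set, which the DCHECK was meant to rule out; gating `first_result` is what prevents that on release builds, so the comment should make clear this is not merely silencing a debug assertion.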
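Review bot: In the second hunk, dropping `DCHECK(!resume_find_index_)` is consistent with the new definition of `first_result` (the condition can no longer be true while `resume_find_index_` holds a value), but the remaining `DCHECK(!current_find_index_)` is now the only invariant checked on the "first result" path, and the relationship between `resume_find_index_` and `current_find_index_` on a resumed search is not visible here. Since the commit message says this backport omits the test changes from https://crrev.com/1021389, there is no regression coverage for the layout-change-during-find scenario in this tree; please either cherry-pick the test or note in the commit message why it was left out, so a later refactor of `AddFindResult()` does not silently reintroduce the case the DCHECK used to catch.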