authorRobin Watts <robin.watts@artifex.com>2013-01-04 16:19:02 +0000
committerRobin Watts <robin.watts@artifex.com>2013-01-11 15:34:07 +0000
commit5ee271fd9c8b51b65d3e62a1eb47971adc090328 (patch)
tree39fed8e4e3fbd10b5c13b6549e76ad844b7eab42
parent575d606b8ee1b1cac02be42ba237f1f959d419d8 (diff)
downloadmupdf-5ee271fd9c8b51b65d3e62a1eb47971adc090328.tar.xz
Bug 693503: Fix NULL dereference in atoi.
If a PDF xref subsection is broken in the wrong place, we can get NULL back from fz_strsep, which causes a SEGV when fed to atoi. Add a new fz_atoi that copes with NULL to avoid this. Problem found in a test file, 3959.pdf.SIGSEGV.ad4.3289 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
-rw-r--r--fitz/base_string.c7
-rw-r--r--fitz/fitz-internal.h3
-rw-r--r--pdf/pdf_xref.c6
3 files changed, 13 insertions, 3 deletions
diff --git a/fitz/base_string.c b/fitz/base_string.c
index fbb1cf4d..7385b500 100644
--- a/fitz/base_string.c
+++ b/fitz/base_string.c
@@ -255,3 +255,10 @@ float fz_atof(const char *s)
d = fz_clampd(d, -FLT_MAX, FLT_MAX);
return (float)d;
}
+
+int fz_atoi(const char *s)
+{
+ if (s == NULL)
+ return 0;
+ return atoi(s);
+}
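Review bot: The new fz_atoi guards the NULL case but still delegates to atoi, whose behaviour is undefined when the digits exceed the range of int, and the callers in pdf_xref.c feed it offsets and lengths read straight from the file. The fz_atof directly above is explicitly range-checked (it clamps through fz_clampd), so an integer counterpart that parses with strtol and clamps to the int range would make the two helpers consistent and remove the overflow case; strtol returns LONG_MIN/LONG_MAX on ERANGE, so the clamp covers that too. This needs INT_MIN/INT_MAX, so `<limits.h>` must be included in base_string.c if it is not already (the include list is outside the hunk). Parsing of in-range input is unchanged from atoi.
```c
int fz_atoi(const char *s)
{
	long v;

	if (s == NULL)
		return 0;
	/* strtol reports overflow (ERANGE, saturated result) instead of the
	 * undefined behaviour atoi has on out-of-range input; clamp to int. */
	v = strtol(s, NULL, 10);
	if (v > INT_MAX)
		return INT_MAX;
	if (v < INT_MIN)
		return INT_MIN;
	return (int)v;
}
```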
diff --git a/fitz/fitz-internal.h b/fitz/fitz-internal.h
index 58b77c94..e853188d 100644
--- a/fitz/fitz-internal.h
+++ b/fitz/fitz-internal.h
@@ -247,6 +247,9 @@ static inline float my_atan2f(float o, float a)
/* Range checking atof */
float fz_atof(const char *s);
+/* atoi that copes with NULL */
+int fz_atoi(const char *s);
+
/*
* Generic hash-table with fixed-length keys.
*/
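Review bot: The comment on the new fz_atoi declaration says that NULL is tolerated but not what it yields, and the callers in pdf_xref.c use the result directly as an xref offset or entry count, so the contract is worth stating at the declaration. Suggest `/* atoi that returns 0 for NULL (and, like atoi, for input with no leading digits) */` so a reader does not have to open base_string.c to learn that a missing field silently becomes 0.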
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 6b5570f9..0e954c30 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -87,7 +87,7 @@ pdf_read_old_trailer(pdf_document *xref, pdf_lexbuf *buf)
fz_strsep(&s, " "); /* ignore ofs */
if (!s)
fz_throw(xref->ctx, "invalid range marker in xref");
- len = atoi(fz_strsep(&s, " "));
+ len = fz_atoi(fz_strsep(&s, " "));
/* broken pdfs where the section is not on a separate line */
if (s && *s != '\0')
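Review bot: After the switch to fz_atoi, `len` (and `ofs` and `len` in the second hunk at line 210 of pdf_read_old_xref) can still come back as 0 or negative for a malformed subsection header such as a missing or non-numeric field, and nothing in either hunk rejects that. If no range check follows further down (the rest of both functions is outside the hunks), a guard such as `if (ofs < 0 || len < 0) fz_throw(xref->ctx, "invalid xref section");` placed right after the parse would turn a bad header into the same clean error the NULL case now gets, rather than letting a negative count or offset reach the xref loading code.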
@@ -210,8 +210,8 @@ pdf_read_old_xref(pdf_document *xref, pdf_lexbuf *buf)
fz_read_line(xref->file, buf->scratch, buf->size);
s = buf->scratch;
- ofs = atoi(fz_strsep(&s, " "));
- len = atoi(fz_strsep(&s, " "));
+ ofs = fz_atoi(fz_strsep(&s, " "));
+ len = fz_atoi(fz_strsep(&s, " "));
/* broken pdfs where the section is not on a separate line */
if (s && *s != '\0')