authorRobin Watts <robin.watts@artifex.com>2013-11-28 00:37:10 +0000
committerRobin Watts <robin.watts@artifex.com>2013-11-28 00:41:08 +0000
commit9c910781c2dd9b7b49fedefc9f140d0c3b1a3896 (patch)
tree2264740e62dc09045751109eeead791c3bd2538f
parent16158407233ab95669dcf54725a628315522c905 (diff)
downloadmupdf-9c910781c2dd9b7b49fedefc9f140d0c3b1a3896.tar.xz
Bug 694127: Valgrind fix for pdf_decode_cmap
A poorly formed string can cause us to overrun the end of the buffer. Now we check the end of the string at each stage to avoid this.
-rw-r--r--include/mupdf/pdf/cmap.h2
-rw-r--r--source/pdf/pdf-cmap.c8
-rw-r--r--source/pdf/pdf-interpret.c2
3 files changed, 8 insertions, 4 deletions
diff --git a/include/mupdf/pdf/cmap.h b/include/mupdf/pdf/cmap.h
index faa4a42c..590e4efa 100644
--- a/include/mupdf/pdf/cmap.h
+++ b/include/mupdf/pdf/cmap.h
@@ -63,7 +63,7 @@ void pdf_sort_cmap(fz_context *ctx, pdf_cmap *cmap);
int pdf_lookup_cmap(pdf_cmap *cmap, int cpt);
int pdf_lookup_cmap_full(pdf_cmap *cmap, int cpt, int *out);
-int pdf_decode_cmap(pdf_cmap *cmap, unsigned char *s, int *cpt);
+int pdf_decode_cmap(pdf_cmap *cmap, unsigned char *s, unsigned char *e, int *cpt);
pdf_cmap *pdf_new_identity_cmap(fz_context *ctx, int wmode, int bytes);
pdf_cmap *pdf_load_cmap(fz_context *ctx, fz_stream *file);
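Review bot: The new prototype does not say what `e` means, and its parameter names (`s`, `e`) differ from the definition in pdf-cmap.c (`buf`, `end`), so a reader of the header alone cannot tell whether `e` is the last byte or one past it. The call site changed in pdf-interpret.c compares with `buf < end`, which suggests an exclusive end. A comment above the declaration such as `/* e points one past the last readable byte of s; no byte at or beyond e is read */` would pin that down. Both pointers are only read in the visible part of the definition, so `const unsigned char *` may also be worth considering if the rest of the body allows it.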
diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c
index c006c6bb..a1f0b0b0 100644
--- a/source/pdf/pdf-cmap.c
+++ b/source/pdf/pdf-cmap.c
@@ -492,12 +492,16 @@ pdf_lookup_cmap_full(pdf_cmap *cmap, int cpt, int *out)
* multi-byte encoded string.
*/
int
-pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, int *cpt)
+pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, unsigned char *end, int *cpt)
{
int k, n, c;
+ int len = end - buf;
+
+ if (len > 4)
+ len = 4;
c = 0;
- for (n = 0; n < 4; n++)
+ for (n = 0; n < len; n++)
{
c = (c << 8) | buf[n];
for (k = 0; k < cmap->codespace_len; k++)
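Review bot: `int len = end - buf;` narrows the pointer difference to `int` before the clamp to 4, so the clamp works on an already-converted value; clamping in the wider type, `ptrdiff_t len = end - buf; if (len > 4) len = 4;`, avoids that conversion. When `end <= buf` the loop is skipped entirely and the result comes from the code after the loop, which lies outside this hunk. An explicit early branch, or a comment stating that callers must pass `buf < end`, would make that contract visible. The unchanged line `c = (c << 8) | buf[n];` still shifts a signed `int` on the fourth byte, which overflows when the first byte is 0x80 or above; declaring `c` as `unsigned int` would remove that, assuming the range comparisons further down tolerate it.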
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c
index bfdf77ab..71dcbd4e 100644
--- a/source/pdf/pdf-interpret.c
+++ b/source/pdf/pdf-interpret.c
@@ -946,7 +946,7 @@ pdf_show_string(pdf_csi *csi, unsigned char *buf, int len)
while (buf < end)
{
- int w = pdf_decode_cmap(fontdesc->encoding, buf, &cpt);
+ int w = pdf_decode_cmap(fontdesc->encoding, buf, end, &cpt);
buf += w;
cid = pdf_lookup_cmap(fontdesc->encoding, cpt);
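Review bot: `buf += w;` advances by whatever width pdf_decode_cmap returns, and nothing here checks that `w` is at least 1 and no more than `end - buf`. The `while (buf < end)` guard stops the loop on an overshoot, but a return of 0 would leave `buf` unchanged and the loop would not terminate; whether that can happen depends on the callee's fall-through return, which this diff does not show. A guard such as `if (w < 1 || w > end - buf) break;` directly after the call would keep the loop bounded whatever the decoder does with a malformed string. pdf_show_string starts and ends outside the hunk.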