authorTor Andersson <tor.andersson@artifex.com>2016-12-28 13:20:16 +0100
committerTor Andersson <tor.andersson@artifex.com>2017-01-09 13:21:40 +0100
commit7a439812b2226c1e3b203ec603f05b39d159f91e (patch)
tree527c9875c6befd905ffba752079c51c0799a8d7a
parentbbcc85a9f746c161b2e23c6057e69ec7b967252b (diff)
downloadmupdf-7a439812b2226c1e3b203ec603f05b39d159f91e.tar.xz
Fix potential buffer overrun when decoding UTF-16 in XML parser.
-rw-r--r--include/mupdf/fitz/string.h5
-rw-r--r--source/fitz/xml.c4
2 files changed, 7 insertions, 2 deletions
diff --git a/include/mupdf/fitz/string.h b/include/mupdf/fitz/string.h
index 358701d1..c9c20c3d 100644
--- a/include/mupdf/fitz/string.h
+++ b/include/mupdf/fitz/string.h
@@ -80,6 +80,11 @@ void fz_format_output_path(fz_context *ctx, char *path, size_t size, const char
char *fz_cleanname(char *name);
/*
+ FZ_UTFMAX: Maximum number of bytes in a decoded rune (maximum length returned by fz_chartorune).
+*/
+enum { FZ_UTFMAX = 4 };
+
+/*
fz_chartorune: UTF8 decode a single rune from a sequence of chars.
rune: Pointer to an int to assign the decoded 'rune' to.
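Review bot: The new comment defines FZ_UTFMAX only in terms of fz_chartorune, but the guarantee the new callers depend on (the `n * FZ_UTFMAX` allocation bound in xml.c in this same commit) is that fz_runetochar never writes more than FZ_UTFMAX bytes, and that is the property a reader of this header will look for. I would state both directions, e.g. `FZ_UTFMAX: Maximum number of bytes in the UTF-8 encoding of a single rune; fz_runetochar writes at most this many bytes and fz_chartorune consumes at most this many.` The comment is also a good place to say the value is a size bound for callers allocating output buffers, since that is how it is now used.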
diff --git a/source/fitz/xml.c b/source/fitz/xml.c
index 47b9461b..d063ee33 100644
--- a/source/fitz/xml.c
+++ b/source/fitz/xml.c
@@ -593,7 +593,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
if (s[0] == 0xFE && s[1] == 0xFF) {
s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
while (s + 1 < e) {
c = s[0] << 8 | s[1];
d += fz_runetochar(d, c);
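Review bot: Each 16-bit code unit from `c = s[0] << 8 | s[1]` is handed straight to fz_runetochar, so a UTF-16 surrogate pair (a unit in 0xD800–0xDBFF followed by one in 0xDC00–0xDFFF) is never combined into a single code point; what lands in the buffer for those units depends on how fz_runetochar treats the surrogate range, which is not visible here, but it cannot be the 4-byte UTF-8 sequence of the intended supplementary character. Combining a valid pair before encoding stays within the new `n * FZ_UTFMAX` bound (four input bytes yield at most four output bytes) and avoids emitting encoded surrogates that strict UTF-8 consumers reject; an unpaired surrogate can keep falling through to the existing per-unit path. The little-endian branch below needs the same treatment with the byte order swapped. This assumes the loop advances s by 2 per unit after the encode, as the `s + 1 < e` condition suggests; the loop body and convert_to_utf8 continue past the end of the hunk.
```c
		while (s + 1 < e) {
			c = s[0] << 8 | s[1];
			/* Fold a high surrogate and a following low surrogate into one code point. */
			if (c >= 0xD800 && c <= 0xDBFF && s + 3 < e) {
				int lo = s[2] << 8 | s[3];
				if (lo >= 0xDC00 && lo <= 0xDFFF) {
					c = 0x10000 + ((c - 0xD800) << 10) + (lo - 0xDC00);
					s += 2; /* consume the low unit; the loop's own advance consumes the high one */
				}
			}
			d += fz_runetochar(d, c);
			/* … unchanged: advance s by 2 and rest of loop … */
```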
@@ -606,7 +606,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
if (s[0] == 0xFF && s[1] == 0xFE) {
s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
while (s + 1 < e) {
c = s[0] | s[1] << 8;
d += fz_runetochar(d, c);
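Review bot: `fz_malloc(doc, n * FZ_UTFMAX)` multiplies an input length by 4 with no overflow check, so if n can approach SIZE_MAX / 4 on a 32-bit build (how n is bounded by the caller is not visible here, and XML blobs are typically attacker-supplied), the product wraps to a small allocation and the loop below writes past it — the same class of bug this commit is fixing. Using the codebase's count/size allocator if one exists, `dst = d = fz_malloc_array(doc, n, FZ_UTFMAX);` or equivalent, or rejecting `n > SIZE_MAX / FZ_UTFMAX` before allocating, closes that gap; the big-endian branch above has the identical pattern. The loop body and convert_to_utf8 continue past the end of the hunk.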