Detect flate/runlength decompression bombs.

author: Tor Andersson <tor@ghostscript.com> 2010-11-12 12:58:22 +0000
committer: Tor Andersson <tor@ghostscript.com> 2010-11-12 12:58:22 +0000
commit: 3a5813b32f917c7668d663fd5cb7538251a23301 (patch)
tree: 1892f1ed94e2b9bae930a1e9b39b71b8e8439317
parent: 638f0fcd7638abfdd9275b3eccf84ededb971ce5 (diff)
download: mupdf-3a5813b32f917c7668d663fd5cb7538251a23301.tar.xz
2 files changed, 5 insertions, 0 deletions
diff --git a/fitz/stm_read.c b/fitz/stm_read.c
index 28a92f22..94b6d709 100644
--- a/fitz/stm_read.c
+++ b/fitz/stm_read.c
@@ -70,6 +70,9 @@ fz_readall(fz_buffer **bufp, fz_stream *stm, int initial)
 		if (buf->len == buf->cap)
 			fz_growbuffer(buf);
 
+		if (buf->len > initial * 100)
+			return fz_throw("compression bomb detected");
+
 		n = fz_read(stm, buf->data + buf->len, buf->cap - buf->len);
 		if (n < 0)
 		{
diff --git a/mupdf/pdf_stream.c b/mupdf/pdf_stream.c
index ff53f753..cae95a89 100644
--- a/mupdf/pdf_stream.c
+++ b/mupdf/pdf_stream.c
@@ -350,6 +350,8 @@ pdf_guessfilterlength(int len, char *filter)
 		return len * 4 / 5;
 	if (!strcmp(filter, "FlateDecode"))
 		return len * 3;
+	if (!strcmp(filter, "RunLengthDecode"))
+		return len * 3;
 	if (!strcmp(filter, "LZWDecode"))
 		return len * 2;
 	return len;
author	Tor Andersson <tor@ghostscript.com>	2010-11-12 12:58:22 +0000
committer	Tor Andersson <tor@ghostscript.com>	2010-11-12 12:58:22 +0000
commit	3a5813b32f917c7668d663fd5cb7538251a23301 (patch)
tree	1892f1ed94e2b9bae930a1e9b39b71b8e8439317
parent	638f0fcd7638abfdd9275b3eccf84ededb971ce5 (diff)
download	mupdf-3a5813b32f917c7668d663fd5cb7538251a23301.tar.xz