diff options
author | Tor Andersson <tor@ghostscript.com> | 2010-11-12 12:58:22 +0000 |
---|---|---|
committer | Tor Andersson <tor@ghostscript.com> | 2010-11-12 12:58:22 +0000 |
commit | 3a5813b32f917c7668d663fd5cb7538251a23301 (patch) | |
tree | 1892f1ed94e2b9bae930a1e9b39b71b8e8439317 | |
parent | 638f0fcd7638abfdd9275b3eccf84ededb971ce5 (diff) | |
download | mupdf-3a5813b32f917c7668d663fd5cb7538251a23301.tar.xz |
Detect flate/runlength decompression bombs.
-rw-r--r-- | fitz/stm_read.c | 3 | ||||
-rw-r--r-- | mupdf/pdf_stream.c | 2 |
2 files changed, 5 insertions, 0 deletions
diff --git a/fitz/stm_read.c b/fitz/stm_read.c index 28a92f22..94b6d709 100644 --- a/fitz/stm_read.c +++ b/fitz/stm_read.c @@ -70,6 +70,9 @@ fz_readall(fz_buffer **bufp, fz_stream *stm, int initial) if (buf->len == buf->cap) fz_growbuffer(buf); + if (buf->len > initial * 100) + return fz_throw("compression bomb detected"); + n = fz_read(stm, buf->data + buf->len, buf->cap - buf->len); if (n < 0) { diff --git a/mupdf/pdf_stream.c b/mupdf/pdf_stream.c index ff53f753..cae95a89 100644 --- a/mupdf/pdf_stream.c +++ b/mupdf/pdf_stream.c @@ -350,6 +350,8 @@ pdf_guessfilterlength(int len, char *filter) return len * 4 / 5; if (!strcmp(filter, "FlateDecode")) return len * 3; + if (!strcmp(filter, "RunLengthDecode")) + return len * 3; if (!strcmp(filter, "LZWDecode")) return len * 2; return len; |