authorRobin Watts <robin.watts@artifex.com>2012-12-14 14:39:10 +0000
committerRobin Watts <robin.watts@artifex.com>2012-12-14 14:45:30 +0000
commite5b92e02f0ffa72473d4324dbfc0aae50a064eb1 (patch)
tree5a39c73b321d8ee7495b92f0ed1fafc7d7e11c6c
parent25ee437eb784a8eb241b9463e79dad429b60e933 (diff)
downloadmupdf-e5b92e02f0ffa72473d4324dbfc0aae50a064eb1.tar.xz
Bug 693503: Fix out of bounds memory access.
We failed to detect a PDF sample function with a size of 0 as being illegal. This led us to continue through the code, and then access out of bounds. Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
-rw-r--r--pdf/pdf_function.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/pdf/pdf_function.c b/pdf/pdf_function.c
index c9bbc5b5..781f1361 100644
--- a/pdf/pdf_function.c
+++ b/pdf/pdf_function.c
@@ -932,9 +932,9 @@ load_sample_func(pdf_function *func, pdf_document *xref, pdf_obj *dict, int num,
for (i = 0; i < func->m; i++)
{
func->u.sa.size[i] = pdf_to_int(pdf_array_get(obj, i));
- if (func->u.sa.size[i] < 0)
+ if (func->u.sa.size[i] <= 0)
{
- fz_warn(ctx, "negative sample function dimension size");
+ fz_warn(ctx, "non-positive sample function dimension size");
func->u.sa.size[i] = 1;
}
}
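Review bot: The new `<= 0` test bounds each `func->u.sa.size[i]` only from below, so an arbitrarily large dimension read from the file by `pdf_to_int(pdf_array_get(obj, i))` is still accepted. If these sizes are later multiplied together to derive a sample count or buffer length (that code is outside this hunk, so this is an assumption to confirm), the product could overflow an `int` and bring back an out-of-bounds access of the same class. Consider rejecting oversized entries here as well, e.g. `if (func->u.sa.size[i] <= 0 || func->u.sa.size[i] > MAX_SAMPLE_DIM)` with `MAX_SAMPLE_DIM` as a placeholder for a project-chosen limit, or checking the multiplication for overflow where the product is computed. A short comment above the loop such as `/* Size entries come from the file and are untrusted; each must be >= 1. */` would record why the clamp exists. The body of `load_sample_func` starts and ends outside the hunk.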