authorRobin Watts <robin.watts@artifex.com>2012-12-14 15:26:30 +0000
committerRobin Watts <robin.watts@artifex.com>2012-12-14 15:28:33 +0000
commit56e922cc6655398689202c23fecb5cfafbe3a905 (patch)
tree8e6f995dae3fc740dcf60390f9894e717a5933e0 /fitz/filt_faxd.c
parente5b92e02f0ffa72473d4324dbfc0aae50a064eb1 (diff)
Bug 693503: Fix out of bounds memory access (fax decoder)
With illegal fax streams we could access beyond the right hand edge of the allocated line. Fix this by adding some simple checks. Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'fitz/filt_faxd.c')
-rw-r--r--fitz/filt_faxd.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/fitz/filt_faxd.c b/fitz/filt_faxd.c
index 421f4d5c..d5d636f6 100644
--- a/fitz/filt_faxd.c
+++ b/fitz/filt_faxd.c
@@ -248,7 +248,7 @@ nearend:
static inline int
find_changing_color(const unsigned char *line, int x, int w, int color)
{
- if (!line)
+ if (!line || x >= w)
return w;
x = find_changing(line, (x > 0 || !color) ? x : -1, w);
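Review bot: The new `x >= w` test in find_changing_color carries no comment explaining how a start position at or past the line width can arise, and it turns a malformed stream into a silent "no further change" result instead of an error. A one-line comment above the guard would record the intent, for example `/* malformed streams can leave x at or beyond w; nothing left to scan */`. If the decoder has an error path for corrupt data, it may be worth checking whether the caller should report this condition there; that code is not visible in this hunk. The rest of the function body also continues outside the hunk.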
@@ -271,6 +271,9 @@ static inline void setbits(unsigned char *line, int x0, int x1)
{
int a0, a1, b0, b1, a;
+ if (x1 <= x0)
+ return;
+
a0 = x0 >> 3;
a1 = x1 >> 3;
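Review bot: The added `if (x1 <= x0) return;` rejects empty and inverted ranges, but nothing in setbits bounds x1 against the line width or x0 against zero. The function takes no width argument, so it cannot check this itself, and an x1 beyond the allocated line would still index past it through `a1 = x1 >> 3`. Whether every caller clamps to the column count before calling is not visible here, so please confirm that they do. Either way, the precondition should be stated above the function, for example `/* caller guarantees 0 <= x0 and x1 <= line width in bits */`. The body of setbits continues outside the hunk.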