authorRobin Watts <robin.watts@artifex.com>2012-11-29 16:46:09 +0000
committerRobin Watts <robin.watts@artifex.com>2012-11-30 11:58:54 +0000
commita6b0a8273f2eb15fd5924501b6ad03e30f2c8d0a (patch)
tree9e9e7a38574202b8be01805806086cff0b6dab61 /fitz/filt_lzwd.c
parent6c0e38f0e19ef50a7951f082981fabd49f4bee9f (diff)
Bug 693290: Various fixes found from fuzzing.
Thanks to zeniko for finding various problems and submitting a patch that fixes them. This commit covers the simpler issues from his patch; other commits will follow shortly.

* Out of range LZW codes.
* Buffer overflows and error handling in image_jpeg.c
* Buffer overflows in tiff handling.
* Buffer overflows in cmap parsing.
* Potential double free in font handling.
* Buffer overflow in pdf_form.c
* Use of uninitialised value in error case in pdf_image.c
* NULL pointer dereference in xps_outline.c
Diffstat (limited to 'fitz/filt_lzwd.c')
-rw-r--r--fitz/filt_lzwd.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/fitz/filt_lzwd.c b/fitz/filt_lzwd.c
index b1aa4421..7b65fa28 100644
--- a/fitz/filt_lzwd.c
+++ b/fitz/filt_lzwd.c
@@ -99,6 +99,10 @@ read_lzwd(fz_stream *stm, unsigned char *buf, int len)
{
old_code = code;
}
+ else if (code > next_code || next_code >= NUM_CODES)
+ {
+ fz_warn(stm->ctx, "out of range code encountered in lzw decode");
+ }
else
{
/* add new entry to the code table */
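Review bot: The added `else if (code > next_code || next_code >= NUM_CODES)` branch only calls `fz_warn` and then leaves the chain, so the offending `code` is neither rejected nor replaced, and `old_code` is not updated. If the code after this if/else chain (outside the hunk) looks up `table[code]` to produce output, an out-of-range code would still be decoded from an entry this stream never filled in; this needs checking against the full body of read_lzwd, which starts before and continues past the hunk. If callers of this filter tolerate it, consider stopping the decode here, for example with `fz_throw(stm->ctx, "out of range code encountered in lzw decode");` or by treating the condition as end of data. A short comment would also help, such as `/* a valid code is at most next_code (the KwKwK case); once the table is full no entry can be added */`.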