Add upper bound on size of sampled pdf functions

Previously sampled pdf functions having an overflow in the number of samples were never caught until the memory allocator was triggered. Now there is an upper bound of 100Mbyte (the same as for fz_read_all()).
author: Sebastian Rasmussen <sebras@gmail.com> 2012-07-20 02:30:42 +0200
committer: Tor Andersson <tor.andersson@artifex.com> 2012-07-24 11:29:35 +0200
commit: 09241153b143eb35eb59c618759c5db9d114ebd1 (patch)
tree: 5b9f85b4a5fe633b295a838e17ce4d997c03a7c3 /pdf/pdf_function.c
parent: bbd633a8819f4494e2b4fb10f177fc91bbf38e52 (diff)
download: mupdf-09241153b143eb35eb59c618759c5db9d114ebd1.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_function.c b/pdf/pdf_function.c
index 4825afd4..09002ad0 100644
--- a/pdf/pdf_function.c
+++ b/pdf/pdf_function.c
@@ -916,6 +916,8 @@ eval_postscript_func(fz_context *ctx, pdf_function *func, float *in, float *out)
  * Sample function
  */
 
+#define MAX_SAMPLE_FUNCTION_SIZE (100 << 20)
+
 static void
 load_sample_func(pdf_function *func, pdf_document *xref, pdf_obj *dict, int num, int gen)
 {
@@ -981,6 +983,9 @@ load_sample_func(pdf_function *func, pdf_document *xref, pdf_obj *dict, int num,
 	for (i = 0, samplecount = func->n; i < func->m; i++)
 		samplecount *= func->u.sa.size[i];
 
+	if (samplecount > MAX_SAMPLE_FUNCTION_SIZE)
+		fz_throw(ctx, "sample function too large");
+
 	func->u.sa.samples = fz_malloc_array(ctx, samplecount, sizeof(float));
 	func->size += samplecount * sizeof(float);
author	Sebastian Rasmussen <sebras@gmail.com>	2012-07-20 02:30:42 +0200
committer	Tor Andersson <tor.andersson@artifex.com>	2012-07-24 11:29:35 +0200
commit	09241153b143eb35eb59c618759c5db9d114ebd1 (patch)
tree	5b9f85b4a5fe633b295a838e17ce4d997c03a7c3 /pdf/pdf_function.c
parent	bbd633a8819f4494e2b4fb10f177fc91bbf38e52 (diff)
download	mupdf-09241153b143eb35eb59c618759c5db9d114ebd1.tar.xz