diff options
| author | Sebastian Rasmussen <sebras@gmail.com> | 2012-07-26 01:04:39 +0200 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2012-07-26 01:04:39 +0200 |
| commit | 94bbe3ca1dfe3fcbc24f7581e119d8e132430334 (patch) | |
| tree | 5e2f201b6a7a83e0616ba9603ec52ddf171bc7ec /pdf/pdf_xref.c | |
| parent | 50fb52b43ec34e9e4e5d6202669766ee9304c9a9 (diff) | |
| download | mupdf-94bbe3ca1dfe3fcbc24f7581e119d8e132430334.tar.xz | |
Gracefully handle negative offset and objects in object stream
Previously a negative offset of the first object in an object stream or
a negative number of objects in an object stream would cause a huge
allocation. Detect and throw exception on negative values.
Diffstat (limited to 'pdf/pdf_xref.c')
| -rw-r--r-- | pdf/pdf_xref.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c index 350249a3..23e4b79a 100644 --- a/pdf/pdf_xref.c +++ b/pdf/pdf_xref.c @@ -900,6 +900,11 @@ pdf_load_obj_stm(pdf_document *xref, int num, int gen, pdf_lexbuf *buf) count = pdf_to_int(pdf_dict_gets(objstm, "N")); first = pdf_to_int(pdf_dict_gets(objstm, "First")); + if (count < 0) + fz_throw(ctx, "negative number of objects in object stream"); + if (first < 0) + fz_throw(ctx, "first object in object stream resides outside stream"); + numbuf = fz_calloc(ctx, count, sizeof(int)); ofsbuf = fz_calloc(ctx, count, sizeof(int)); |