author | Robin Watts <robin.watts@artifex.com> | 2013-01-02 14:06:58 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-01-02 14:09:53 +0000 |
commit | 98cc01d82be792e600e13e88de9712fffa3240d5 (patch) | |
tree | d6b35bf7dd0f94e2e5f64ca88b970d05ffd38e01 /pdf | |
parent | 4d0ddfdc4922e15619809837a7d3d54421b1a2e0 (diff) | |
download | mupdf-98cc01d82be792e600e13e88de9712fffa3240d5.tar.xz |
Bug 693503: Fix overlong (seemingly infinite) loop of warnings.
When reading a CMAP with values out of range, we can go into a
very long loop emitting the same pair of warnings.
Spot the error case earlier and thus give a nicer report.
Problem found in a test file, 3192.pdf.SIGSEGV.b0.2438 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'pdf')
-rw-r--r-- | pdf/pdf_cmap_parse.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c index b482dcb5..cedbf2be 100644 --- a/pdf/pdf_cmap_parse.c +++ b/pdf/pdf_cmap_parse.c @@ -232,6 +232,11 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf fz_throw(ctx, "expected string"); hi = pdf_code_from_string(buf->scratch, buf->len); + if (lo < 0 || lo > 65535 || hi < 0 || hi > 65535 || lo > hi) + { + fz_warn(ctx, "bf_range limits out of range in cmap %s", cmap->cmap_name); + return; + } tok = pdf_lex_cmap(file, buf); |
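Review bot: The early `return;` in the new range check exits before the following `tok = pdf_lex_cmap(file, buf);`, so the rest of this bfrange entry is left unread in the stream and the function gives its caller no indication that parsing stopped early. Please confirm that the caller copes with resuming mid-entry, or add a comment stating that abandoning the remaining ranges here is intended. The warning would also be easier to act on if it printed the offending values, for example "bf_range limits out of range in cmap %s (lo=%d, hi=%d)", and the literal 65535 deserves a short comment or a named constant saying which limit it encodes.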