Bug 693503: Fix SEGV during pdf function loading from broken file.

If the Function entry does not point to either a dictionary or an array, we should give up, otherwise we deference a NULL pointer. Problem found in a test file, 1013.pdf.SIGSEGV.8a7.18 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
author: Robin Watts <robin.watts@artifex.com> 2013-01-02 16:24:38 +0000
committer: Robin Watts <robin.watts@artifex.com> 2013-01-03 13:05:26 +0000
commit: 13df8c72e4cdeb9860a377c6c8c5827440bede39 (patch)
tree: 40d2a72164f1456100319e0fada0b8153e71534b /pdf
parent: 9138958c4a887d25659f7baf87cf62b593e4fcbf (diff)
download: mupdf-13df8c72e4cdeb9860a377c6c8c5827440bede39.tar.xz
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_shade.c b/pdf/pdf_shade.c
index 4089bc02..95726975 100644
--- a/pdf/pdf_shade.c
+++ b/pdf/pdf_shade.c
@@ -405,6 +405,11 @@ pdf_load_shading_dict(pdf_document *xref, pdf_obj *dict, fz_matrix transform)
 					fz_throw(ctx, "cannot load shading function (%d %d R)", pdf_to_num(obj), pdf_to_gen(obj));
 			}
 		}
+		else if (type < 4)
+		{
+			/* Functions are compulsory for types 1,2,3 */
+			fz_throw(ctx, "cannot load shading function (%d %d R)", pdf_to_num(obj), pdf_to_gen(obj));
+		}
 
 		shade->type = type;
 		switch (type)
author	Robin Watts <robin.watts@artifex.com>	2013-01-02 16:24:38 +0000
committer	Robin Watts <robin.watts@artifex.com>	2013-01-03 13:05:26 +0000
commit	13df8c72e4cdeb9860a377c6c8c5827440bede39 (patch)
tree	40d2a72164f1456100319e0fada0b8153e71534b /pdf
parent	9138958c4a887d25659f7baf87cf62b593e4fcbf (diff)
download	mupdf-13df8c72e4cdeb9860a377c6c8c5827440bede39.tar.xz