diff options
| author | Robin Watts <robin.watts@artifex.com> | 2013-01-04 16:19:02 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2013-01-11 15:34:07 +0000 |
| commit | 5ee271fd9c8b51b65d3e62a1eb47971adc090328 (patch) | |
| tree | 39fed8e4e3fbd10b5c13b6549e76ad844b7eab42 /pdf | |
| parent | 575d606b8ee1b1cac02be42ba237f1f959d419d8 (diff) | |
| download | mupdf-5ee271fd9c8b51b65d3e62a1eb47971adc090328.tar.xz | |
Bug 693503: Fix NULL dereference in atoi.
If a PDF xref subsection is broken in the wrong place, we can get
NULL back from fz_strsep, which causes a SEGV when fed to atoi.
Add a new fz_atoi that copes with NULL to avoid this.
Problem found in a test file, 3959.pdf.SIGSEGV.ad4.3289 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'pdf')
| -rw-r--r-- | pdf/pdf_xref.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c index 6b5570f9..0e954c30 100644 --- a/pdf/pdf_xref.c +++ b/pdf/pdf_xref.c @@ -87,7 +87,7 @@ pdf_read_old_trailer(pdf_document *xref, pdf_lexbuf *buf) fz_strsep(&s, " "); /* ignore ofs */ if (!s) fz_throw(xref->ctx, "invalid range marker in xref"); - len = atoi(fz_strsep(&s, " ")); + len = fz_atoi(fz_strsep(&s, " ")); /* broken pdfs where the section is not on a separate line */ if (s && *s != '\0') @@ -210,8 +210,8 @@ pdf_read_old_xref(pdf_document *xref, pdf_lexbuf *buf) fz_read_line(xref->file, buf->scratch, buf->size); s = buf->scratch; - ofs = atoi(fz_strsep(&s, " ")); - len = atoi(fz_strsep(&s, " ")); + ofs = fz_atoi(fz_strsep(&s, " ")); + len = fz_atoi(fz_strsep(&s, " ")); /* broken pdfs where the section is not on a separate line */ if (s && *s != '\0') |