authorRobin Watts <robin.watts@artifex.com>2013-01-02 14:06:58 +0000
committerRobin Watts <robin.watts@artifex.com>2013-01-02 14:09:53 +0000
commit98cc01d82be792e600e13e88de9712fffa3240d5 (patch)
treed6b35bf7dd0f94e2e5f64ca88b970d05ffd38e01 /pdf
parent4d0ddfdc4922e15619809837a7d3d54421b1a2e0 (diff)
Bug 693503: Fix overlong (seemingly infinite) loop of warnings.
When reading a CMAP with values out of range, we can go into a very long loop emitting the same pair of warnings. Spot the error case earlier and thus give a nicer report. Problem found in a test file, 3192.pdf.SIGSEGV.b0.2438, supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'pdf')
-rw-r--r--pdf/pdf_cmap_parse.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c
index b482dcb5..cedbf2be 100644
--- a/pdf/pdf_cmap_parse.c
+++ b/pdf/pdf_cmap_parse.c
@@ -232,6 +232,11 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf
fz_throw(ctx, "expected string");
hi = pdf_code_from_string(buf->scratch, buf->len);
+ if (lo < 0 || lo > 65535 || hi < 0 || hi > 65535 || lo > hi)
+ {
+ fz_warn(ctx, "bf_range limits out of range in cmap %s", cmap->cmap_name);
+ return;
+ }
tok = pdf_lex_cmap(file, buf);