authorSimon Bünzli <zeniko@gmail.com>2014-01-08 16:47:34 +0100
committerRobin Watts <robin.watts@artifex.com>2014-01-08 17:55:06 +0000
commitc8f982de83a6d98274b9ca85a5767cd3d13c9373 (patch)
tree4feda2f9b4e23502b4464c040ab88a17d35b4835 /source/fitz/filter-fax.c
parent7e2fd58613a92dfd94550e35cfede9fa5b714e7f (diff)
downloadmupdf-c8f982de83a6d98274b9ca85a5767cd3d13c9373.tar.xz
sanitize number of columns in fz_open_faxd
If columns is quite close to INT_MAX, the column index may overflow in find_changing, which causes an access violation in the next getbits. This happens e.g. with 0c76a20163f30ea8ec860c4e588ce337_signal_sigsegv_5e7b28_9115_7127.pdf
Diffstat (limited to 'source/fitz/filter-fax.c')
-rw-r--r--source/fitz/filter-fax.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/source/fitz/filter-fax.c b/source/fitz/filter-fax.c
index e0aa781d..7b35c812 100644
--- a/source/fitz/filter-fax.c
+++ b/source/fitz/filter-fax.c
@@ -780,6 +780,9 @@ fz_open_faxd(fz_stream *chain,
fz_try(ctx)
{
+ if (columns < 0 || columns >= INT_MAX - 7)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
+
fax = fz_malloc_struct(ctx, fz_faxd);
fax->chain = chain;
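Review bot: The bound `INT_MAX - 7` in the added check is a magic number, and nothing in fz_open_faxd says which arithmetic it protects; only the commit message points at the column index in find_changing. I would put a comment above the check, for example `/* keep columns far enough below INT_MAX that the column index in find_changing cannot wrap */`, with the exact reason for the 7 confirmed against find_changing, which is outside this hunk. The check also still accepts `columns == 0` and values just under the limit. Since the value presumably comes from the document and sizes the row buffers allocated later in this function, a tighter sanity limit may be worth considering. The fz_try block continues past the end of the hunk, so the cleanup path for a throw at this point is not visible here.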