path: root/source/fitz/filter-predict.c
author: Robin Watts <robin.watts@artifex.com> 2014-01-08 13:51:05 +0000
committer: Robin Watts <robin.watts@artifex.com> 2014-01-08 19:20:44 +0000
commit: fb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e
tree: 374ddd24dd7b4a651128c8a1b8c2016262927000 /source/fitz/filter-predict.c
parent: 98a111c8e49916f8f5ac21d11f4627540f9ddd49
download: mupdf-fb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e.tar.xz
Fuzzing fix: Overrun in fz_predict_png
If a file specifies a silly number of bpp in the PNG predictor it can overrun a buffer. This was shown by:

tests_private/fuzzing/mupdf2/013b2dcbd0207501e922910ac335eb59_*.pdf

but no longer shows up due to Simon's earlier fix.

Following discussion we still think it's worth having this fix in, as truncated data streams can cause len < bpp. Possibly we should throw an error here, but I think that's not necessary as we will return the short length, and the image reading code will notice that the image is truncated already.

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
Diffstat (limited to 'source/fitz/filter-predict.c')
 source/fitz/filter-predict.c | 3 +++
1 files changed, 3 insertions, 0 deletions
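The overrun described in the commit message, as an added example that is not MuPDF's code: a stand-alone PNG predictor reversal (Sub, Up, Average, Paeth) carrying the same bpp-to-len clamp, run over a constructed row stream whose last row is cut short so that bpp > len. The function and variable names, the 256-byte row cap and the sample bytes are all assumptions of this example, not anything taken from the project.

```c
#include <stdio.h>
#include <string.h>

/* Paeth predictor from the PNG specification (a = left, b = up, c = up-left). */
static int paeth(int a, int b, int c)
{
	int p = a + b - c;
	int pa = p > a ? p - a : a - p, pb = p > b ? p - b : b - p, pc = p > c ? p - c : c - p;
	if (pa <= pb && pa <= pc) return a;
	return pb <= pc ? b : c;
}

/* Reverse one PNG-filtered row. ref is the previous reconstructed row (zeros for
 * the first row), len is how many bytes of this row are actually present (fewer
 * than the row width once the stream is truncated), bpp is the lookback stride.
 * Clamping bpp to len is the commit's check: the per-byte lead loop then stays
 * inside in[0..len) and out[0..len), and the strided loop cannot start before
 * out[0]. Returns the number of bytes written, which is len. */
static int predict_png_row(unsigned char *out, const unsigned char *in,
                           const unsigned char *ref, int len, int bpp, int predictor)
{
	int i;

	if (len <= 0) return 0;
	if (bpp < 1) bpp = 1;
	if (bpp > len) bpp = len; /* the fix under review, applied to this example's loops */

	switch (predictor)
	{
	case 1: /* Sub */
		for (i = 0; i < bpp; i++) out[i] = in[i];
		for (i = bpp; i < len; i++) out[i] = in[i] + out[i - bpp];
		break;
	case 2: /* Up */
		for (i = 0; i < len; i++) out[i] = in[i] + ref[i];
		break;
	case 3: /* Average */
		for (i = 0; i < bpp; i++) out[i] = in[i] + (ref[i] >> 1);
		for (i = bpp; i < len; i++) out[i] = in[i] + ((out[i - bpp] + ref[i]) >> 1);
		break;
	case 4: /* Paeth */
		for (i = 0; i < bpp; i++) out[i] = in[i] + paeth(0, ref[i], 0);
		for (i = bpp; i < len; i++) out[i] = in[i] + paeth(out[i - bpp], ref[i], ref[i - bpp]);
		break;
	default: /* 0 = None; an unknown filter byte is treated as None as well */
		memcpy(out, in, len);
	}
	return len;
}

/* Walk a stream of rows (one filter byte, then up to rowlen data bytes) into
 * out. A short final row is decoded from the bytes that remain and only its
 * short length is counted, mirroring the commit message: the caller, not this
 * routine, notices the truncation. Returns bytes produced, or -1 on overflow. */
static int unfilter_png_rows(const unsigned char *data, int datalen, int rowlen,
                             int bpp, unsigned char *out, int outcap)
{
	unsigned char ref[256]; /* previous reconstructed row; rowlen is capped at 256 here */
	int pos = 0, produced = 0;

	if (rowlen < 1 || rowlen > (int)sizeof ref) return -1;
	memset(ref, 0, rowlen);
	while (pos < datalen)
	{
		int predictor = data[pos++];
		int avail = datalen - pos;
		int len = avail < rowlen ? avail : rowlen;
		if (len <= 0) break;
		if (produced + len > outcap) return -1;
		predict_png_row(out + produced, data + pos, ref, len, bpp, predictor);
		memcpy(ref, out + produced, len); /* this row is the next row's reference */
		produced += len;
		pos += len;
	}
	return produced;
}

/* Constructed sample, not from any real file: two full 2-pixel RGB rows
 * (bpp = 3, rowlen = 6) and a third row cut off after 2 data bytes. */
static const unsigned char sample_stream[] = {
	1, 10, 20, 30, 2, 2, 2, /* Sub */
	2, 1, 1, 1, 1, 1, 1,    /* Up */
	4, 5, 5,                /* Paeth, truncated: bpp (3) > len (2) */
};
static const unsigned char sample_expected[] = {
	10, 20, 30, 12, 22, 32,
	11, 21, 31, 13, 23, 33,
	16, 26,
};

/* Decodes the sample; returns the byte count, or -1 if the bytes do not match. */
static int decode_sample(void)
{
	unsigned char out[64];
	int n = unfilter_png_rows(sample_stream, (int)sizeof sample_stream, 6, 3, out, (int)sizeof out);
	if (n != (int)sizeof sample_expected || memcmp(out, sample_expected, n) != 0) return -1;
	return n;
}

int main(void)
{
	int n = decode_sample();
	printf("%s: %d bytes, last row short\n", n < 0 ? "mismatch" : "decoded", n);
	return n < 0;
}
```

In this implementation the clamp changes no output byte: for the first bpp bytes of a row every predictor uses only in[i] and ref[i], so stopping that lead loop at len yields exactly the bytes a full-width row would have produced for those positions, and the clamp's only effect is that the loop no longer runs past the data. Whether the original function's loops have the same shape is not visible in the hunk below.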
diff --git a/source/fitz/filter-predict.c b/source/fitz/filter-predict.c
index e8f885a7..66101753 100644
--- a/source/fitz/filter-predict.c
+++ b/source/fitz/filter-predict.c
@@ -87,6 +87,9 @@ fz_predict_png(fz_predict *state, unsigned char *out, unsigned char *in, int len
int i;
unsigned char *ref = state->ref;
+ if (bpp > len)
+ bpp = len;
+
switch (predictor)
{
case 0:
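Review bot: the clamp `if (bpp > len) bpp = len;` silently narrows the stride for a short row and leaves no trace in the function that the row was truncated, so a later reader cannot tell this is an error path; since the commit message relies on the image-reading code to notice the short length, record that reasoning at the clamp (e.g. `/* truncated stream: len may be < bpp; caller sees the short length */`). The comparison also guards against bpp > len only: a len of 0 leaves the cases in the switch below running with bpp clamped to 0, and a negative len leaves bpp negative, so either confirm the callers never pass a non-positive len or bail out with `if (len <= 0) return;` ahead of the clamp.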