authorSimon Bünzli <zeniko@gmail.com>2014-05-10 12:10:00 +0200
committerSimon Bünzli <zeniko@gmail.com>2014-05-12 18:37:47 +0200
commit11366353e1e88805f25053825cfd99be035cd245 (patch)
tree0e6ff19558e4b67e5b965b6a69987a15e34845ad /source/fitz/image.c
parent7db69f3b4a2732d993a23418344cda23924c8749 (diff)
downloadmupdf-11366353e1e88805f25053825cfd99be035cd245.tar.xz
better buffer underflow protection for ba15a8cd3238a3a3c098ad8b7d96cb0e405fc26f
Diffstat (limited to 'source/fitz/image.c')
-rw-r--r--source/fitz/image.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/source/fitz/image.c b/source/fitz/image.c
index bfafdcd4..1e6a1183 100644
--- a/source/fitz/image.c
+++ b/source/fitz/image.c
@@ -281,9 +281,10 @@ fz_image_get_pixmap(fz_context *ctx, fz_image *image, int w, int h)
case FZ_IMAGE_JPEG:
/* Scan JPEG stream and patch missing height values in header */
{
- unsigned char *d = image->buffer->buffer->data;
- unsigned char *e = d + image->buffer->buffer->len;
- for (d += 2; d + 9 < e && d[0] == 0xFF; d += (d[2] << 8 | d[3]) + 2)
+ unsigned char *s = image->buffer->buffer->data;
+ unsigned char *e = s + image->buffer->buffer->len;
+ unsigned char *d;
+ for (d = s + 2; s < d && d < e - 9 && d[0] == 0xFF; d += (d[2] << 8 | d[3]) + 2)
{
if (d[1] < 0xC0 || (0xC3 < d[1] && d[1] < 0xC9) || 0xCB < d[1])
continue;
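Review bot: The new `s < d` test in the `for` condition can only fail if `d += (d[2] << 8 | d[3]) + 2` wraps around the address space, and moving a pointer more than one element past the end of the buffer is undefined behaviour in C, so an optimising compiler may treat `s < d` as always true and drop it. The same applies to `e - 9` (and `s + 2`) when the stream is shorter than 9 bytes, since the pointer is then formed outside the buffer before it is compared. Tracking an offset instead of a pointer keeps every comparison in defined unsigned arithmetic and bounds the segment step against the remaining length; the sketch below assumes `len` is never negative. The loop body continues past the end of this hunk and would keep using `d` as before.

```c
unsigned char *s = image->buffer->buffer->data;
size_t len = image->buffer->buffer->len;
size_t off;
for (off = 2; len > 9 && off < len - 9 && s[off] == 0xFF; off += (size_t)(s[off + 2] << 8 | s[off + 3]) + 2)
{
	unsigned char *d = s + off;
	/* … unchanged: marker test and the rest of the loop body … */
```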