author | Simon Bünzli <zeniko@gmail.com> | 2014-05-10 12:10:00 +0200 |
---|---|---|
committer | Simon Bünzli <zeniko@gmail.com> | 2014-05-12 18:37:47 +0200 |
commit | 11366353e1e88805f25053825cfd99be035cd245 (patch) | |
tree | 0e6ff19558e4b67e5b965b6a69987a15e34845ad /source/fitz | |
parent | 7db69f3b4a2732d993a23418344cda23924c8749 (diff) | |
better buffer underflow protection for ba15a8cd3238a3a3c098ad8b7d96cb0e405fc26f
Diffstat (limited to 'source/fitz')
-rw-r--r-- | source/fitz/image.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/source/fitz/image.c b/source/fitz/image.c
index bfafdcd4..1e6a1183 100644
--- a/source/fitz/image.c
+++ b/source/fitz/image.c
@@ -281,9 +281,10 @@ fz_image_get_pixmap(fz_context *ctx, fz_image *image, int w, int h)
 case FZ_IMAGE_JPEG:
 /* Scan JPEG stream and patch missing height values in header */
 {
- unsigned char *d = image->buffer->buffer->data;
- unsigned char *e = d + image->buffer->buffer->len;
- for (d += 2; d + 9 < e && d[0] == 0xFF; d += (d[2] << 8 | d[3]) + 2)
+ unsigned char *s = image->buffer->buffer->data;
+ unsigned char *e = s + image->buffer->buffer->len;
+ unsigned char *d;
+ for (d = s + 2; s < d && d < e - 9 && d[0] == 0xFF; d += (d[2] << 8 | d[3]) + 2)
 {
 if (d[1] < 0xC0 || (0xC3 < d[1] && d[1] < 0xC9) || 0xCB < d[1])
 continue; |
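Review bot: The new loop condition still relies on pointer arithmetic that leaves the buffer. `e - 9` lies before `s` when the stream is shorter than 9 bytes, `d +=` can step past `e`, and `s < d` can only fire after the pointer has already wrapped. That wrap is undefined behaviour, so an optimizer may assume it never happens and drop the test. Tracking an offset keeps every comparison in range: `size_t len = image->buffer->buffer->len, off;` and `for (off = 2; off < len && len - off > 9 && s[off] == 0xFF; off += (s[off + 2] << 8 | s[off + 3]) + 2)`, with `d = s + off;` as the first statement of the body. The type of `len` is not visible in this hunk, so confirm it cannot be negative before converting; the loop body continues outside the hunk.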