authorSimon Bünzli <zeniko@gmail.com>2014-08-24 11:13:36 +0200
committerSimon Bünzli <zeniko@gmail.com>2014-09-08 15:08:43 +0200
commit621f2c0b3b913c59c0d3cc8ebedac1453caf7acb (patch)
tree9da6f08995482f76022976ec176322f6b1f28721 /source/fitz
parent6cb578962a4a2e0f78bc5fac220555614b9a8d65 (diff)
downloadmupdf-621f2c0b3b913c59c0d3cc8ebedac1453caf7acb.tar.xz
Bug 695440: fix buffer underflows in load-jpeg.c
With this change, all 32-bit values read from untrusted data through read_value are compared unmodified in order to prevent unintended integer overflows during the comparison.
Diffstat (limited to 'source/fitz')
-rw-r--r--source/fitz/load-jpeg.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/source/fitz/load-jpeg.c b/source/fitz/load-jpeg.c
index 96c82ebd..2603ce7d 100644
--- a/source/fitz/load-jpeg.c
+++ b/source/fitz/load-jpeg.c
@@ -133,7 +133,7 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
return 0;
offset = read_value(data + 10, 4, is_big_endian) + 6;
- if (offset < 14 || offset + 2 > marker->data_length)
+ if (offset < 14 || offset > marker->data_length - 2)
return 0;
ifd_len = read_value(data + offset, 2, is_big_endian);
for (offset += 2; ifd_len > 0 && offset + 12 < marker->data_length; ifd_len--, offset += 12)
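Review bot: The new guard `offset > marker->data_length - 2` only works if `marker->data_length` is already known to be at least 2 (libjpeg declares it `unsigned int`, so the subtraction would otherwise wrap to a huge value and the check would pass); that minimum-length test, if present, is above the hunk and the dependency is silent here. The same holds for the two `value_off <= marker->data_length - 8` checks in the next hunk. A one-line comment at the guard, `/* data_length >= 14 is verified above, so the subtraction cannot wrap */`, would make the invariant explicit, with the constant adjusted to whatever the earlier check really requires. The loop condition on the last line still compares the modified value `offset + 12`, which the commit message says is being avoided; given the same invariant it could read `offset < marker->data_length - 12` for consistency, and it is only harmless today because `offset` was just bounded. extract_exif_resolution continues beyond the hunk.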
@@ -145,11 +145,11 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
switch (tag)
{
case 0x11A:
- if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+ if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
x_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
break;
case 0x11B:
- if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+ if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
y_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
break;
case 0x128:
@@ -197,9 +197,9 @@ static int extract_app13_resolution(jpeg_saved_marker_ptr marker, int *xres, int
int value_off = 11 + read_value(data + 6, 2, 1);
if (value_off % 2 == 1)
value_off++;
- if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && data + value_off <= data_end)
+ if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && value_off <= data_end - data)
data_size = read_value(data + value_off - 4, 4, 1);
- if (data_size < 0 || data + value_off + data_size > data_end)
+ if (data_size < 0 || data_size > data_end - data - value_off)
return 0;
if (tag == 0x3ED && data_size == 16)
{
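Review bot: When the `8BIM` test on the new line fails, `data_size` is not assigned, so the `data_size < 0` check two lines later evaluates whatever the variable held before; its declaration is above the hunk, and this is only safe if it starts out as a negative sentinel such as `-1`. If it does, a comment `/* data_size stays -1 unless an 8BIM header was validated, so the next check rejects the entry */` would document that; if it does not, initialise it before this check. The pointer-difference form `data_size > data_end - data - value_off` is sound: the arithmetic is `ptrdiff_t`, `value_off` is at most 11 plus a 2-byte value, and the `value_off <= data_end - data` test already covers the 4-byte read at `data + value_off - 4`. extract_app13_resolution continues beyond the hunk.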