authorTor Andersson <tor.andersson@artifex.com>2016-12-28 13:20:16 +0100
committerTor Andersson <tor.andersson@artifex.com>2017-01-09 13:21:40 +0100
commit7a439812b2226c1e3b203ec603f05b39d159f91e (patch)
tree527c9875c6befd905ffba752079c51c0799a8d7a /source/fitz
parentbbcc85a9f746c161b2e23c6057e69ec7b967252b (diff)
Fix potential buffer overrun when decoding UTF-16 in XML parser.
Diffstat (limited to 'source/fitz')
-rw-r--r--source/fitz/xml.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source/fitz/xml.c b/source/fitz/xml.c
index 47b9461b..d063ee33 100644
--- a/source/fitz/xml.c
+++ b/source/fitz/xml.c
@@ -593,7 +593,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
if (s[0] == 0xFE && s[1] == 0xFF) {
s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
while (s + 1 < e) {
c = s[0] << 8 | s[1];
d += fz_runetochar(d, c);
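Review bot: The size in the added line, `n * FZ_UTFMAX`, is an unchecked size_t multiplication, so for a very large n (mainly a concern on 32-bit builds) it can wrap and give fz_malloc a request smaller than what the loop below writes. A guard ahead of the allocation, e.g. `if (n > SIZE_MAX / FZ_UTFMAX) fz_throw(doc, FZ_ERROR_GENERIC, "xml input too large");`, or an overflow-checked array allocator if the tree provides one, would close that. The same applies to the little-endian branch in the second hunk. A short comment such as `/* worst case: each input byte is budgeted FZ_UTFMAX output bytes, which also leaves room for the terminator */` would record why this bound is sufficient. convert_to_utf8 starts and ends outside the hunk, so whether a caller already caps n cannot be seen from here.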
@@ -606,7 +606,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
if (s[0] == 0xFF && s[1] == 0xFE) {
s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
while (s + 1 < e) {
c = s[0] | s[1] << 8;
d += fz_runetochar(d, c);