author | Simon Bünzli <zeniko@gmail.com> | 2014-01-08 16:47:34 +0100 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2014-01-08 17:55:06 +0000 |
commit | c8f982de83a6d98274b9ca85a5767cd3d13c9373 (patch) | |
tree | 4feda2f9b4e23502b4464c040ab88a17d35b4835 /source/fitz | |
parent | 7e2fd58613a92dfd94550e35cfede9fa5b714e7f (diff) | |
download | mupdf-c8f982de83a6d98274b9ca85a5767cd3d13c9373.tar.xz |
sanitize number of columns in fz_open_faxd
If columns is quite close to INT_MAX, the column index may overflow
in find_changing which causes an access violation in the next getbits.
This happens e.g. with
0c76a20163f30ea8ec860c4e588ce337_signal_sigsegv_5e7b28_9115_7127.pdf
Diffstat (limited to 'source/fitz')
-rw-r--r-- | source/fitz/filter-fax.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/source/fitz/filter-fax.c b/source/fitz/filter-fax.c index e0aa781d..7b35c812 100644 --- a/source/fitz/filter-fax.c +++ b/source/fitz/filter-fax.c @@ -780,6 +780,9 @@ fz_open_faxd(fz_stream *chain, fz_try(ctx) { + if (columns < 0 || columns >= INT_MAX - 7) + fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns); + fax = fz_malloc_struct(ctx, fz_faxd); fax->chain = chain; |
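Review bot: the bound `INT_MAX - 7` in the new check is a magic number with no comment tying it to the computation it protects. The commit message names the column index in find_changing, so a one-line comment saying which expression can add up to 7 to `columns` would keep the bound correct if that code changes later. The same fz_throw also fires for `columns < 0`, where the text "too many columns lead to an integer overflow" is misleading; a separate message for negative values, or neutral wording such as "invalid number of columns", would make the error easier to triage. Because the throw sits inside fz_try before `fax = fz_malloc_struct(ctx, fz_faxd)`, please also confirm that the catch path, which is not shown in this hunk, copes with a `fax` that was never allocated.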