diff options
author | Robin Watts <robin.watts@artifex.com> | 2014-01-08 13:51:05 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2014-01-08 19:20:44 +0000 |
commit | fb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e (patch) | |
tree | 374ddd24dd7b4a651128c8a1b8c2016262927000 /source/pdf/pdf-appearance.c | |
parent | 98a111c8e49916f8f5ac21d11f4627540f9ddd49 (diff) | |
download | mupdf-fb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e.tar.xz |
Fuzzing fix: Overrun in fz_predict_png
If a file specifies a silly number of bpp in the PNG predictor it can
overrun a buffer. This was shown by:
tests_private/fuzzing/mupdf2/013b2dcbd0207501e922910ac335eb59_*.pdf
but no longer shows up due to Simons earlier fix.
Following discussion we still think it's worth having this fix in, as
truncated data streams can cause len < bpp. Possibly we should throw
an error here, but I think that's not necessary as we will return the
short length, and the image reading code will notice that the image
is truncated already.
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the fuzzing files.
Diffstat (limited to 'source/pdf/pdf-appearance.c')
0 files changed, 0 insertions, 0 deletions