Bug 694127: Valgrind fix for pdf_decode_cmap

A poorly formed string can cause us to overrun the end of the buffer. Now we check the end of the string at each stage to avoid this.
author: Robin Watts <robin.watts@artifex.com> 2013-11-28 00:37:10 +0000
committer: Robin Watts <robin.watts@artifex.com> 2013-11-28 00:41:08 +0000
commit: 9c910781c2dd9b7b49fedefc9f140d0c3b1a3896 (patch)
tree: 2264740e62dc09045751109eeead791c3bd2538f /source/pdf/pdf-cmap.c
parent: 16158407233ab95669dcf54725a628315522c905 (diff)
download: mupdf-9c910781c2dd9b7b49fedefc9f140d0c3b1a3896.tar.xz
1 files changed, 6 insertions, 2 deletions
diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c
index c006c6bb..a1f0b0b0 100644
--- a/source/pdf/pdf-cmap.c
+++ b/source/pdf/pdf-cmap.c
@@ -492,12 +492,16 @@ pdf_lookup_cmap_full(pdf_cmap *cmap, int cpt, int *out)
  * multi-byte encoded string.
  */
 int
-pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, int *cpt)
+pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, unsigned char *end, int *cpt)
 {
 	int k, n, c;
+	int len = end - buf;
+
+	if (len > 4)
+		len = 4;
 
 	c = 0;
-	for (n = 0; n < 4; n++)
+	for (n = 0; n < len; n++)
 	{
 		c = (c << 8) | buf[n];
 		for (k = 0; k < cmap->codespace_len; k++)
author	Robin Watts <robin.watts@artifex.com>	2013-11-28 00:37:10 +0000
committer	Robin Watts <robin.watts@artifex.com>	2013-11-28 00:41:08 +0000
commit	9c910781c2dd9b7b49fedefc9f140d0c3b1a3896 (patch)
tree	2264740e62dc09045751109eeead791c3bd2538f /source/pdf/pdf-cmap.c
parent	16158407233ab95669dcf54725a628315522c905 (diff)
download	mupdf-9c910781c2dd9b7b49fedefc9f140d0c3b1a3896.tar.xz