summaryrefslogtreecommitdiff
path: root/source/pdf/pdf-lex.c
diff options
context:
space:
mode:
authorSebastian Rasmussen <sebras@gmail.com>2017-06-18 23:27:56 +0800
committerSebastian Rasmussen <sebras@gmail.com>2017-06-28 23:22:45 +0800
commit9a5e51065469776682a6189efdb3668d42312f7c (patch)
tree4d73e79a67965cabebb9870b34550895a8d02e5b /source/pdf/pdf-lex.c
parent46aeda6ae19f871b109ef0b724f86a79b85b0044 (diff)
downloadmupdf-9a5e51065469776682a6189efdb3668d42312f7c.tar.xz
Throw on overly long PDF names.
The architectural limit is 127 bytes according to the PDF specification.
Diffstat (limited to 'source/pdf/pdf-lex.c')
-rw-r--r--source/pdf/pdf-lex.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/source/pdf/pdf-lex.c b/source/pdf/pdf-lex.c
index 751f6a61..34b08133 100644
--- a/source/pdf/pdf-lex.c
+++ b/source/pdf/pdf-lex.c
@@ -204,15 +204,17 @@ static void
lex_name(fz_context *ctx, fz_stream *f, pdf_lexbuf *lb)
{
char *s = lb->scratch;
- char *e = s + lb->size;
+ char *e = s + fz_mini(127, lb->size);
int c;
while (1)
{
if (s == e)
{
+ if (e - lb->scratch >= 127)
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "name too long");
s += pdf_lexbuf_grow(ctx, lb);
- e = lb->scratch + lb->size;
+ e = lb->scratch + fz_mini(127, lb->size);
}
c = fz_read_byte(ctx, f);
switch (c)