Throw on overly long PDF names.

The architectural limit is 127 bytes according to the PDF specification.
author: Sebastian Rasmussen <sebras@gmail.com> 2017-06-18 23:27:56 +0800
committer: Sebastian Rasmussen <sebras@gmail.com> 2017-06-28 23:22:45 +0800
commit: 9a5e51065469776682a6189efdb3668d42312f7c (patch)
tree: 4d73e79a67965cabebb9870b34550895a8d02e5b /source/pdf/pdf-lex.c
parent: 46aeda6ae19f871b109ef0b724f86a79b85b0044 (diff)
download: mupdf-9a5e51065469776682a6189efdb3668d42312f7c.tar.xz
1 files changed, 4 insertions, 2 deletions
diff --git a/source/pdf/pdf-lex.c b/source/pdf/pdf-lex.c
index 751f6a61..34b08133 100644
--- a/source/pdf/pdf-lex.c
+++ b/source/pdf/pdf-lex.c
@@ -204,15 +204,17 @@ static void
 lex_name(fz_context *ctx, fz_stream *f, pdf_lexbuf *lb)
 {
 	char *s = lb->scratch;
-	char *e = s + lb->size;
+	char *e = s + fz_mini(127, lb->size);
 	int c;
 
 	while (1)
 	{
 		if (s == e)
 		{
+			if (e - lb->scratch >= 127)
+				fz_throw(ctx, FZ_ERROR_SYNTAX, "name too long");
 			s += pdf_lexbuf_grow(ctx, lb);
-			e = lb->scratch + lb->size;
+			e = lb->scratch + fz_mini(127, lb->size);
 		}
 		c = fz_read_byte(ctx, f);
 		switch (c)
author	Sebastian Rasmussen <sebras@gmail.com>	2017-06-18 23:27:56 +0800
committer	Sebastian Rasmussen <sebras@gmail.com>	2017-06-28 23:22:45 +0800
commit	9a5e51065469776682a6189efdb3668d42312f7c (patch)
tree	4d73e79a67965cabebb9870b34550895a8d02e5b /source/pdf/pdf-lex.c
parent	46aeda6ae19f871b109ef0b724f86a79b85b0044 (diff)
download	mupdf-9a5e51065469776682a6189efdb3668d42312f7c.tar.xz