authorRobin Watts <robin.watts@artifex.com>2015-10-01 15:30:12 +0100
committerRobin Watts <robin.watts@artifex.com>2015-10-02 16:36:33 +0100
commitf0f90683d3ae5d8655eb1e02c2412fd35bc96257 (patch)
treeac5780c087f046670c32ade7df042e39cac9d7a9 /source/pdf/pdf-xref.c
parent1b508d5cd7b0d7d4528326b1fa276bce90061b52 (diff)
Bug 696131: Detect some overflow conditions
When lexing a number, do NOT check for overflow. This causes loss of data in some files. The current implementation matches Acrobat. When lexing a startxref offset, check for overflow. If found, throw an error.
Diffstat (limited to 'source/pdf/pdf-xref.c')
-rw-r--r--source/pdf/pdf-xref.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 7c722c9c..6fa4770f 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -577,7 +577,11 @@ pdf_read_start_xref(fz_context *ctx, pdf_document *doc)
i ++;
doc->startxref = 0;
while (i < n && buf[i] >= '0' && buf[i] <= '9')
+ {
+ if (doc->startxref >= FZ_OFF_MAX/10)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "startxref too large");
doc->startxref = doc->startxref * 10 + (buf[i++] - '0');
+ }
if (doc->startxref != 0)
return;
break;
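Review bot: On the new error path, `fz_throw` fires while `doc->startxref` still holds the partially accumulated digits, so any caller that catches the error and keeps using the document (for example a repair path, if one exists outside this hunk) would see a large, meaningless offset. Resetting it first closes that gap: `{ doc->startxref = 0; fz_throw(ctx, FZ_ERROR_GENERIC, "startxref too large"); }`, or accumulate into a local and store it only after the loop. The `>= FZ_OFF_MAX/10` bound is slightly conservative, since it also rejects a few values that would still fit, which is harmless but worth a comment such as `/* check before multiplying: signed overflow is undefined behaviour */`. The guard only prevents arithmetic overflow, and the hunk does not show the accepted offset being compared against the file length before it is used to seek, so that is worth confirming in the rest of `pdf_read_start_xref` and its callers, whose bodies lie outside this hunk.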