diff options
| author | Simon Bünzli <zeniko@gmail.com> | 2013-08-30 18:29:29 +0200 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2013-09-13 18:22:58 +0100 |
| commit | f5a16fe3f1bc2f40f76692669a0c16be27d644fb (patch) | |
| tree | b2614eb2767f0ef6b10b411f380e4ca0b99071a3 /source/pdf | |
| parent | aefe6a511b3cb901034e5995fd882e334e40f2bb (diff) | |
| download | mupdf-f5a16fe3f1bc2f40f76692669a0c16be27d644fb.tar.xz | |
prevent heap underflow in pdf_read_new_xref
Diffstat (limited to 'source/pdf')
| -rw-r--r-- | source/pdf/pdf-xref.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 97433fa3..aaa79bf3 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -114,6 +114,10 @@ pdf_xref_entry *pdf_get_populating_xref_entry(pdf_document *doc, int num) doc->num_xref_sections = 1; } + /* Prevent accidental heap underflow */ + if (num < 0) + fz_throw(doc->ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num); + /* Ensure all xref sections map this entry */ for (i = doc->num_xref_sections - 1; i >= 0; i--) { @@ -421,7 +425,8 @@ pdf_read_old_xref(pdf_document *doc, pdf_lexbuf *buf) int xref_len = pdf_xref_size_from_old_trailer(doc, buf); /* Access last entry to ensure xref size up front and avoid reallocs */ - (void)pdf_get_populating_xref_entry(doc, xref_len - 1); + if (xref_len > 0) + (void)pdf_get_populating_xref_entry(doc, xref_len - 1); fz_read_line(doc->file, buf->scratch, buf->size); if (strncmp(buf->scratch, "xref", 4) != 0) @@ -580,10 +585,8 @@ pdf_read_new_xref(pdf_document *doc, pdf_lexbuf *buf) size = pdf_to_int(obj); /* Access xref entry to assure table size */ - (void)pdf_get_populating_xref_entry(doc, size-1); - - if (num < 0 || num >= pdf_xref_len(doc)) - fz_throw(ctx, FZ_ERROR_GENERIC, "object id (%d %d R) out of range (0..%d)", num, gen, pdf_xref_len(doc) - 1); + if (size > 0) + (void)pdf_get_populating_xref_entry(doc, size-1); obj = pdf_dict_gets(trailer, "W"); if (!obj) |