author | Robin Watts <robin.watts@artifex.com> | 2013-11-28 00:37:10 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-11-28 00:41:08 +0000 |
commit | 9c910781c2dd9b7b49fedefc9f140d0c3b1a3896 (patch) | |
tree | 2264740e62dc09045751109eeead791c3bd2538f /source/pdf | |
parent | 16158407233ab95669dcf54725a628315522c905 (diff) | |
download | mupdf-9c910781c2dd9b7b49fedefc9f140d0c3b1a3896.tar.xz |
Bug 694127: Valgrind fix for pdf_decode_cmap
A poorly formed string can cause us to overrun the end of the buffer.
Now we check the end of the string at each stage to avoid this.
Diffstat (limited to 'source/pdf')
-rw-r--r-- | source/pdf/pdf-cmap.c | 8 | ||||
-rw-r--r-- | source/pdf/pdf-interpret.c | 2 |
2 files changed, 7 insertions, 3 deletions
diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c
index c006c6bb..a1f0b0b0 100644
--- a/source/pdf/pdf-cmap.c
+++ b/source/pdf/pdf-cmap.c
@@ -492,12 +492,16 @@ pdf_lookup_cmap_full(pdf_cmap *cmap, int cpt, int *out)
 * multi-byte encoded string.
 */
 int
-pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, int *cpt)
+pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, unsigned char *end, int *cpt)
 {
 int k, n, c;
+ int len = end - buf;
+
+ if (len > 4)
+ len = 4;
 c = 0;
- for (n = 0; n < 4; n++)
+ for (n = 0; n < len; n++)
 {
 c = (c << 8) | buf[n];
 for (k = 0; k < cmap->codespace_len; k++)
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c
index bfdf77ab..71dcbd4e 100644
--- a/source/pdf/pdf-interpret.c
+++ b/source/pdf/pdf-interpret.c
@@ -946,7 +946,7 @@ pdf_show_string(pdf_csi *csi, unsigned char *buf, int len)
 while (buf < end)
 {
- int w = pdf_decode_cmap(fontdesc->encoding, buf, &cpt);
+ int w = pdf_decode_cmap(fontdesc->encoding, buf, end, &cpt);
 buf += w;
 cid = pdf_lookup_cmap(fontdesc->encoding, cpt); |
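Review bot: The new `end` parameter of `pdf_decode_cmap` has no stated contract, and `int len = end - buf;` silently accepts `end <= buf`: the loop is then skipped and the result comes from the code after the loop, which lies outside this hunk. The call site in pdf-interpret.c advances with `buf += w`, so the returned width has to stay within the bytes that remain. I would extend the header comment with `end points one past the last readable byte of buf; at most min(4, end - buf) bytes are examined`, and confirm that the fall-through path for a code cut short by the end of the string still returns a width no larger than `end - buf`. The subtraction also narrows `ptrdiff_t` to `int`; the clamp to 4 makes that harmless for large strings, but an explicit cast such as `int len = (int)(end - buf);` keeps `-Wconversion` quiet and shows the narrowing is intended.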