field | value | date
---|---|---
author | Robin Watts <robin.watts@artifex.com> | 2014-01-09 20:01:36 +0000
committer | Robin Watts <robin.watts@artifex.com> | 2014-01-10 12:57:23 +0000
commit | f26bf94c5078d4ed498c283687cf19a24d71580c (patch) |
tree | ca58957cdca964f805b388ea0d155d4f2f251de4 /source/pdf |
parent | 3c2b088942d733ae1f82bc7310db28bed332a9ba (diff) |
download | mupdf-f26bf94c5078d4ed498c283687cf19a24d71580c.tar.xz |
Bug 694885: Avoid stack overflow in ps_run.
The ifelse and if operators require special parsing where we convert
ps function streams to bytecode. If a malformed stream presents
if or ifelse without being preceded by the appropriate { ... } blocks,
then throw an error.
This avoids us potentially calling ps_run recursively in an infinite
loop as happens with the test file in this bug.
5f091df77f6600d0927dc36777db2b93_signal_sigabrt_7ffff6d59425_6762_5545.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the fuzzing files.
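The parsing the commit message describes, as an added example that is not MuPDF's code: a miniature compiler for PDF's PostScript calculator functions in the spirit of pdf-function.c, with a recursive interpreter standing in for ps_run. Everything in it is my own construction and an assumption about nothing on this page: the opcode set (add, gt, dup, if, ifelse), the three-slot branch header, the names ps_compile and ps_result, the whitespace-separated token rule, the nesting cap, and the sample functions. The point it shows is the one the patch makes: "{ } if" and "{ } { } ifelse" are only ever compiled through the '{' path, so a bare if or ifelse that reaches the generic operator path is rejected at compile time and the interpreter never dereferences a branch header that was never laid down.

```c
/* Added example, not MuPDF's code: a miniature PostScript calculator-function
 * compiler shaped like the one the commit describes. "{ } if" and "{ } { } ifelse"
 * are compiled when the parser meets '{'; a bare if/ifelse that reaches the generic
 * operator path is rejected, which is the check the commit adds. Names are my own.
 * Tokens must be whitespace separated (so braces are spaced), a simplification here. */
#include <limits.h>
#include <setjmp.h>
#include <stdio.h>
#include <string.h>
enum { PS_INT, PS_OPERATOR, PS_BLOCK };   enum { MAX_CODE = 256, MAX_STACK = 64, MAX_DEPTH = 32 };
enum { OP_ADD, OP_GT, OP_DUP, OP_IF, OP_IFELSE, OP_RETURN };
typedef struct { int type, val; } psobj;
/* src: read cursor; code/n: bytecode and next free slot; err/onerr: error text and unwind target. */
typedef struct { const char *src; psobj code[MAX_CODE]; int n; char err[64]; jmp_buf onerr; } pscomp;
static void fail(pscomp *c, const char *msg) { snprintf(c->err, sizeof c->err, "%s", msg); longjmp(c->onerr, 1); }
static void emit(pscomp *c, int type, int val) { if (c->n >= MAX_CODE) fail(c, "function too large"); c->code[c->n++] = (psobj){ type, val }; }
static int lex(pscomp *c, char *tok) {
    int n = 0;
    if (sscanf(c->src, " %15s%n", tok, &n) != 1) return 0;   /* tok has room for 16 bytes */
    c->src += n; return 1;
}
static int opcode(const char *tok) {
    static const char *names[] = { "add", "gt", "dup", "if", "ifelse" };
    for (int i = 0; i < 5; i++) if (!strcmp(tok, names[i])) return i;
    return -1;
}
/* Compile one block up to its closing '}'. A branch is a 3-slot header [OP_IF|OP_IFELSE][elseptr or -1][endptr] followed by the if-block body. */
static void parse_block(pscomp *c, int depth) {
    char tok[16], junk; int op, v;
    if (depth > MAX_DEPTH) fail(c, "blocks nested too deeply");   /* bounds parser and interpreter recursion */
    for (;;) {
        if (!lex(c, tok)) fail(c, "unexpected end of function");
        if (!strcmp(tok, "}")) { emit(c, PS_OPERATOR, OP_RETURN); return; }
        if (!strcmp(tok, "{")) {
            int opptr = c->n, elseptr = -1;
            if (c->n + 3 > MAX_CODE) fail(c, "function too large");
            c->n += 3;                          /* reserve the header, then compile the if-block */
            parse_block(c, depth + 1);
            if (!lex(c, tok)) fail(c, "unexpected end of function");
            if (!strcmp(tok, "{")) {            /* optional else-block */
                elseptr = c->n;
                parse_block(c, depth + 1);
                if (!lex(c, tok)) fail(c, "unexpected end of function");
            }
            op = opcode(tok);
            if (op == OP_IF && elseptr >= 0) fail(c, "too many branches for if");
            if (op == OP_IFELSE && elseptr < 0) fail(c, "not enough branches for ifelse");
            if (op != OP_IF && op != OP_IFELSE) fail(c, "block not followed by if or ifelse");
            c->code[opptr] = (psobj){ PS_OPERATOR, op }; c->code[opptr + 1] = (psobj){ PS_BLOCK, elseptr };
            c->code[opptr + 2] = (psobj){ PS_BLOCK, c->n };
        } else if (sscanf(tok, "%d%c", &v, &junk) == 1) {   /* whole token is an integer */
            emit(c, PS_INT, v);
        } else {
            if ((op = opcode(tok)) < 0) fail(c, "unknown operator");
            /* The commit's check: if/ifelse are only legal through the '{' path above. */
            if (op == OP_IF || op == OP_IFELSE) fail(c, "illegally positioned if/ifelse operator");
            emit(c, PS_OPERATOR, op);
        }
    }
}
static int pop(pscomp *c, int *st, int *sp) { if (*sp < 1) fail(c, "stack underflow"); return st[--*sp]; }
static void push(pscomp *c, int *st, int *sp, int v) { if (*sp >= MAX_STACK) fail(c, "stack overflow"); st[(*sp)++] = v; }
/* Interpreter; like MuPDF's ps_run it recurses into branch blocks and trusts the header slots. */
static void ps_run(pscomp *c, int pc, int *st, int *sp) {
    for (int a, b;;) {
        if (pc < 0 || pc >= c->n || c->code[pc].type == PS_BLOCK) fail(c, "corrupt bytecode");
        if (c->code[pc].type == PS_INT) { push(c, st, sp, c->code[pc++].val); continue; }
        switch (c->code[pc].val) {
        case OP_RETURN: return;
        case OP_ADD: b = pop(c, st, sp); a = pop(c, st, sp); push(c, st, sp, a + b); pc++; break;
        case OP_GT:  b = pop(c, st, sp); a = pop(c, st, sp); push(c, st, sp, a > b); pc++; break;
        case OP_DUP: a = pop(c, st, sp); push(c, st, sp, a); push(c, st, sp, a); pc++; break;
        case OP_IF:  if (pop(c, st, sp)) ps_run(c, pc + 3, st, sp); pc = c->code[pc + 2].val; break;
        case OP_IFELSE: a = pop(c, st, sp); ps_run(c, a ? pc + 3 : c->code[pc + 1].val, st, sp); pc = c->code[pc + 2].val; break;
        }
    }
}
/* Compile src into c; 0 on success, -1 with c->err set when the stream is malformed. */
int ps_compile(pscomp *c, const char *src) {
    char tok[16];
    memset(c, 0, sizeof *c); c->src = src;
    if (setjmp(c->onerr)) return -1;
    if (!lex(c, tok) || strcmp(tok, "{")) fail(c, "function must start with '{'");
    parse_block(c, 0);
    if (lex(c, tok)) fail(c, "trailing tokens after function");
    return 0;
}
/* Compile and apply src to one input; INT_MIN if it is rejected or fails at run time. */
int ps_result(const char *src, int in) {
    pscomp c; int st[MAX_STACK], sp = 0;
    if (ps_compile(&c, src) != 0) return INT_MIN;
    if (setjmp(c.onerr)) return INT_MIN;
    push(&c, st, &sp, in); ps_run(&c, 0, st, &sp);
    return pop(&c, st, &sp);
}
int main(void) {
    pscomp c; const char *f = "{ dup 5 gt { 10 add } { -1 add } ifelse }";
    printf("f(9) = %d, f(2) = %d\n", ps_result(f, 9), ps_result(f, 2));
    printf("{ 1 if } -> %s\n", ps_compile(&c, "{ 1 if }") == 0 ? "accepted" : c.err);
    return 0;
}
```

With this layout "{ 1 if }" and "{ ifelse }" are refused by the operator path, "{ { 1 } { 2 } if }" and "{ { 1 } ifelse }" by the branch-count checks, and a truncated "{ 1 add" by the end-of-input check, so ps_run only ever sees headers the compiler wrote. Two things the hunk on this page does not show but a practitioner would want are also here: the compile-time nesting cap, which bounds the interpreter's recursion depth for well-formed input, and the bounds-checked operand stack, which turns a function that pops more than it pushes into an error instead of an out-of-bounds read.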
Diffstat (limited to 'source/pdf')
-rw-r--r-- | source/pdf/pdf-function.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/source/pdf/pdf-function.c b/source/pdf/pdf-function.c index b18ccf17..1972a10d 100644 --- a/source/pdf/pdf-function.c +++ b/source/pdf/pdf-function.c @@ -817,6 +817,10 @@ parse_code(pdf_function *func, fz_stream *stream, int *codeptr, pdf_lexbuf *buf) } if (cmp != 0) fz_throw(ctx, FZ_ERROR_GENERIC, "unknown operator: '%s'", buf->scratch); + if (a == PS_OP_IFELSE) + fz_throw(ctx, FZ_ERROR_GENERIC, "illegally positioned ifelse operator in function"); + if (a == PS_OP_IF) + fz_throw(ctx, FZ_ERROR_GENERIC, "illegally positioned if operator in function"); resize_code(ctx, func, *codeptr); func->u.p.code[*codeptr].type = PS_OPERATOR; |
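Review bot: the two new throws in the parse_code hunk differ only in the operator name, and buf->scratch already holds the keyword text (it is what the preceding `unknown operator: '%s'` throw prints), so they can be a single check: `if (a == PS_OP_IF || a == PS_OP_IFELSE) fz_throw(ctx, FZ_ERROR_GENERIC, "illegally positioned %s operator in function", buf->scratch);`. That keeps the wording in step with the existing message format and avoids the pair drifting apart if further structured operators are handled the same way later. The placement is right: the checks sit after the operator lookup and before resize_code, so nothing is appended to func->u.p.code for the rejected keyword. Since the fix is motivated by a fuzzed file, a regression test that feeds a bare if/ifelse function stream through the parser and expects the error would be worth adding alongside it.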