diff options
| author | Robin Watts <robin.watts@artifex.com> | 2014-01-17 13:12:07 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-01-17 13:47:48 +0000 |
| commit | 207c58162fe0bece0412325d3dfefe3bd12528ba (patch) | |
| tree | b11c8cc5f1a6162d45e9d7d70cfd190784585c0c /source | |
| parent | 0ae113cfe386e87234df5581d84a10d4c60502e5 (diff) | |
| download | mupdf-207c58162fe0bece0412325d3dfefe3bd12528ba.tar.xz | |
Bug 694897: Fix valgrind issues with versions
If the /Version is a single character string (say "s") then the
current code for converting this in pdf_init_document reads off
the end of the string.
Simple fix is to use fz_atof instead.
Same fix for reading the PDF version normally.
This solves:
53b830f849d028fb2d528520716e157a_asan_heap-oob_478692_5259_4534.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
Diffstat (limited to 'source')
| -rw-r--r-- | source/pdf/pdf-xref.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 7391f115..735f2e2e 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -292,7 +292,7 @@ pdf_load_version(pdf_document *doc) if (memcmp(buf, "%PDF-", 5) != 0) fz_throw(doc->ctx, FZ_ERROR_GENERIC, "cannot recognize version marker"); - doc->version = atoi(buf + 5) * 10 + atoi(buf + 7); + doc->version = 10 * (fz_atof(buf+5) + 0.05); } static void @@ -1177,8 +1177,7 @@ pdf_init_document(pdf_document *doc) version_str = pdf_to_name(obj); if (*version_str) { - /* TODO: use fz_atof for parsing instead? */ - int version = atoi(version_str) * 10 + atoi(version_str + 2); + int version = 10 * (fz_atof(version_str) + 0.05); if (version > doc->version) doc->version = version; } |