diff options
| author | Simon Bünzli <zeniko@gmail.com> | 2014-02-13 22:27:03 +0100 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-02-25 12:15:17 +0000 |
| commit | a985147b714a928646f1b5350bc1d7ae0866c615 (patch) | |
| tree | ff59749db9b874a500747b6dba81095ea963f77c /source | |
| parent | b9f7b021f320c8f6b4879ddc20acf11976bd5add (diff) | |
| download | mupdf-a985147b714a928646f1b5350bc1d7ae0866c615.tar.xz | |
Bug 695040: prevent integer overflow in pdf_xref_size_from_old_trailer
Diffstat (limited to 'source')
| -rw-r--r-- | source/pdf/pdf-xref.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 9a3cfd37..1cf89de9 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -382,6 +382,8 @@ pdf_xref_size_from_old_trailer(pdf_document *doc, pdf_lexbuf *buf) t = fz_tell(doc->file); if (t < 0) fz_throw(doc->ctx, FZ_ERROR_GENERIC, "cannot tell in file"); + if (len > (INT_MAX - t) / 20) + fz_throw(doc->ctx, FZ_ERROR_GENERIC, "xref has too many entries"); fz_seek(doc->file, t + 20 * len, SEEK_SET); } |