diff options
| author | Sebastian Rasmussen <sebras@gmail.com> | 2018-02-01 16:47:12 +0100 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-02-01 17:21:16 +0100 |
| commit | aa188d02031df0c96e785d4ea0ef0f95599827d1 (patch) | |
| tree | db80f7c0cf2827a8d37b000b2df005f8dfa1d4bc /source | |
| parent | 2b0303c5de4f30417b64285a0f1d3da9e2679673 (diff) | |
| download | mupdf-aa188d02031df0c96e785d4ea0ef0f95599827d1.tar.xz | |
Do not allow out of range object numbers inside object stream.
Diffstat (limited to 'source')
| -rw-r--r-- | source/pdf/pdf-xref.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 5deeaefa..5ff13f55 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -1594,10 +1594,12 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N)); first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First)); - if (count < 0) - fz_throw(ctx, FZ_ERROR_GENERIC, "negative number of objects in object stream"); - if (first < 0) - fz_throw(ctx, FZ_ERROR_GENERIC, "first object in object stream resides outside stream"); + if (count < 0 || count > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_GENERIC, "number of objects in object stream out of range"); + if (first < 0 || first > PDF_MAX_OBJECT_NUMBER + || count < 0 || count > PDF_MAX_OBJECT_NUMBER + || first + count - 1 > PDF_MAX_OBJECT_NUMBER) + fz_throw(ctx, FZ_ERROR_GENERIC, "object stream object numbers are out of range"); numbuf = fz_calloc(ctx, count, sizeof(*numbuf)); ofsbuf = fz_calloc(ctx, count, sizeof(*ofsbuf)); |