From 3a5813b32f917c7668d663fd5cb7538251a23301 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor@ghostscript.com>
Date: Fri, 12 Nov 2010 12:58:22 +0000
Subject: Detect flate/runlength decompression bombs.

---
 fitz/stm_read.c    | 3 +++
 mupdf/pdf_stream.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/fitz/stm_read.c b/fitz/stm_read.c
index 28a92f22..94b6d709 100644
--- a/fitz/stm_read.c
+++ b/fitz/stm_read.c
@@ -70,6 +70,9 @@ fz_readall(fz_buffer **bufp, fz_stream *stm, int initial)
 		if (buf->len == buf->cap)
 			fz_growbuffer(buf);
 
+		if (buf->len > initial * 100)
+			return fz_throw("compression bomb detected");
+
 		n = fz_read(stm, buf->data + buf->len, buf->cap - buf->len);
 		if (n < 0)
 		{
diff --git a/mupdf/pdf_stream.c b/mupdf/pdf_stream.c
index ff53f753..cae95a89 100644
--- a/mupdf/pdf_stream.c
+++ b/mupdf/pdf_stream.c
@@ -350,6 +350,8 @@ pdf_guessfilterlength(int len, char *filter)
 		return len * 4 / 5;
 	if (!strcmp(filter, "FlateDecode"))
 		return len * 3;
+	if (!strcmp(filter, "RunLengthDecode"))
+		return len * 3;
 	if (!strcmp(filter, "LZWDecode"))
 		return len * 2;
 	return len;
-- 
cgit v1.2.3