From 5ee271fd9c8b51b65d3e62a1eb47971adc090328 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 4 Jan 2013 16:19:02 +0000
Subject: Bug 693503: Fix NULL dereference in atoi.

If a PDF xref subsection is broken in the wrong place, we can get NULL back from fz_strsep, which causes a SEGV when fed to atoi. Add a new fz_atoi that copes with NULL to avoid this.

Problem found in a test file, 3959.pdf.SIGSEGV.ad4.3289 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 fitz/base_string.c | 7 +++++++
 fitz/fitz-internal.h | 3 +++
 pdf/pdf_xref.c | 6 +++---
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/fitz/base_string.c b/fitz/base_string.c
index fbb1cf4d..7385b500 100644
--- a/fitz/base_string.c
+++ b/fitz/base_string.c
@@ -255,3 +255,10 @@ float fz_atof(const char *s)
 d = fz_clampd(d, -FLT_MAX, FLT_MAX);
 return (float)d;
 }
+
+int fz_atoi(const char *s)
+{
+ if (s == NULL)
+ return 0;
+ return atoi(s);
+}
diff --git a/fitz/fitz-internal.h b/fitz/fitz-internal.h
index 58b77c94..e853188d 100644
--- a/fitz/fitz-internal.h
+++ b/fitz/fitz-internal.h
@@ -247,6 +247,9 @@ static inline float my_atan2f(float o, float a)
 /* Range checking atof */
 float fz_atof(const char *s);
 
+/* atoi that copes with NULL */
+int fz_atoi(const char *s);
+
 /*
 * Generic hash-table with fixed-length keys.
 */
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 6b5570f9..0e954c30 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -87,7 +87,7 @@ pdf_read_old_trailer(pdf_document *xref, pdf_lexbuf *buf)
 fz_strsep(&s, " "); /* ignore ofs */
 if (!s)
 fz_throw(xref->ctx, "invalid range marker in xref");
- len = atoi(fz_strsep(&s, " "));
+ len = fz_atoi(fz_strsep(&s, " "));
 /* broken pdfs where the section is not on a separate line */
 if (s && *s != '\0')
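Review bot: fz_atoi still hands the string straight to atoi(), whose result is undefined when the digits do not fit in an int (C11 7.22.1), so the new helper closes the NULL case but not the overflow case that the same malformed xref line can produce. The neighbouring fz_atof, whose tail is visible as context in this hunk, clamps its result to ±FLT_MAX and is declared in the header as "Range checking atof"; an fz_atoi built on strtol and saturated to INT_MIN..INT_MAX would give callers the same guarantee. That version needs <limits.h> in base_string.c if it is not already included, and whether <stdlib.h> is already included for atoi/strtol is likewise not visible in this hunk. The enclosing fz_atof starts outside the hunk.
```c
int fz_atoi(const char *s)
{
	long v;

	if (s == NULL)
		return 0;
	/* atoi() is undefined on overflow; strtol saturates to LONG_MIN/LONG_MAX instead */
	v = strtol(s, NULL, 10);
	if (v > INT_MAX)
		return INT_MAX;
	if (v < INT_MIN)
		return INT_MIN;
	return (int)v;
}
```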
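Review bot: The comment on the new declaration, `/* atoi that copes with NULL */`, does not say what a NULL argument yields, and because the implementation returns 0 in that case a caller cannot distinguish a missing field from a literal "0". Suggest `/* atoi that returns 0 when s is NULL (e.g. a missing field from fz_strsep); no range checking */` so the contract is visible at the call sites in pdf_xref.c without reading base_string.c.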
@@ -210,8 +210,8 @@ pdf_read_old_xref(pdf_document *xref, pdf_lexbuf *buf)
 fz_read_line(xref->file, buf->scratch, buf->size);
 s = buf->scratch;
- ofs = atoi(fz_strsep(&s, " "));
- len = atoi(fz_strsep(&s, " "));
+ ofs = fz_atoi(fz_strsep(&s, " "));
+ len = fz_atoi(fz_strsep(&s, " "));
 /* broken pdfs where the section is not on a separate line */
 if (s && *s != '\0')
-- cgit v1.2.3
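Review bot: With fz_atoi, a subsection line that carries only one field now yields len = 0 silently instead of crashing, whereas the trailer reader in the hunk at -87 throws `invalid range marker in xref` when the field after ofs is missing at the same point. To keep the two readers consistent, a guard `if (!s) fz_throw(xref->ctx, "invalid range marker in xref");` between the ofs and len lines would report the malformed subsection rather than parse it as an empty one. How a zero or negative len is handled by the code that follows is outside the hunk, so this is a consistency suggestion rather than a confirmed fault. The enclosing pdf_read_old_xref starts and ends outside the hunk.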