From 7a439812b2226c1e3b203ec603f05b39d159f91e Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 28 Dec 2016 13:20:16 +0100
Subject: Fix potential buffer overrun when decoding UTF-16 in XML parser.

---
 include/mupdf/fitz/string.h | 5 +++++
 source/fitz/xml.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/include/mupdf/fitz/string.h b/include/mupdf/fitz/string.h
index 358701d1..c9c20c3d 100644
--- a/include/mupdf/fitz/string.h
+++ b/include/mupdf/fitz/string.h
@@ -79,6 +79,11 @@ void fz_format_output_path(fz_context *ctx, char *path, size_t size, const char
 */
 char *fz_cleanname(char *name);
 
+/*
+	FZ_UTFMAX: Maximum number of bytes in a decoded rune (maximum length returned by fz_chartorune).
+*/
+enum { FZ_UTFMAX = 4 };
+
 /*
 	fz_chartorune: UTF8 decode a single rune from a sequence of chars.
 
diff --git a/source/fitz/xml.c b/source/fitz/xml.c
index 47b9461b..d063ee33 100644
--- a/source/fitz/xml.c
+++ b/source/fitz/xml.c
@@ -593,7 +593,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
 	if (s[0] == 0xFE && s[1] == 0xFF)
 	{
 		s += 2;
-		dst = d = fz_malloc(doc, n * 2);
+		dst = d = fz_malloc(doc, n * FZ_UTFMAX);
 		while (s + 1 < e) {
 			c = s[0] << 8 | s[1];
 			d += fz_runetochar(d, c);
@@ -606,7 +606,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *d
 	if (s[0] == 0xFF && s[1] == 0xFE)
 	{
 		s += 2;
-		dst = d = fz_malloc(doc, n * 2);
+		dst = d = fz_malloc(doc, n * FZ_UTFMAX);
 		while (s + 1 < e) {
 			c = s[0] | s[1] << 8;
 			d += fz_runetochar(d, c);
-- 
cgit v1.2.3
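Review bot: The new comment on FZ_UTFMAX describes it only as the maximum length returned by fz_chartorune, but the xml.c hunk in this same commit relies on it as the maximum number of bytes fz_runetochar writes, which is the property that makes the allocation bound safe; someone later lowering or reusing the constant with only the decoder in mind could reintroduce the overrun. I would word it to cover both directions, e.g. `FZ_UTFMAX: Maximum number of bytes in one UTF-8 encoded rune: the most fz_chartorune will consume and the most fz_runetochar will write.` Whether fz_runetochar's implementation really caps its output at 4 bytes is not visible in this hunk and should be confirmed against its definition before the constant is relied on as a bound.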
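Review bot: `n * FZ_UTFMAX` on the two new allocation lines is an unchecked size_t product, so an input longer than SIZE_MAX/4 would wrap to a small allocation and the unbounded `d += fz_runetochar(d, c)` loop would then write past it — the same class of bug the commit is fixing; this is only reachable on 32-bit builds with a gigabyte-scale document, so it is mostly a hygiene point, but a guard such as `if (n > SIZE_MAX / FZ_UTFMAX)` followed by the file's usual fz_throw, or the library's counted allocator if (as I recall) it rejects count*size overflow, would close it. Separately, both branches build `c` from one 16-bit unit and never join surrogate pairs, so supplementary characters come out as two separately encoded surrogates rather than one 4-byte sequence; the 4×n bound still covers that case, but the result is not well-formed UTF-8 and deserves at least a `/* NOTE: surrogate pairs are not combined */` comment if it is intentional. The remainder of convert_to_utf8, including the NUL terminator written after the loop and the UTF-8 path, lies outside the hunk.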