From 9a5e51065469776682a6189efdb3668d42312f7c Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Sun, 18 Jun 2017 23:27:56 +0800
Subject: Throw on overly long PDF names. The architectural limit is 127 bytes according to the PDF specification.
---
 source/pdf/pdf-lex.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source/pdf/pdf-lex.c b/source/pdf/pdf-lex.c
index 751f6a61..34b08133 100644
--- a/source/pdf/pdf-lex.c
+++ b/source/pdf/pdf-lex.c
@@ -204,15 +204,17 @@ static void
 lex_name(fz_context *ctx, fz_stream *f, pdf_lexbuf *lb)
 {
 char *s = lb->scratch;
- char *e = s + lb->size;
+ char *e = s + fz_mini(127, lb->size);
 int c;
 while (1)
 {
 if (s == e)
 {
+ if (e - lb->scratch >= 127)
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "name too long");
 s += pdf_lexbuf_grow(ctx, lb);
- e = lb->scratch + lb->size;
+ e = lb->scratch + fz_mini(127, lb->size);
 }
 c = fz_read_byte(ctx, f);
 switch (c)
-- 
cgit v1.2.3
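Review bot: The new check at the top of the loop appears to reject a name of exactly 127 bytes, which the commit message gives as the permitted limit. `if (s == e)` runs before the next byte is read, so once 127 bytes are stored the throw fires even when the following byte would end the name. This assumes the switch, whose body lies outside the hunk, stores at most one byte per iteration. Capping the window one byte higher would admit the boundary case while still bounding the scratch write, e.g. `char *e = s + fz_mini(MAX_NAME_LEN + 1, lb->size);` with `if (e - lb->scratch > MAX_NAME_LEN)` and the same cap on the recomputed `e` after the grow. `MAX_NAME_LEN` is only a suggested name for the literal 127, which now appears three times.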