From e5b92e02f0ffa72473d4324dbfc0aae50a064eb1 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 14 Dec 2012 14:39:10 +0000
Subject: Bug 693503: Fix out of bounds memory access.

We failed to detect a PDF sample function with a size of 0 as being illegal. This lead us to continue through the code, and then access out of bounds.

Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 pdf/pdf_function.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdf/pdf_function.c b/pdf/pdf_function.c
index c9bbc5b5..781f1361 100644
--- a/pdf/pdf_function.c
+++ b/pdf/pdf_function.c
@@ -932,9 +932,9 @@ load_sample_func(pdf_function *func, pdf_document *xref, pdf_obj *dict, int num,
 for (i = 0; i < func->m; i++)
 {
 func->u.sa.size[i] = pdf_to_int(pdf_array_get(obj, i));
-if (func->u.sa.size[i] < 0)
+if (func->u.sa.size[i] <= 0)
 {
-fz_warn(ctx, "negative sample function dimension size");
+fz_warn(ctx, "non-positive sample function dimension size");
 func->u.sa.size[i] = 1;
 }
 }
-- 
cgit v1.2.3
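Review bot: The new guard on `size[i]` is one-sided: a non-positive /Size entry is now clamped to 1, but nothing in the hunk bounds the value from above, so an arbitrarily large int from `pdf_to_int` is accepted as a dimension size. If the sample count is later derived as the product of these per-dimension sizes (the remainder of load_sample_func is outside the hunk, so this is inferred), that product can overflow `int` on a crafted file just as silently as the zero case did. Adding the upper limit to the same condition, `if (func->u.sa.size[i] <= 0 || func->u.sa.size[i] > <MAX_DIM_SIZE placeholder>)`, and either clamping or rejecting with the same warning would close both ends; a short comment above the loop saying why the value is repaired rather than the function refused (`/* Degenerate or hostile /Size entries are clamped so the sample-buffer arithmetic below stays in bounds */`) would also help the next reader, since the clamp-to-1 choice is not explained. The warning text could additionally carry the index and offending value so fuzzing reports point at the dimension.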