From 56e922cc6655398689202c23fecb5cfafbe3a905 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 14 Dec 2012 15:26:30 +0000
Subject: Bug 693503: Fix out of bounds memory access (fax decoder)

With illegal fax streams we could access beyond the right hand edge of the allocated line. Fix this by adding some simple checks. Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 fitz/filt_faxd.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'fitz/filt_faxd.c')
diff --git a/fitz/filt_faxd.c b/fitz/filt_faxd.c
index 421f4d5c..d5d636f6 100644
--- a/fitz/filt_faxd.c
+++ b/fitz/filt_faxd.c
@@ -248,7 +248,7 @@ nearend:
 static inline int find_changing_color(const unsigned char *line, int x, int w, int color)
 {
- if (!line)
+ if (!line || x >= w)
 return w;
 x = find_changing(line, (x > 0 || !color) ? x : -1, w);
@@ -271,6 +271,9 @@ static inline void setbits(unsigned char *line, int x0, int x1)
 {
 int a0, a1, b0, b1, a;
+ if (x1 <= x0)
+ return;
+
 a0 = x0 >> 3;
 a1 = x1 >> 3;
--
cgit v1.2.3
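Review bot: The added `x >= w` test in find_changing_color() bounds x only from above, so when `color` is 0 a negative x still reaches find_changing() unchanged through `(x > 0 || !color) ? x : -1`. If -1 (start of line) is the only negative value the decoder can produce, say so next to the guard, for example `/* x is -1 at start of line, otherwise a column; x >= w only happens on a corrupt stream */`. Otherwise extend the test to `if (!line || x >= w || x < -1)`. The function body continues past the hunk, so how callers consume the returned w is not visible here.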
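Review bot: The new early return in setbits() rejects empty and inverted ranges, but neither end is bounded against the row buffer. The function takes no width, so `a1 = x1 >> 3` indexes wherever the caller's x1 points, and a negative x0 with x1 > x0 passes the guard and makes `a0 = x0 >> 3` a negative byte index. Unless every call site already clamps both values to the row width, I would add `if (x0 < 0) x0 = 0;` ahead of the guard and clamp x1 at the callers, which know the width. A precondition comment such as `/* requires 0 <= x0 and x1 <= row width; callers clamp */` would make the contract explicit. The rest of setbits() lies outside the hunk.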