From 13df8c72e4cdeb9860a377c6c8c5827440bede39 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Wed, 2 Jan 2013 16:24:38 +0000
Subject: Bug 693503: Fix SEGV during pdf function loading from broken file.

If the Function entry does not point to either a dictionary or an array, we should give up, otherwise we deference a NULL pointer.

Problem found in a test file, 1013.pdf.SIGSEGV.8a7.18 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 pdf/pdf_shade.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'pdf')

diff --git a/pdf/pdf_shade.c b/pdf/pdf_shade.c
index 4089bc02..95726975 100644
--- a/pdf/pdf_shade.c
+++ b/pdf/pdf_shade.c
@@ -405,6 +405,11 @@ pdf_load_shading_dict(pdf_document *xref, pdf_obj *dict, fz_matrix transform)
 fz_throw(ctx, "cannot load shading function (%d %d R)", pdf_to_num(obj), pdf_to_gen(obj));
 }
 }
+else if (type < 4)
+{
+/* Functions are compulsory for types 1,2,3 */
+fz_throw(ctx, "cannot load shading function (%d %d R)", pdf_to_num(obj), pdf_to_gen(obj));
+}
 shade->type = type;
 
 switch (type)
-- 
cgit v1.2.3
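Review bot: The error text on the fz_throw added in the new `else if (type < 4)` branch says the function could not be loaded, but this branch is reached when the Function entry is absent or is neither a dictionary nor an array, so the message misleads whoever triages a rejected file. A distinct message such as `fz_throw(ctx, "shading type %d requires a Function entry (%d %d R)", type, pdf_to_num(obj), pdf_to_gen(obj));` would name the actual failure. If obj here is the resolved value of the Function entry, the num/gen pair presumably prints as 0 0 when the entry is missing — verify, and consider reporting the shading dictionary's reference instead. The added comment could also state the rule it enforces: `/* Function is required for shading types 1-3 and optional for mesh types 4-7 (ISO 32000-1 8.7.4.5) */`. pdf_load_shading_dict starts and ends outside the hunk.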