From 98cc01d82be792e600e13e88de9712fffa3240d5 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Wed, 2 Jan 2013 14:06:58 +0000
Subject: Bug 693503: Fix overlong (seemingly infinite) loop of warnings.

When reading a CMAP with values out of range, we can go into a very long loop emitting the same pair of warnings. Spot the error case earlier and this give a nicer report.

Problem found in a test file, 3192.pdf.SIGSEGV.b0.2438 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
---
 pdf/pdf_cmap_parse.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'pdf')

diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c
index b482dcb5..cedbf2be 100644
--- a/pdf/pdf_cmap_parse.c
+++ b/pdf/pdf_cmap_parse.c
@@ -232,6 +232,11 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf
 fz_throw(ctx, "expected string");
 hi = pdf_code_from_string(buf->scratch, buf->len);
+ if (lo < 0 || lo > 65535 || hi < 0 || hi > 65535 || lo > hi)
+ {
+ fz_warn(ctx, "bf_range limits out of range in cmap %s", cmap->cmap_name);
+ return;
+ }
 tok = pdf_lex_cmap(file, buf);
--
cgit v1.2.3
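Review bot: The bound `65535` appears twice in the new guard as a bare literal with nothing saying why that is the limit for bf_range codes, so a reader cannot tell whether it reflects a codespace constraint or is simply the cap on the `hi - lo` iteration count that the commit message says was spinning. A named constant, or a comment above the check such as `/* reject bad limits before the mapping loop below; an out-of-range hi-lo would otherwise spin it for a very long time */`, would make the intent durable. The early `return` also leaves the remainder of the bfrange entry (the destination following `hi`) unconsumed, so it relies on the caller's token loop tolerating stray tokens; since that caller is outside this hunk, a one-line comment confirming that assumption would help the next maintainer. The same shape of range check may be worth applying to the sibling range parsers in this file if they loop over `hi - lo` the same way, though that cannot be confirmed from this hunk. pdf_parse_bf_range's body begins and ends outside the hunk.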