From a6b0a8273f2eb15fd5924501b6ad03e30f2c8d0a Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Thu, 29 Nov 2012 16:46:09 +0000
Subject: Bug 693290: Various fixes found from fuzzing.

Thanks to zeniko for finding various problems and submitting a patch that fixes them. This commit covers the simpler issues from his patch; other commits will follow shortly.

* Out of range LZW codes.
* Buffer overflows and error handling in image_jpeg.c
* Buffer overflows in tiff handling
* buffer overflows in cmap parsing.
* Potential double free in font handling.
* Buffer overflow in pdf_form.c
* use of uninitialised value in error case in pdf_image.c
* NULL pointer dereference in xps_outline.c
---
 pdf/pdf_cmap_parse.c | 9 ++++++---
 pdf/pdf_font.c | 1 +
 pdf/pdf_form.c | 3 ++-
 pdf/pdf_image.c | 3 ++-
 pdf/pdf_stream.c | 1 +
 5 files changed, 12 insertions(+), 5 deletions(-)
 (limited to 'pdf')

diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c
index 7f2587ec..b482dcb5 100644
--- a/pdf/pdf_cmap_parse.c
+++ b/pdf/pdf_cmap_parse.c
@@ -198,7 +198,8 @@ pdf_parse_bf_range_array(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_l
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, lo, dst, buf->len / 2);
@@ -248,7 +249,8 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dststr));
+ for (i = 0; i < len; i++)
dststr[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
while (lo <= hi)
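Review bot: The call `pdf_map_one_to_many(ctx, cmap, lo, dst, buf->len / 2);` at the end of the @@ -198 hunk still passes the unclamped count, so when buf->len / 2 exceeds nelem(dst) the callee is told there are more codes than the loop wrote into dst and will read past the array unless it clamps internally, which is not visible here. Passing the clamped count, `pdf_map_one_to_many(ctx, cmap, lo, dst, len);`, matches what the pdf_parse_bf_char hunk does by passing i. The @@ -248 hunk in pdf_parse_bf_range clamps its fill loop the same way, and whatever count the `while (lo <= hi)` loop below it passes on (outside the hunk) needs the same check. Both pdf_parse_bf_range_array and pdf_parse_bf_range continue outside their hunks.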
@@ -300,7 +302,8 @@ pdf_parse_bf_char(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf *
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, src, dst, i);
}
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 6879d12b..34199e06 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -455,6 +455,7 @@ pdf_load_simple_font(pdf_document *xref, pdf_obj *dict)
{
fz_warn(ctx, "workaround for S22PDF lying about chinese font encodings");
pdf_drop_font(ctx, fontdesc);
+ fontdesc = NULL;
fontdesc = pdf_new_font_desc(ctx);
pdf_load_font_descriptor(fontdesc, xref, descriptor, "Adobe-GB1", cp936fonts[i+1]);
fontdesc->encoding = pdf_load_system_cmap(ctx, "GBK-EUC-H");
diff --git a/pdf/pdf_form.c b/pdf/pdf_form.c
index d532fcd3..ec2190f6 100644
--- a/pdf/pdf_form.c
+++ b/pdf/pdf_form.c
@@ -2519,7 +2519,8 @@ void pdf_field_set_text_color(pdf_document *doc, pdf_obj *field, pdf_obj *col)
parse_da(ctx, da, &di);
di.col_size = pdf_array_len(col);
- for (i = 0; i < di.col_size; i++)
+ len = fz_mini(di.col_size, nelem(di.col));
+ for (i = 0; i < len; i++)
di.col[i] = pdf_to_real(pdf_array_get(col, i));
fzbuf = fz_new_buffer(ctx, 0);
diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c
index ead7db49..d71d974a 100644
--- a/pdf/pdf_image.c
+++ b/pdf/pdf_image.c
@@ -108,10 +108,11 @@ decomp_image_from_stream(fz_context *ctx, fz_stream *stm, pdf_image *image, int
int f = 1<base.w + f-1) >> native_l2factor;
int h = (image->base.h + f-1) >> native_l2factor;
- pdf_image_key *key;
+ pdf_image_key *key = NULL;
fz_var(tile);
fz_var(samples);
+ fz_var(key);
fz_try(ctx)
{
diff --git a/pdf/pdf_stream.c b/pdf/pdf_stream.c
index 41e438ac..1efe116c 100644
--- a/pdf/pdf_stream.c
+++ b/pdf/pdf_stream.c
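Review bot: `pdf_map_one_to_many(ctx, cmap, src, dst, i);` in the @@ -300 hunk passes the clamped count only through the side effect of the loop leaving i equal to len; `pdf_map_one_to_many(ctx, cmap, src, dst, len);` states that directly and no longer depends on i staying untouched between the loop and the call. When buf->len / 2 exceeds nelem(dst) the surplus codes are now silently dropped, so a `fz_warn(ctx, ...)` on that branch would make a truncated bfchar entry visible in the logs instead of looking like a clean parse. pdf_parse_bf_char continues outside the hunk.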
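Review bot: `fontdesc = NULL;` in the pdf_font.c hunk is overwritten on the very next line by `fontdesc = pdf_new_font_desc(ctx);`, so a reader will take it for dead code; it only matters if pdf_new_font_desc can throw and an enclosing catch then drops fontdesc again (the "potential double free" of the commit message), neither of which is visible in the hunk. A one-line comment would preserve that reasoning, e.g. `/* clear before re-creating: if pdf_new_font_desc throws, the catch path must not drop the old descriptor a second time */`. pdf_load_simple_font begins and ends outside the hunk.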
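Review bot: In the pdf_form.c hunk `di.col_size = pdf_array_len(col);` keeps the unclamped array length while only the first nelem(di.col) entries are filled, so any later reader of di.col_size (outside the hunk) can still index past di.col; unless something downstream needs the original length, clamp the field itself: `di.col_size = fz_mini(pdf_array_len(col), nelem(di.col));` followed by `for (i = 0; i < di.col_size; i++)`, which also removes the need for len. The hunk does not declare len, so it is presumably declared earlier in pdf_field_set_text_color, which begins outside the hunk.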
@@ -486,6 +486,7 @@ pdf_load_compressed_stream(pdf_document *xref, int num, int gen)
fz_catch(ctx)
{
fz_free(ctx, bc);
+ fz_rethrow(ctx);
}
return bc;
}
--
cgit v1.2.3
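Review bot: `fz_free(ctx, bc);` releases only the struct itself, so if the fz_try body (outside the hunk) stores any allocation into bc before the throw, that allocation is leaked on the new rethrow path; worth confirming whether the type of bc has its own drop function that should be used here instead. The added `fz_rethrow(ctx);` is otherwise the right fix, since without it the function fell through to `return bc;` and handed the caller a freed pointer. pdf_load_compressed_stream begins outside the hunk.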