From c8f982de83a6d98274b9ca85a5767cd3d13c9373 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Wed, 8 Jan 2014 16:47:34 +0100
Subject: sanitize number of columns in fz_open_faxd

If columns is quite close to INT_MAX, the column index max overflow in find_changing which causes an access violation in the next getbits.

This happens e.g. with 0c76a20163f30ea8ec860c4e588ce337_signal_sigsegv_5e7b28_9115_7127.pdf
---
 source/fitz/filter-fax.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'source/fitz')

diff --git a/source/fitz/filter-fax.c b/source/fitz/filter-fax.c
index e0aa781d..7b35c812 100644
--- a/source/fitz/filter-fax.c
+++ b/source/fitz/filter-fax.c
@@ -780,6 +780,9 @@ fz_open_faxd(fz_stream *chain,
 	fz_try(ctx)
 	{
+		if (columns < 0 || columns >= INT_MAX - 7)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
+
 		fax = fz_malloc_struct(ctx, fz_faxd);
 		fax->chain = chain;
-- 
cgit v1.2.3
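Review bot: The margin in the new guard `columns >= INT_MAX - 7` is an unexplained magic number; a comment such as `/* stride rounds columns up to a multiple of 8, so columns + 7 must stay representable -- confirm against the stride/find_changing arithmetic */` would tell the next reader what the 7 protects, since the arithmetic it guards is outside this hunk and the reason is otherwise only recoverable from the commit message. The guard still admits `columns == 0`; if the buffer size computed further down is derived from `columns - 1`, that boundary should either be rejected here as well or documented as intentional. Because the throw now happens before `fax` is allocated, confirm that `fax` is initialised to NULL (and covered by `fz_var`) ahead of `fz_try`, otherwise the catch block's cleanup would operate on an indeterminate pointer. The enclosing fz_open_faxd body starts and ends outside the hunk.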