From bf2aa9521b016d849eb4e88be3281fa84b5ab317 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 10 Jan 2014 14:19:09 +0000
Subject: Solve SEGV in mutool clean with fuzzed file.

While attempting to debug a valgrind issue with: 013b2dcbd0207501e922910ac335eb59_asan_heap-oob_a59696_5952_500.pdf I found that mutool -difggg on it failed with a SEGV. This is due to us parsing an array with a large invalid indirection in it (e.g. [123456789 0 R]) and then the renumbering code assuming this is valid and accessing off the end of an array.
---
 source/pdf/pdf-write.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'source/pdf/pdf-write.c')

diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
index df432c21..36fda444 100644
--- a/source/pdf/pdf-write.c
+++ b/source/pdf/pdf-write.c
@@ -711,6 +711,7 @@ static void compactxref(pdf_document *doc, pdf_write_options *opts)
 static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj)
 {
 	int i;
+	int xref_len = pdf_xref_len(doc);
 
 	if (pdf_is_dict(obj))
 	{
@@ -721,7 +722,11 @@ static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj
 			pdf_obj *val = pdf_dict_get_val(obj, i);
 			if (pdf_is_indirect(val))
 			{
-				val = pdf_new_indirect(doc, opts->renumber_map[pdf_to_num(val)], 0);
+				int o = pdf_to_num(val);
+				if (o >= xref_len)
+					val = pdf_new_null(doc);
+				else
+					val = pdf_new_indirect(doc, opts->renumber_map[o], 0);
 				pdf_dict_put(obj, key, val);
 				pdf_drop_obj(val);
 			}
@@ -740,7 +745,11 @@ static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj
 			pdf_obj *val = pdf_array_get(obj, i);
 			if (pdf_is_indirect(val))
 			{
-				val = pdf_new_indirect(doc, opts->renumber_map[pdf_to_num(val)], 0);
+				int o = pdf_to_num(val);
+				if (o >= xref_len)
+					val = pdf_new_null(doc);
+				else
+					val = pdf_new_indirect(doc, opts->renumber_map[o], 0);
 				pdf_array_put(obj, i, val);
 				pdf_drop_obj(val);
 			}
-- 
cgit v1.2.3
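Review bot: The new guard in the dict branch (second hunk, and identically in the array branch, third hunk) only bounds the object number from above; `pdf_to_num` returns a plain `int`, so if the lexer lets a corrupt file produce a negative reference number the index into `opts->renumber_map[o]` is still out of bounds on the low side. Rejecting the whole invalid range is a one-line change: `if (o < 0 || o >= xref_len)`. This also presumes `renumber_map` has at least `pdf_xref_len(doc)` entries, which is not visible in the hunk — worth confirming at the allocation site. Since the fallback silently rewrites a dangling reference to `null`, a comment on the `if` such as `/* Reference outside the xref (corrupt input): drop it instead of indexing renumber_map out of bounds. */` would explain the behaviour to the next reader; `renumberobj`'s body continues past the end of each hunk.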
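Review bot: The five-line lookup-with-bounds-check is now duplicated verbatim in the dict branch (second hunk) and the array branch (third hunk), so any future tightening of the check has to be made twice; the mapping belongs in one static helper that both branches call. The helper also gives the range check a single home, so a lower-bound test can live there rather than being repeated. `renumberobj` starts in the first hunk and its body continues beyond the third.
```c
/* Map one indirect reference through opts->renumber_map, yielding a null
 * object for an object number the xref does not cover (corrupt input). */
static pdf_obj *renumber_ref(pdf_document *doc, pdf_write_options *opts, pdf_obj *ref, int xref_len)
{
	int o = pdf_to_num(ref);
	if (o < 0 || o >= xref_len)
		return pdf_new_null(doc);
	return pdf_new_indirect(doc, opts->renumber_map[o], 0);
}

/* … unchanged: renumberobj up to the dict branch … */
				val = renumber_ref(doc, opts, val, xref_len);
				pdf_dict_put(obj, key, val);
/* … unchanged: rest of dict branch, start of array branch … */
				val = renumber_ref(doc, opts, val, xref_len);
				pdf_array_put(obj, i, val);
```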