From f26bf94c5078d4ed498c283687cf19a24d71580c Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Thu, 9 Jan 2014 20:01:36 +0000
Subject: Bug 694885: Avoid stack overflow in ps_run.

The ifelse and if operators require special parsing where we convert ps function streams to bytecode. If a malformed stream presents if or ifelse without being preceded by the appropriate { ...} blocks then throw an error. This avoids us potentially calling ps_run recursively in an infinite loop as happens with the test file in this bug.

5f091df77f6600d0927dc36777db2b93_signal_sigabrt_7ffff6d59425_6762_5545.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
---
 source/pdf/pdf-function.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source/pdf')

diff --git a/source/pdf/pdf-function.c b/source/pdf/pdf-function.c
index b18ccf17..1972a10d 100644
--- a/source/pdf/pdf-function.c
+++ b/source/pdf/pdf-function.c
@@ -817,6 +817,10 @@ parse_code(pdf_function *func, fz_stream *stream, int *codeptr, pdf_lexbuf *buf)
 }
 if (cmp != 0)
 fz_throw(ctx, FZ_ERROR_GENERIC, "unknown operator: '%s'", buf->scratch);
+ if (a == PS_OP_IFELSE)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "illegally positioned ifelse operator in function");
+ if (a == PS_OP_IF)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "illegally positioned if operator in function");
 resize_code(ctx, func, *codeptr);
 func->u.p.code[*codeptr].type = PS_OPERATOR;
-- 
cgit v1.2.3
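Review bot: The two added checks carry no comment saying why a bare `if`/`ifelse` is illegal at this point, and the reason is not visible in the hunk; a reader has to already know that those operators are meant to be consumed by the `{ … }` block-parsing path elsewhere in parse_code. Add above the first check something like `/* if/ifelse are emitted only by the '{' block path; reaching them here means their operand blocks were missing, and encoding a bare PS_OP_IF would let ps_run recurse without bound (bug 694885) */`. The lookup that sets `a` and `cmp`, and the block-parsing branch, are outside the hunk, so I am assuming `a` is the matched operator index whenever `cmp == 0`; if that is not guaranteed, the checks should be tied to the match result rather than to `a` alone. parse_code begins before and ends after this hunk.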