From 1f279100b292519fa095c576e49ba3e3bb4efbe8 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 22 Aug 2018 11:59:29 +0200
Subject: Truncate name tokens that are too long.
---
 source/pdf/pdf-lex.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
(limited to 'source')
diff --git a/source/pdf/pdf-lex.c b/source/pdf/pdf-lex.c
index e6a925ff..4a5f3f26 100644
--- a/source/pdf/pdf-lex.c
+++ b/source/pdf/pdf-lex.c
@@ -244,10 +244,19 @@ lex_name(fz_context *ctx, fz_stream *f, pdf_lexbuf *lb)
 {
 if (s == e)
 {
- if (e - lb->scratch >= 127)
- fz_throw(ctx, FZ_ERROR_SYNTAX, "name too long");
- s += pdf_lexbuf_grow(ctx, lb);
- e = lb->scratch + fz_mini(127, lb->size);
+ if (e - lb->scratch < 127)
+ {
+ s += pdf_lexbuf_grow(ctx, lb);
+ e = lb->scratch + fz_mini(127, lb->size);
+ }
+ else
+ {
+ /* truncate names that are too long */
+ fz_warn(ctx, "name is too long");
+ *s = 0;
+ lb->len = s - lb->scratch;
+ s = NULL;
+ }
 }
 c = lex_byte(ctx, f);
 switch (c)
@@ -283,22 +292,25 @@ lex_name(fz_context *ctx, fz_stream *f, pdf_lexbuf *lb)
 goto illegal;
 }
 }
- *s++ = (hex[0] << 4) + hex[1];
+ if (s) *s++ = (hex[0] << 4) + hex[1];
 break;
 illegal:
 if (i == 1)
 fz_unread_byte(ctx, f);
- *s++ = '#';
+ if (s) *s++ = '#';
 continue;
 }
 default:
- *s++ = c;
+ if (s) *s++ = c;
 break;
 }
 }
 end:
- *s = '\0';
- lb->len = s - lb->scratch;
+ if (s)
+ {
+ *s = '\0';
+ lb->len = s - lb->scratch;
+ }
 }
 
 static int
--
cgit v1.2.3
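Review bot: The `else` branch turns an over-long name from a syntax error into a silently shortened token, so two distinct names that agree in their first 127 bytes now lex to the same string and the caller sees only a `fz_warn`. Whether that aliasing matters depends on how callers use the name (for example as a dictionary key), which is not visible in this hunk, so it is worth stating where it happens: `/* truncate names that are too long; names sharing their first 127 bytes become indistinguishable */`. The terminator write `*s = 0;` runs with `s == e`, i.e. at `lb->scratch[127]`, which is in bounds only if `lb->size` is at least 128; the `fz_mini(127, lb->size)` bound alone does not guarantee that, so a short comment or assertion of the assumption would help. Writing it as `*s = '\0';` would also match the `end:` path. lex_name starts and ends outside this hunk.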
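Review bot: The three `if (s)` guards and the guarded block at `end:` all rely on the convention, introduced in the first hunk of this commit, that `s` is NULL once the name has been truncated, and nothing next to these writes says so. A comment at the first guard such as `/* s is NULL after truncation: keep consuming the token but store nothing */` would make the invariant visible to whoever adds the next store through `s`. The part of the loop between the two hunks is not shown, so it is worth confirming that no other write through `s` exists there, since it would dereference NULL for any name longer than 127 bytes. lex_name begins outside this hunk.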