From 207c58162fe0bece0412325d3dfefe3bd12528ba Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 17 Jan 2014 13:12:07 +0000
Subject: Bug 694897: Fix valgrind issues with versions

If the /Version is a single character string (say "s") then the current code for converting this in pdf_init_document reads off the end of the string. Simple fix is to use fz_atof instead.

Same fix for reading the PDF version normally.

This solves:

53b830f849d028fb2d528520716e157a_asan_heap-oob_478692_5259_4534.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
---
 source/pdf/pdf-xref.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'source')

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 7391f115..735f2e2e 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -292,7 +292,7 @@ pdf_load_version(pdf_document *doc)
 if (memcmp(buf, "%PDF-", 5) != 0)
 fz_throw(doc->ctx, FZ_ERROR_GENERIC, "cannot recognize version marker");
- doc->version = atoi(buf + 5) * 10 + atoi(buf + 7);
+ doc->version = 10 * (fz_atof(buf+5) + 0.05);
 }
 static void
@@ -1177,8 +1177,7 @@ pdf_init_document(pdf_document *doc)
 version_str = pdf_to_name(obj);
 if (*version_str)
 {
- /* TODO: use fz_atof for parsing instead? */
- int version = atoi(version_str) * 10 + atoi(version_str + 2);
+ int version = 10 * (fz_atof(version_str) + 0.05);
 if (version > doc->version)
 doc->version = version;
 }
-- 
cgit v1.2.3
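Review bot: The new assignment `doc->version = 10 * (fz_atof(buf+5) + 0.05);` converts a floating-point value to int with no range check, so if fz_atof can hand back a value outside int range for a malformed header (an exponent or an absurdly large number) the conversion is undefined behaviour rather than a rejected version; the `int version = 10 * (fz_atof(version_str) + 0.05);` line in the pdf_init_document hunk has the same shape. Clamping before the conversion keeps the fix robust against exactly the malformed input this commit is hardening against, e.g. `float v = fz_atof(buf + 5);` then `if (v < 0 || v > 99) v = 0;` then `doc->version = (int)(10 * v + 0.5);`, with the upper bound chosen to suit the project. The +0.05 is a rounding adjustment that is easy to misread as a typo and deserves a comment such as `/* +0.05 rounds e.g. 1.7 to 17 despite float imprecision */`. Both pdf_load_version and pdf_init_document extend outside their hunks, so whether buf is guaranteed NUL-terminated before fz_atof scans it cannot be confirmed from here.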