From 5da66a0fca3475720bad085eb6d630e4e9b79e11 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Wed, 29 Jun 2016 12:24:09 +0200
Subject: Fix bug when opening small PDF-files.

The PDF repair code suffered an buffer index overflow while searching the buffer of file data if the file (and hence the buffer) was sufficiently small. This also happened while attempting to open a path pointing to a directory as they are treated as zero byte files.
---
 source/pdf/pdf-repair.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'source')
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
index 6e8405cb..b0c56be0 100644
--- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c
@@ -318,12 +318,15 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
 n = fz_read(ctx, doc->file, (unsigned char *)buf->scratch, fz_mini(buf->size, 1024));
 fz_seek(ctx, doc->file, 0, 0);
- for (j = 0; j < n - 4; j++)
+ if (n >= 4)
 {
- if (memcmp(&buf->scratch[j], "%PDF", 4) == 0)
+ for (j = 0; j < n - 4; j++)
 {
- fz_seek(ctx, doc->file, j + 8, 0); /* skip "%PDF-X.Y" */
- break;
+ if (memcmp(&buf->scratch[j], "%PDF", 4) == 0)
+ {
+ fz_seek(ctx, doc->file, j + 8, 0); /* skip "%PDF-X.Y" */
+ break;
+ }
 }
 }
--
cgit v1.2.3
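Review bot: The guarded loop still bounds `j` with `n - 4`, so the subtraction that `if (n >= 4)` protects stays in the code, and the last candidate offset `j == n - 4` is never compared (a read of exactly four bytes runs zero iterations). Writing the bound as `for (j = 0; j + 4 <= n; j++)` keeps every `memcmp` within the `n` bytes read and removes the subtraction, which presumably wraps when `n` is unsigned and below 4; the declarations of `n` and `j` are outside the hunk, so their types are assumed here. If the separate guard is kept, a comment such as `/* n < 4 for tiny files and directories: never evaluate n - 4 */` would stop a later cleanup from removing it. The body of pdf_repair_xref starts and ends outside the hunk.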