From 7a439812b2226c1e3b203ec603f05b39d159f91e Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 28 Dec 2016 13:20:16 +0100
Subject: Fix potential buffer overrun when decoding UTF-16 in XML parser.
---
 source/fitz/xml.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source')
diff --git a/source/fitz/xml.c b/source/fitz/xml.c
index 47b9461b..d063ee33 100644
--- a/source/fitz/xml.c
+++ b/source/fitz/xml.c
@@ -593,7 +593,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *dofree)
 if (s[0] == 0xFE && s[1] == 0xFF) {
 s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
 while (s + 1 < e) {
 c = s[0] << 8 | s[1];
 d += fz_runetochar(d, c);
@@ -606,7 +606,7 @@ static char *convert_to_utf8(fz_context *doc, unsigned char *s, size_t n, int *dofree)
 if (s[0] == 0xFF && s[1] == 0xFE) {
 s += 2;
- dst = d = fz_malloc(doc, n * 2);
+ dst = d = fz_malloc(doc, n * FZ_UTFMAX);
 while (s + 1 < e) {
 c = s[0] | s[1] << 8;
 d += fz_runetochar(d, c);
--
cgit v1.2.3
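Review bot: The new size `n * FZ_UTFMAX` in both `fz_malloc` calls (the 0xFE 0xFF branch in the first hunk and the 0xFF 0xFE branch in the second) is an unchecked `size_t` multiplication, so if `n` can approach `SIZE_MAX / FZ_UTFMAX` the product wraps and the `fz_runetochar` loop writes past a buffer that is too small. Whether `n` is bounded by the caller or by `fz_malloc` is not visible here; if it is not, allocate through an overflow-checking path, e.g. `dst = d = fz_malloc_array(doc, n, FZ_UTFMAX);` (assuming that helper's count/size form is available in this tree), or reject `n > SIZE_MAX / FZ_UTFMAX` before the call. A short comment on each allocation would also record the bound being relied on, such as `/* each 2-byte unit becomes at most FZ_UTFMAX bytes */`. The body of `convert_to_utf8` starts and ends outside both hunks, so the terminator write and the `n >= 2` precondition for reading `s[0]`/`s[1]` could not be checked.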