From 835488aa0fb45f7c752f12f7184c76df26e8e5dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Wed, 8 Jan 2014 15:42:12 +0100
Subject: sanitize values in fz_open_predict

This fixes a NULL pointer dereference in 2192b04848b2d8210d1a33e3ddeb2742_asan_heap-oob_a5a57d_2745_2844.pdf

Also, replace MAXC with FZ_MAX_COLORS.
---
 source/fitz/filter-predict.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'source')

diff --git a/source/fitz/filter-predict.c b/source/fitz/filter-predict.c
index 6bc75c8e..e8f885a7 100644
--- a/source/fitz/filter-predict.c
+++ b/source/fitz/filter-predict.c
@@ -2,8 +2,6 @@
 /* TODO: check if this works with 16bpp images */
-enum { MAXC = 32 };
-
 typedef struct fz_predict_s fz_predict;
 struct fz_predict_s
@@ -61,7 +59,7 @@ static inline int paeth(int a, int b, int c)
 static void
 fz_predict_tiff(fz_predict *state, unsigned char *out, unsigned char *in, int len)
 {
-	int left[MAXC];
+	int left[FZ_MAX_COLORS];
 	int i, k;
 	const int mask = (1 << state->bpc)-1;
@@ -217,6 +215,13 @@ fz_open_predict(fz_stream *chain, int predictor, int columns, int colors, int bp
 	fz_try(ctx)
 	{
+		if (bpc != 1 && bpc != 2 && bpc != 4 && bpc != 8 && bpc != 16)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid number of bits per component: %d", bpc);
+		if (colors > FZ_MAX_COLORS)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "too many color components (%d > %d)", colors, FZ_MAX_COLORS);
+		if (columns >= INT_MAX / (bpc * colors))
+			fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
+
 		state = fz_malloc_struct(ctx, fz_predict);
 		state->in = NULL;
 		state->out = NULL;
-- 
cgit v1.2.3
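Review bot: The new `colors > FZ_MAX_COLORS` check in the third hunk still admits `colors == 0`, and the very next condition then evaluates `INT_MAX / (bpc * colors)` with a zero divisor, which is undefined behaviour in C and will typically trap on a crafted input rather than throw the intended error. A negative `colors` is likewise not rejected, and `columns` is only bounded from above, so a zero or negative column count presumably survives into the stride computation further down in fz_open_predict, whose body continues beyond this hunk. I would widen the range check to `if (colors < 1 || colors > FZ_MAX_COLORS)` with a message such as `"invalid number of color components: %d"`, and add `if (columns < 1) fz_throw(ctx, FZ_ERROR_GENERIC, "invalid number of columns: %d", columns);` before the overflow test so the divisor is always positive when it is evaluated. The overflow test also relies on `INT_MAX`, so it is worth confirming that this file includes `<limits.h>` (not visible in the hunk).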