From 9c910781c2dd9b7b49fedefc9f140d0c3b1a3896 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Thu, 28 Nov 2013 00:37:10 +0000
Subject: Bug 694127: Valgrind fix for pdf_decode_cmap

A poorly formed string can cause us to overrun the end of the buffer. Now we check the end of the string at each stage to avoid this.
---
 source/pdf/pdf-cmap.c | 8 ++++++--
 source/pdf/pdf-interpret.c | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
(limited to 'source')
diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c
index c006c6bb..a1f0b0b0 100644
--- a/source/pdf/pdf-cmap.c
+++ b/source/pdf/pdf-cmap.c
@@ -492,12 +492,16 @@ pdf_lookup_cmap_full(pdf_cmap *cmap, int cpt, int *out)
 * multi-byte encoded string.
 */
 int
-pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, int *cpt)
+pdf_decode_cmap(pdf_cmap *cmap, unsigned char *buf, unsigned char *end, int *cpt)
 {
 int k, n, c;
+ int len = end - buf;
+
+ if (len > 4)
+ len = 4;
 c = 0;
- for (n = 0; n < 4; n++)
+ for (n = 0; n < len; n++)
 {
 c = (c << 8) | buf[n];
 for (k = 0; k < cmap->codespace_len; k++)
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c
index bfdf77ab..71dcbd4e 100644
--- a/source/pdf/pdf-interpret.c
+++ b/source/pdf/pdf-interpret.c
@@ -946,7 +946,7 @@ pdf_show_string(pdf_csi *csi, unsigned char *buf, int len)
 while (buf < end)
 {
- int w = pdf_decode_cmap(fontdesc->encoding, buf, &cpt);
+ int w = pdf_decode_cmap(fontdesc->encoding, buf, end, &cpt);
 buf += w;
 cid = pdf_lookup_cmap(fontdesc->encoding, cpt);
-- cgit v1.2.3
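Review bot: In the pdf-cmap.c hunk, `int len = end - buf;` narrows a pointer difference to `int` before it is clamped, and nothing states what a caller must guarantee about the new `end` parameter. Clamping before the conversion avoids the narrowing: `int len = (end - buf > 4) ? 4 : (int)(end - buf);`. The comment above pdf_decode_cmap should also say that `end` points one past the last readable byte of the string and that `buf < end` is required. When `len` is 0 or negative the loop is skipped, and the return value and `*cpt` are then set by code after the loop, which lies outside this hunk. The one call site shown, in pdf_show_string, meets that requirement through its `while (buf < end)` guard; other callers and the header prototype are not visible in this view, which is limited to 'source'.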