From cc5e1c6444523ae4d7dca0feea40a41be1cbb7b2 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Wed, 8 Jan 2014 19:36:13 +0000
Subject: fuzzing fix for null colorspace derefence. Bad annotation appearance streams can cause font_recs to have invalid values in. Avoid this partly by hardening the code against duff values, and partly by setting sane defaults before the parsing. This can be seen in: 33bfbe117bfef7fafc3f927acf50a2e7_signal_sigsegv_81dd96_6257_5205.pdf Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
--- source/pdf/pdf-appearance.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'source')
diff --git a/source/pdf/pdf-appearance.c b/source/pdf/pdf-appearance.c
index c5c16ba6..e57a3202 100644
--- a/source/pdf/pdf-appearance.c
+++ b/source/pdf/pdf-appearance.c
@@ -1811,6 +1811,10 @@ void pdf_update_free_text_annot_appearance(pdf_document *doc, pdf_annot *annot)
 memset(&font_rec, 0, sizeof(font_rec));
+ /* Set some sane defaults in case the parsing of the font_rec fails */
+ font_rec.da_rec.col_size = 1; /* Default to greyscale */
+ font_rec.da_rec.font_size = 12; /* Default to 12 point */
+
 fz_var(dlist);
 fz_var(dev);
 fz_var(text);
@@ -1826,7 +1830,7 @@ void pdf_update_free_text_annot_appearance(pdf_document *doc, pdf_annot *annot)
 switch (font_rec.da_rec.col_size) {
- case 1: cs = fz_device_gray(doc->ctx); break;
+ default: cs = fz_device_gray(doc->ctx); break;
 case 3: cs = fz_device_rgb(doc->ctx); break;
 case 4: cs = fz_device_cmyk(doc->ctx); break;
 }
-- cgit v1.2.3
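Review bot: The two new defaults only help when the DA parser leaves the fields untouched; `font_rec.da_rec.font_size = 12` is presumably overwritten by whatever the parser stores, so a zero, negative or absurdly large size from a malformed appearance stream would still reach the layout code unchecked as far as this hunk shows. A post-parse clamp such as `if (font_rec.da_rec.font_size <= 0) font_rec.da_rec.font_size = 12;` would make the "hardening against duff values" in the commit message hold for font_size too, and the two literals deserve names (e.g. `DEFAULT_DA_COL_SIZE`, `DEFAULT_DA_FONT_SIZE`) so these initialisers and the fallback in the colourspace switch cannot drift apart. The parsing code and the fz_try block that the `fz_var` calls prepare for lie outside the hunk, so this is inferred from the surrounding names.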
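Review bot: Replacing `case 1:` with `default:` makes every unexpected col_size (0, 2, or any garbage the parser produced) silently select DeviceGray, and placing `default:` before `case 3:` and `case 4:` is legal but unusual enough that a reader may miss that it now also covers the documented value 1. Move it after `case 4:` and say what it absorbs, e.g. `default: cs = fz_device_gray(doc->ctx); break; /* 1 (gray) and any out-of-range col_size from a malformed DA string */`, optionally preceded by a `fz_warn(doc->ctx, ...)` so fuzz-found inputs stay diagnosable rather than being quietly normalised. The enclosing function continues outside the hunk.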