From e7be17be8685c5b57bf51a778fd188dbd4c74039 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 10 Jan 2014 16:20:27 +0000
Subject: Bug 694889: Fix valgrind issues due to empty indexed spaces.

If indexed spaces are empty (or truncated) we use garbage values when they are read. Spot this and pad with 0s to at least be consistent.

Fixes:
013b2dcbd0207501e922910ac335eb59_asan_heap-oob_a59696_5952_500.pdf
5440f8bc8af12e5f7050e59b7ee008cd_asan_heap-oob_a59dd9_5952_500.pdf
fa8c712b03a7b02d6a12856ce042a44e_signal_sigsegv_a59b06_5847_493.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
---
 source/pdf/pdf-colorspace.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'source')

diff --git a/source/pdf/pdf-colorspace.c b/source/pdf/pdf-colorspace.c
index 5fd569c3..b29826a5 100644
--- a/source/pdf/pdf-colorspace.c
+++ b/source/pdf/pdf-colorspace.c
@@ -213,7 +213,9 @@ load_indexed(pdf_document *doc, pdf_obj *array)
 fz_try(ctx)
 {
 file = pdf_open_stream(doc, pdf_to_num(lookupobj), pdf_to_gen(lookupobj));
- (void)fz_read(file, lookup, n);
+ i = fz_read(file, lookup, n);
+ if (i < n) memset(lookup+i, 0, n-i);
 }
 fz_always(ctx)
 {
-- 
cgit v1.2.3
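Review bot: The short-read path added after `i = fz_read(file, lookup, n);` zero-fills the tail silently, so a truncated or empty lookup stream now decodes to a plausible-looking palette with no trace that the file was malformed; emitting a diagnostic there (`if (i < n) { fz_warn(ctx, "truncated indexed colorspace lookup table (%d of %d bytes)", i, n); memset(lookup+i, 0, n-i); }`, assuming the file's usual fz_warn is in scope) would keep the fix while making the fuzz cases visible in logs. The guard relies on fz_read never returning a negative count: if it can signal an error that way rather than by throwing, `i < n` holds and `lookup+i` / `n-i` become a write before the buffer, so a `i < 0` check would be cheap insurance; the hunk does not show fz_read's contract or the declaration of `i`, which appears to be a reused loop index rather than a dedicated byte-count variable. The enclosing load_indexed body begins and ends outside this hunk.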