From fb20d5b74fcd9aac44b90a475ddb3b4c2f55ae9e Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Wed, 8 Jan 2014 13:51:05 +0000 Subject: Fuzzing fix: Overrun in fz_predict_png If a file specifies a silly number of bpp in the PNG predictor it can overrun a buffer. This was shown by: tests_private/fuzzing/mupdf2/013b2dcbd0207501e922910ac335eb59_*.pdf but no longer shows up due to Simon's earlier fix. Following discussion we still think it's worth having this fix in, as truncated data streams can cause len < bpp. Possibly we should throw an error here, but I think that's not necessary as we will return the short length, and the image reading code will notice that the image is truncated already. Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files. --- source/fitz/filter-predict.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source/fitz/filter-predict.c b/source/fitz/filter-predict.c index e8f885a7..66101753 100644 --- a/source/fitz/filter-predict.c +++ b/source/fitz/filter-predict.c @@ -87,6 +87,9 @@ fz_predict_png(fz_predict *state, unsigned char *out, unsigned char *in, int len int i; unsigned char *ref = state->ref; + if (bpp > len) + bpp = len; + switch (predictor) { case 0: -- cgit v1.2.3
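Review bot: The added clamp `if (bpp > len) bpp = len;` carries no comment, so a later reader of fz_predict_png will not know why bpp can ever exceed len (per the commit message: a truncated data stream, or a file declaring an absurd bpp) and may be tempted to remove it; add a one-line comment above the check stating that invariant, since the memory safety of the predictor cases after `switch (predictor)` depends on bpp never exceeding the row length. Two things worth confirming before merging, as the hunk does not show them: first, that nothing after the clamp uses the original bpp for the reference row `state->ref` (ref was set up with the unclamped value, so mixing the two widths would be a silent logic bug rather than an overrun); second, what happens when len is 0, since bpp then becomes 0 and any predictor loop that starts at i = bpp or divides by bpp should be checked for that case. The silent clamp is consistent with the message's reasoning that the short returned length lets the image reader detect truncation, but that reliance on the caller is exactly what the comment should record.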