diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2022-03-08 10:38:47 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-03-08 17:47:07 +0000 |
commit | 3817df3154b8dd0067e124221bf38494dd12c0af (patch) | |
tree | ba8ed57f1f8914504e4f503d051bfe2027682c7d | |
parent | 1ecd9e1cb03930e5c68a910110cdf116a9516510 (diff) | |
download | ghostpdl-3817df3154b8dd0067e124221bf38494dd12c0af.tar.gz |
OSS_fuzz #45347 - validate image parameters
The file has an inline image with a /H (height) of -19. The interpreter
was simply passing that to the image rendering code which, not
unreasonably did nothing, but reported it had consumed -19 rows.
We then used that to try and skip over the image data, but treating
a negative number as an unsigned integer led to us trying to skip
ridiculously large amounts of data and eventually caused a crash in the
file handling.
This commit sets negative values to 0 (which then causes us to skip
the image) unless STOPONWARNING is set in which case we return an error.
-rw-r--r-- | pdf/pdf_image.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c index fa2e5362f..554cc3448 100644 --- a/pdf/pdf_image.c +++ b/pdf/pdf_image.c @@ -471,6 +471,14 @@ pdfi_get_image_info(pdf_context *ctx, pdf_stream *image_obj, goto errorExit; } } + if (info->Height < 0) { + pdfi_set_warning(ctx, 0, NULL, W_PDF_BAD_IMAGEDICT, "pdfi_get_image_info", NULL); + if (ctx->args.pdfstoponwarning) { + code = gs_note_error(gs_error_rangecheck); + goto errorExit; + } + info->Height = 0; + } /* Required */ code = pdfi_dict_get_number2(ctx, image_dict, "Width", "W", &temp_f); @@ -484,6 +492,14 @@ pdfi_get_image_info(pdf_context *ctx, pdf_stream *image_obj, goto errorExit; } } + if (info->Width < 0) { + pdfi_set_warning(ctx, 0, NULL, W_PDF_BAD_IMAGEDICT, "pdfi_get_image_info", NULL); + if (ctx->args.pdfstoponwarning) { + code = gs_note_error(gs_error_rangecheck); + goto errorExit; + } + info->Width = 0; + } /* Optional, default false */ code = pdfi_dict_get_bool2(ctx, image_dict, "ImageMask", "IM", &info->ImageMask); |