author | Ken Sharp <ken.sharp@artifex.com> | 2022-04-12 15:23:09 +0100 |
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-04-14 11:13:37 +0100 |
commit | 2f8ffcd76be954b2c9080abd27b42c760e282e72 (patch) | |
tree | 6afc25a90044b3af618883ed7cfbbbe93986bc21 /pdf/ghostpdf.c | |
parent | 1a18793a02e1dab7676d594366b93847fde6fe44 (diff) | |
Fixes the buffer overrun. To also fix the failure to find the startxref, uncomment the pdfi_seek to SEEK_SET.
For me, as is, on Linux built with ASAN this gives a heap-use-after-free error with bug 705181.
Diffstat (limited to 'pdf/ghostpdf.c')
-rw-r--r-- | pdf/ghostpdf.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/pdf/ghostpdf.c b/pdf/ghostpdf.c
index 8d88b090d..6077d1cc1 100644
--- a/pdf/ghostpdf.c
+++ b/pdf/ghostpdf.c
@@ -1144,6 +1144,7 @@ int pdfi_set_input_stream(pdf_context *ctx, stream *stm)
 }
 /* Determine file size */
+ pdfi_seek(ctx, ctx->main_stream, 0, SEEK_SET);
 pdfi_seek(ctx, ctx->main_stream, 0, SEEK_END);
 ctx->main_stream_length = pdfi_tell(ctx->main_stream);
 Offset = BUF_SIZE;
@@ -1268,8 +1269,15 @@ int pdfi_set_input_stream(pdf_context *ctx, stream *stm)
 */
 if (last_lineend) {
 leftover = last_lineend - Buffer;
- memmove(Buffer + bytes - leftover, last_lineend, leftover);
- bytes -= leftover;
+ /* Ensure we don't try to copy more than half a buffer, because that will
+ * end up overrunning the buffer end. Since we are only doing this to
+ * ensure we don't drop a partial 'startxref' that's far more than enough.
+ */
+ if (leftover < BUF_SIZE / 2) {
+ memmove(Buffer + bytes - leftover, last_lineend, leftover);
+ bytes -= leftover;
+ } else
+ leftover = 0;
 } else
 leftover = 0;
 }
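Review bot: The new guard in the second hunk bounds `leftover` against `BUF_SIZE / 2` but not against `bytes`: because `leftover` is the offset of `last_lineend` from `Buffer`, the memmove reads `leftover` bytes starting at `Buffer + leftover`, so whenever `2 * leftover > bytes` the copy now stays inside the BUF_SIZE allocation but still pulls in stale or uninitialized bytes past the end of the data read on this pass. If `bytes` is the count of valid bytes in `Buffer` (the loop that sets it is outside the hunk), tightening the check to `if (leftover < BUF_SIZE / 2 && leftover <= bytes - leftover) {` keeps the copy within the data actually read; it is also worth confirming against the surrounding loop whether the copied length was meant to be the tail `bytes - leftover` rather than the prefix offset. The `} else` / `leftover = 0;` branch is unbraced beside a braced `if`; bracing it keeps the two `else` arms consistent. pdfi_set_input_stream starts and ends outside both hunks, and the SEEK_SET seek added in the first hunk, like the existing SEEK_END one, ignores pdfi_seek's return value.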