diff options
author | Ken Sharp <ken.sharp@artifex.com> | 2023-01-03 12:42:27 +0000 |
---|---|---|
committer | Ken Sharp <ken.sharp@artifex.com> | 2023-01-03 12:43:57 +0000 |
commit | 1b5facd696e036ce738b93505ffd5ad03f0cb63c (patch) | |
tree | 35891f80e96d176cd3b2637bfd35b71e542eb7f8 /pdf | |
parent | edd17616f1a0467b109b16cc2ee8407ae4c87af7 (diff) | |
download | ghostpdl-1b5facd696e036ce738b93505ffd5ad03f0cb63c.tar.gz |
GhostPDF - bound check the W array values in an XRefStrm
OSS-fuzz #54436
The PDF file had been fuzzed so that one of the W entries was negative,
which is not valid. This later caused problems when we tried to read
that number of bytes (cast to unsigned) from a file into a buffer which
was sized based on the signed value. That caused a buffer overrun and
subsequent crash.
Diffstat (limited to 'pdf')
-rw-r--r-- | pdf/pdf_xref.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c index 01ba016ee..db6f725e8 100644 --- a/pdf/pdf_xref.c +++ b/pdf/pdf_xref.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2018-2022 Artifex Software, Inc. +/* Copyright (C) 2018-2023 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -292,11 +292,13 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd } for (i=0;i<3;i++) { code = pdfi_array_get_int(ctx, a, (uint64_t)i, (int64_t *)&W[i]); - if (code < 0) { + if (code < 0 || W[i] < 0) { pdfi_countdown(a); pdfi_close_file(ctx, XRefStrm); pdfi_countdown(ctx->xref_table); ctx->xref_table = NULL; + if (W[i] < 0) + code = gs_note_error(gs_error_rangecheck); return code; } } |