diff options
| author | Tor Andersson <tor.andersson@artifex.com> | 2019-01-11 14:25:29 +0100 |
|---|---|---|
| committer | Tor Andersson <tor.andersson@artifex.com> | 2019-01-11 14:25:29 +0100 |
| commit | 24281b198d446da47441b132aba2aa09a5c27ba5 (patch) | |
| tree | 41f5d7149fddbfbc8cca60dbff5b02d6d5967f72 /xps | |
| parent | 1698937968690ca1ff99e50ae8c1c044718505b8 (diff) | |
| download | ghostpdl-24281b198d446da47441b132aba2aa09a5c27ba5.tar.gz | |
Bug 697630: Check ZIP entry sizes for integer overflow.
Diffstat (limited to 'xps')
| -rw-r--r-- | xps/xpszip.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/xps/xpszip.c b/xps/xpszip.c index 48b8ff462..46ea7ca47 100644 --- a/xps/xpszip.c +++ b/xps/xpszip.c @@ -263,6 +263,9 @@ xps_read_zip_dir(xps_context_t *ctx, int start_offset) (void) getlong(ctx->file); /* ext file atts */ ctx->zip_table[i].offset = getlong(ctx->file); + if (ctx->zip_table[i].csize < 0 || ctx->zip_table[i].usize < 0) + return gs_throw(gs_error_ioerror, "cannot read zip entries larger than 2GB"); + ctx->zip_table[i].name = xps_alloc(ctx, namesize + 1); if (!ctx->zip_table[i].name) return gs_rethrow(gs_error_VMerror, "cannot allocate zip entry name"); |