authorEthan Vrhel <ethanvrhel@gmail.com>2022-06-28 16:04:54 -0700
committerEthan Vrhel <ethanvrhel@gmail.com>2022-07-01 13:41:26 -0700
commit364b85368a4fae40f86500e5bc3d4ce96920f353 (patch)
tree042bd1e0b191a138ab2c27d6a73730f949432b8f /xps
parente9a38f1ec009ed097aacf4f5e764bbfd6c7c4862 (diff)
Bug 705450 : XPS interpreter
Fixed a buffer overflow in xps_read_zip_part. It was caused by the sum of the part sizes overflowing an integer, yielding a number smaller than the actual total size of the parts. Fixed by detecting the integer overflow and throwing an error when it occurs.
Diffstat (limited to 'xps')
-rw-r--r--xps/xpszip.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/xps/xpszip.c b/xps/xpszip.c
index 14ac76751..13f698ac5 100644
--- a/xps/xpszip.c
+++ b/xps/xpszip.c
@@ -340,6 +340,7 @@ xps_read_zip_part(xps_context_t *ctx, const char *partname)
xps_entry_t *ent;
xps_part_t *part;
int count, size, offset, i;
+ int last_size;
int code = 0;
const char *name;
int seen_last = 0;
@@ -382,7 +383,15 @@ xps_read_zip_part(xps_context_t *ctx, const char *partname)
if (!ent)
break;
count ++;
+ last_size = size;
size += ent->usize;
+
+ /* check for integer overflow */
+ if (size < last_size)
+ {
+ gs_throw1(-1, "part '%s' is too large", partname);
+ return NULL;
+ }
}
if (!seen_last)
{
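Review bot: The overflow test `if (size < last_size)` only runs after `size += ent->usize;` has executed, and because `size` is declared `int` in the first hunk, a wrapping addition there is signed overflow, which is undefined behaviour, so an optimising compiler may assume it cannot happen and drop the check. Testing before the addition avoids this: `if (ent->usize < 0 || ent->usize > INT_MAX - size)` followed by the existing throw, and only then `size += ent->usize;`. That form assumes `usize` is a signed `int`, which the hunk does not show, and it needs `<limits.h>` in scope. With it, `last_size` is no longer needed. The body of xps_read_zip_part starts and ends outside the hunk, so whether anything must be released before `return NULL` cannot be judged from here.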