author | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-06-28 16:04:54 -0700 |
---|---|---|
committer | Ethan Vrhel <ethanvrhel@gmail.com> | 2022-07-01 13:41:26 -0700 |
commit | 364b85368a4fae40f86500e5bc3d4ce96920f353 (patch) | |
tree | 042bd1e0b191a138ab2c27d6a73730f949432b8f /xps | |
parent | e9a38f1ec009ed097aacf4f5e764bbfd6c7c4862 (diff) | |
download | ghostpdl-364b85368a4fae40f86500e5bc3d4ce96920f353.tar.gz |
Bug 705450 : XPS interpreter
Fixed a buffer overflow in xps_read_zip_part. It was caused by the
part sizes overflowing an integer, which produced a total smaller
than the actual sum of the part sizes. Fixed by detecting the integer
overflow and throwing an error when it occurs.
Diffstat (limited to 'xps')
-rw-r--r-- | xps/xpszip.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/xps/xpszip.c b/xps/xpszip.c
index 14ac76751..13f698ac5 100644
--- a/xps/xpszip.c
+++ b/xps/xpszip.c
@@ -340,6 +340,7 @@ xps_read_zip_part(xps_context_t *ctx, const char *partname)
 xps_entry_t *ent;
 xps_part_t *part;
 int count, size, offset, i;
+ int last_size;
 int code = 0;
 const char *name;
 int seen_last = 0;
@@ -382,7 +383,15 @@ xps_read_zip_part(xps_context_t *ctx, const char *partname)
 if (!ent)
 break;
 count ++;
+ last_size = size;
 size += ent->usize;
+
+ /* check for integer overflow */
+ if (size < last_size)
+ {
+ gs_throw1(-1, "part '%s' is too large", partname);
+ return NULL;
+ }
 }
 if (!seen_last)
 { |
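Review bot: The overflow test in the second hunk runs only after `size += ent->usize` has been evaluated, and `size` is declared `int`, so the wrap-around it looks for is signed overflow, which is undefined behaviour in C. An optimising compiler may assume it never happens and reduce `size < last_size` to a sign test on `ent->usize`, which would let a large positive piece size through unchecked. Testing before the addition avoids depending on the wrap: `if (ent->usize < 0 || size > INT_MAX - ent->usize)` followed by the existing throw, with `size += ent->usize;` moved after it. This assumes `usize` is a signed int and that `<limits.h>` is in scope, neither of which is visible on this page. The loop and the rest of xps_read_zip_part lie outside the hunk, so whether anything acquired earlier needs releasing before `return NULL` cannot be confirmed from here.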