mupdf/mupdf-1.12-CVE-2018-6192.patch
Michael J Gruber 46b1efb4f0 CVE-2018-6192 CVE-2018-6544 CVE-2018-1000051
- CVE-2018-6192 (rh bz #1539845 #1539846) (gs bz #698916)
 - CVE-2018-6544 (rh bz #1542264 #1542265) (gs bz #698830 #698965)
 - CVE-2018-1000051 (rh bz #1544847 #1544848) (gs bz #698825 #698873)
2018-02-14 15:10:26 +01:00

43 lines
1.5 KiB
Diff

From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
Message-Id: <5e411a99604ff6be5db9e273ee84737204113299.1518615489.git.mjg@fedoraproject.org>
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 30 Jan 2018 02:05:57 +0100
Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
---
source/pdf/pdf-parse.c | 2 ++
source/pdf/pdf-xref.c | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
index 7904ebd7..b4783ae8 100644
--- a/source/pdf/pdf-parse.c
+++ b/source/pdf/pdf-parse.c
@@ -623,6 +623,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
}
num = buf->i;
+ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
tok = pdf_lex(ctx, file, buf);
if (tok != PDF_TOK_INT)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 4997ebe5..cfcd0a21 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -228,8 +228,8 @@ pdf_xref_entry *pdf_get_populating_xref_entry(fz_context *ctx, pdf_document *doc
}
/* Prevent accidental heap underflow */
- if (num < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
+ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
/* Return the pointer to the entry in the last section. */
xref = &doc->xref_sections[doc->num_xref_sections-1];
--
2.16.1.312.g365a692731