46b1efb4f0
- CVE-2018-6192 (rh bz #1539845 #1539846) (gs bz #698916) - CVE-2018-6544 (rh bz #1542264 #1542265) (gs bz #698830 #698965) - CVE-2018-1000051 (rh bz #1544847 #1544848) (gs bz #698825 #698873)
43 lines
1.5 KiB
Diff
43 lines
1.5 KiB
Diff
From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <5e411a99604ff6be5db9e273ee84737204113299.1518615489.git.mjg@fedoraproject.org>
|
|
From: Sebastian Rasmussen <sebras@gmail.com>
|
|
Date: Tue, 30 Jan 2018 02:05:57 +0100
|
|
Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.
|
|
|
|
---
|
|
source/pdf/pdf-parse.c | 2 ++
|
|
source/pdf/pdf-xref.c | 4 ++--
|
|
2 files changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
|
|
index 7904ebd7..b4783ae8 100644
|
|
--- a/source/pdf/pdf-parse.c
|
|
+++ b/source/pdf/pdf-parse.c
|
|
@@ -623,6 +623,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
|
|
fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
|
|
}
|
|
num = buf->i;
|
|
+ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
|
|
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
|
|
|
|
tok = pdf_lex(ctx, file, buf);
|
|
if (tok != PDF_TOK_INT)
|
|
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
|
index 4997ebe5..cfcd0a21 100644
|
|
--- a/source/pdf/pdf-xref.c
|
|
+++ b/source/pdf/pdf-xref.c
|
|
@@ -228,8 +228,8 @@ pdf_xref_entry *pdf_get_populating_xref_entry(fz_context *ctx, pdf_document *doc
|
|
}
|
|
|
|
/* Prevent accidental heap underflow */
|
|
- if (num < 0)
|
|
- fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
|
|
+ if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
|
|
+ fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
|
|
|
|
/* Return the pointer to the entry in the last section. */
|
|
xref = &doc->xref_sections[doc->num_xref_sections-1];
|
|
--
|
|
2.16.1.312.g365a692731
|
|
|