[gs-commits] mupdf/master - 0_6-199-g57d4495 - Check that object offsets are within the file when reading the xref table.

Tor Andersson tor at ghostscript.com
Sun Jul 18 15:26:19 UTC 2010 

commit 57d4495abfd5f4bf7782161253f02143a162c5c5
Author: Tor Andersson <tor at ghostscript.com>
Date:   Sun Jul 18 15:00:31 2010 +0000

    Check that object offsets are within the file when reading the xref table.
    
    Ignore-this: 2074993745da765345547806260d8862
    
    darcs-hash:20100718150031-f546f-45be3736d114b663d38f93dcea4f3a9e4d3931a6.gz

 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/mupdf/mupdf.h b/mupdf/mupdf.h
index 2489d79..8aeb574 100644
--- a/mupdf/mupdf.h
+++ b/mupdf/mupdf.h
@@ -121,6 +121,7 @@ struct pdf_xref_s
 	fz_stream *file;
 	int version;
 	int startxref;
+	int filesize;
 	pdf_crypt *crypt;
 	fz_obj *trailer;
 
diff --git a/mupdf/pdf_xref.c b/mupdf/pdf_xref.c
index 86b97da..eba185e 100644
--- a/mupdf/pdf_xref.c
+++ b/mupdf/pdf_xref.c
@@ -47,7 +47,9 @@ pdf_readstartxref(pdf_xref *xref)
 	if (error)
 		return fz_rethrow(error, "cannot seek to end of file");
 
-	t = MAX(0, fz_tell(xref->file) - ((int)sizeof buf));
+	xref->filesize = fz_tell(xref->file);
+
+	t = MAX(0, xref->filesize - (int)sizeof buf);
 	error = fz_seek(xref->file, t, 0);
 	if (error)
 		return fz_rethrow(error, "cannot seek to offset %d", t);
@@ -269,12 +271,12 @@ pdf_readoldxref(fz_obj **trailerp, pdf_xref *xref, char *buf, int cap)
 			xref->len = ofs + len;
 		}
 
-		for (i = 0; i < len; i++)
+		for (i = ofs; i < ofs + len; i++)
 		{
 			error = fz_read(&n, xref->file, (unsigned char *) buf, 20);
 			if (error)
 				return fz_rethrow(error, "cannot read xref table");
-			if (!xref->table[ofs + i].type)
+			if (!xref->table[i].type)
 			{
 				s = buf;
 
@@ -282,9 +284,12 @@ pdf_readoldxref(fz_obj **trailerp, pdf_xref *xref, char *buf, int cap)
 				while (*s != '\0' && iswhite(*s))
 					s++;
 
-				xref->table[ofs + i].ofs = atoi(s);
-				xref->table[ofs + i].gen = atoi(s + 11);
-				xref->table[ofs + i].type = s[17];
+				xref->table[i].ofs = atoi(s);
+				xref->table[i].gen = atoi(s + 11);
+				xref->table[i].type = s[17];
+
+				if (xref->table[i].ofs < 0 || xref->table[i].ofs >= xref->filesize)
+					return fz_throw("object offset out of range: %d", xref->table[i].ofs);
 			}
 		}
 	}
@@ -347,6 +352,9 @@ pdf_readnewxrefsection(pdf_xref *xref, fz_stream *stm, int i0, int i1, int w0, i
 			xref->table[i].type = t == 0 ? 'f' : t == 1 ? 'n' : t == 2 ? 'o' : 0;
 			xref->table[i].ofs = w1 ? b : 0;
 			xref->table[i].gen = w2 ? c : 0;
+
+			if (xref->table[i].ofs < 0 || xref->table[i].ofs >= xref->filesize)
+				return fz_throw("object offset out of range: %d", xref->table[i].ofs);
 		}
 	}
 

--
git/hooks/post-receive

More information about the gs-commits mailing list