Commit c2e91d8ec30838077191fac8303974f149b41c4f
1 parent
b9fe85be
Security: keep cur_byte pointing into bytes array
Showing
2 changed files
with
9 additions
and
2 deletions
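--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-05 Jay Berkenbilt <ejb@ql.org>
+
+ * Security fix: in QUtil::toUTF8, change bounds checking to avoid
+ having a pointer point temporarily outside the bounds of an
+ array. Some compiler optimizations could have made the original
+ code unsafe.
+
 2013-07-10 Jay Berkenbilt <ejb@ql.org>
 
  * 5.0.0: release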
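--- a/libqpdf/QUtil.cc
+++ b/libqpdf/QUtil.cc
@@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval)
  // Maximum that will fit in high byte now shrinks by one bit
  maxval >>= 1;
  // Slide to the left one byte
- --cur_byte;
- if (cur_byte < bytes)
+ if (cur_byte <= bytes)
  {
  throw std::logic_error("QUtil::toUTF8: overflow error");
  }
+ --cur_byte;
  }
  // If maxval is k bits long, the high (7 - k) bits of the
  // resulting byte must be high.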
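Review bot: The comment `// Slide to the left one byte` now sits above the bounds check instead of the `--cur_byte;` it describes, and nothing at the reordered lines records why the check has to come first. I would move that comment down to the decrement and put a why-comment on the test, for example `// Check before decrementing: a pointer below the start of bytes is undefined, so a compiler may drop a test made after the decrement`. Without it the ordering looks arbitrary, and a later cleanup could restore the decrement-then-compare form that the ChangeLog entry describes as unsafe. The loop and the declaration of `bytes` start outside the hunk, so the buffer size and whether the throw is reachable for any `unsigned long` input cannot be judged from here; if it is reachable, a test expecting the `std::logic_error` would pin the behaviour.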