Commit c2e91d8ec30838077191fac8303974f149b41c4f
1 parent
b9fe85be
Security: keep cur_byte pointing into bytes array
Showing
2 changed files
with
9 additions
and
2 deletions
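--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-05 Jay Berkenbilt <ejb@ql.org>
+
+ * Security fix: in QUtil::toUTF8, change bounds checking to avoid
+ having a pointer point temporarily outside the bounds of an
+ array. Some compiler optimizations could have made the original
+ code unsafe.
+
 2013-07-10 Jay Berkenbilt <ejb@ql.org>
 
 * 5.0.0: release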
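--- a/libqpdf/QUtil.cc
+++ b/libqpdf/QUtil.cc
@@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval)
 // Maximum that will fit in high byte now shrinks by one bit
 maxval >>= 1;
 // Slide to the left one byte
- --cur_byte;
- if (cur_byte < bytes)
+ if (cur_byte <= bytes)
 {
 throw std::logic_error("QUtil::toUTF8: overflow error");
 }
+ --cur_byte;
 }
 // If maxval is k bits long, the high (7 - k) bits of the
 // resulting byte must be high.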
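Review bot: The reordered test `if (cur_byte <= bytes)` has no comment explaining why it must come before `--cur_byte;`, so a later cleanup could move the decrement back above the check and reintroduce the problem. Forming a pointer below the start of `bytes` is undefined behaviour even when it is never dereferenced, which is what allowed an optimizer to drop the old `cur_byte < bytes` comparison. I would add `// Test before decrementing: a pointer below bytes[0] is undefined behaviour, so a check made after the decrement may be optimized away.` directly above the `if`. The declaration of `bytes` and the enclosing loop are outside this hunk, so whether the throw is reachable for large `uval` where `unsigned long` is 64-bit could not be confirmed here. A unit test that passes such a value and expects `std::logic_error` would pin the behaviour.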