Commit eb1b1264b46f02550201e3e5856ff575fa47a0f7
1 parent c2e91d8e
Security: fix potential multiplication overflow
Better sanity check inputs to bit stream reader
Showing 2 changed files with 7 additions and 0 deletions
ChangeLog
| 1 | 1 | 2013-10-05 Jay Berkenbilt <ejb@ql.org> |
| 2 | 2 | |
| 3 | + * Security fix: perform additional argument sanity checks when | |
| 4 | + reading bit streams. | |
| 5 | + | |
| 3 | 6 | * Security fix: in QUtil::toUTF8, change bounds checking to avoid |
| 4 | 7 | having a pointer point temporarily outside the bounds of an |
| 5 | 8 | array. Some compiler optimizations could have made the original | ... | ... |
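Review bot: The new ChangeLog entry does not say which function was changed or what could go wrong, while the entry directly below it names QUtil::toUTF8 and describes the bounds problem. Consider naming BitStream::reset and stating that the check guards the `8 * nbytes` multiplication against overflow, so that someone reading the ChangeLog to decide on a backport can tell what was affected.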
libqpdf/BitStream.cc
| ... | ... | @@ -16,6 +16,10 @@ BitStream::reset() |
| 16 | 16 | { |
| 17 | 17 | p = start; |
| 18 | 18 | bit_offset = 7; |
| 19 | + if (static_cast<unsigned int>(nbytes) > static_cast<unsigned int>(-1) / 8) | |
| 20 | + { | |
| 21 | + throw std::runtime_error("array too large for bitstream"); | |
| 22 | + } | |
| 19 | 23 | bits_available = 8 * nbytes; |
| 20 | 24 | } |
| 21 | 25 | ... | ... |
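Review bot: The guard on the added `if` line in BitStream::reset() narrows nbytes with `static_cast<unsigned int>` before comparing, and the declarations of nbytes and bits_available are not visible in this hunk, so the bound may not match the arithmetic it protects. If nbytes is wider than unsigned int, the cast truncates and an oversized value can pass. If `8 * nbytes` is evaluated or stored in a signed type, values above that type's maximum divided by 8 still pass the `static_cast<unsigned int>(-1) / 8` limit and overflow. Suggest deriving the limit from std::numeric_limits of the type in which the product is actually computed and stored. The check also runs after `p = start;` and `bit_offset = 7;`, so a throw leaves the object partly reset; moving the check to the top of the function avoids that. The visible additions include no new #include, so confirm <stdexcept> is already available in this file for std::runtime_error.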