Commit eb1b1264b46f02550201e3e5856ff575fa47a0f7
1 parent
c2e91d8e
Security: fix potential multiplication overflow
Better sanity-check inputs to the bit stream reader
Showing
2 changed files
with
7 additions
and
0 deletions
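--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2013-10-05 Jay Berkenbilt <ejb@ql.org>
 
+* Security fix: perform additional argument sanity checks when
+reading bit streams.
+
 * Security fix: in QUtil::toUTF8, change bounds checking to avoid
 having a pointer point temporarily outside the bounds of an
 array. Some compiler optimizations could have made the original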
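--- a/libqpdf/BitStream.cc
+++ b/libqpdf/BitStream.cc
@@ -16,6 +16,10 @@ BitStream::reset()
 {
 p = start;
 bit_offset = 7;
+if (static_cast<unsigned int>(nbytes) > static_cast<unsigned int>(-1) / 8)
+{
+throw std::runtime_error("array too large for bitstream");
+}
 bits_available = 8 * nbytes;
 }
 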
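Review bot: The new guard on line 19 bounds `static_cast<unsigned int>(nbytes)`, but the product it protects on line 23, `8 * nbytes`, is evaluated in nbytes's own declared type, which is outside this hunk; the cast in the condition suggests that type is not `unsigned int`. If nbytes is a signed `int`, a value such as 300000000 passes the check (it is below UINT_MAX/8) yet `8 * nbytes` overflows `int`, which is undefined behaviour before the result ever reaches bits_available, and if nbytes is wider than `unsigned int` (e.g. `size_t` on a 64-bit build) the cast truncates and a value like 2^32 + 1 passes the check unchanged. The cheapest fix keeps the check and the product in the same type, `bits_available = 8 * static_cast<unsigned int>(nbytes);`, or expresses the limit in nbytes's type via `std::numeric_limits<decltype(nbytes)>::max() / 8`; either way, a one-line comment above the check such as `// reject sizes whose bit count would not fit in bits_available` would record why the bound is UINT_MAX/8. As a point of style, `static_cast<unsigned int>(-1)` reads more clearly as `std::numeric_limits<unsigned int>::max()` (needs `<limits>`), and `std::runtime_error` requires `<stdexcept>`, which is not visible in the hunk, so please confirm it is already included.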