Browse code
bb11980 & bb12008 (again). Change to pdf_parse_string after evaluating function usage and the pdf format.
Micah Snyder authored on 2018/03/15 02:51:20Showing 1 changed files
| ... | ... |
@@ -384,6 +384,12 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char * |
| 384 | 384 |
uint32_t objid; |
| 385 | 385 |
size_t i; |
| 386 | 386 |
|
| 387 |
+ if (objsize > (size_t)(pdf->size - (objstart - pdf->map))) {
|
|
| 388 |
+ /* Possible attempt to exploit bb11980 */ |
|
| 389 |
+ cli_dbgmsg("Malformed PDF: Alleged size of obj in PDF would extend further than the PDF data.\n");
|
|
| 390 |
+ return NULL; |
|
| 391 |
+ } |
|
| 392 |
+ |
|
| 387 | 393 |
/* |
| 388 | 394 |
* Yes, all of this is required to find the start and end of a potentially UTF-* string |
| 389 | 395 |
* |
| ... | ... |
@@ -590,9 +596,8 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char * |
| 590 | 590 |
|
| 591 | 591 |
/* Make a best effort to find the end of the string and determine if UTF-* */ |
| 592 | 592 |
p2 = ++p1; |
| 593 |
- checklen = cli_strnlen(p1, objsize - (size_t)(p1 - oobj)) + 1; |
|
| 594 | 593 |
|
| 595 |
- while (p2 < objstart + checklen) {
|
|
| 594 |
+ while (p2 < objstart + objsize) {
|
|
| 596 | 595 |
int shouldbreak=0; |
| 597 | 596 |
|
| 598 | 597 |
switch (*p2) {
|
| ... | ... |
@@ -612,7 +617,7 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char * |
| 612 | 612 |
p2++; |
| 613 | 613 |
} |
| 614 | 614 |
|
| 615 |
- if (p2 >= objstart + checklen) |
|
| 615 |
+ if (p2 >= objstart + objsize) |
|
| 616 | 616 |
return NULL; |
| 617 | 617 |
|
| 618 | 618 |
len = (size_t)(p2 - p1) + 1; |