
bb12031 - 0.100.1 - resolving pdf parsing DoS; patch by aCaB

Mickey Sola authored on 2018/05/25 06:02:40
@@ -801,23 +801,23 @@ struct pdf_dict *pdf_parse_dict(struct pdf_struct *pdf, struct pdf_obj *obj, siz
801 801
 
802 802
         switch (begin[0]) {
803 803
             case '(':
804
-                val = pdf_parse_string(pdf, obj, begin, objsz, NULL, &p1, NULL);
804
+                val = pdf_parse_string(pdf, obj, begin, end - objstart, NULL, &p1, NULL);
805 805
                 begin = p1+2;
806 806
                 break;
807 807
             case '[':
808
-                arr = pdf_parse_array(pdf, obj, objsz, begin, &p1);
808
+                arr = pdf_parse_array(pdf, obj, end - objstart, begin, &p1);
809 809
                 begin = p1+1;
810 810
                 break;
811 811
             case '<':
812 812
                 if ((size_t)(begin - objstart) < objsz - 2) {
813 813
                     if (begin[1] == '<') {
814
-                        dict = pdf_parse_dict(pdf, obj, objsz, begin, &p1);
814
+                        dict = pdf_parse_dict(pdf, obj, end - objstart, begin, &p1);
815 815
                         begin = p1+2;
816 816
                         break;
817 817
                     }
818 818
                 }
819 819
 
820
-                val = pdf_parse_string(pdf, obj, begin, objsz, NULL, &p1, NULL);
820
+                val = pdf_parse_string(pdf, obj, begin, end - objstart, NULL, &p1, NULL);
821 821
                 begin = p1+2;
822 822
                 break;
823 823
             default:
@@ -992,19 +992,19 @@ struct pdf_array *pdf_parse_array(struct pdf_struct *pdf, struct pdf_obj *obj, s
992 992
         switch (begin[0]) {
993 993
             case '<':
994 994
                 if ((size_t)(begin - objstart) < objsz - 2 && begin[1] == '<') {
995
-                    dict = pdf_parse_dict(pdf, obj, objsz, begin, &begin);
995
+                    dict = pdf_parse_dict(pdf, obj, end - objstart, begin, &begin);
996 996
                     begin+=2;
997 997
                     break;
998 998
                 }
999 999
 
1000 1000
                 /* Not a dictionary. Intentionally fall through. */
1001 1001
             case '(':
1002
-                val = pdf_parse_string(pdf, obj, begin, objsz, NULL, &begin, NULL);
1002
+                val = pdf_parse_string(pdf, obj, begin, end - objstart, NULL, &begin, NULL);
1003 1003
                 begin += 2;
1004 1004
                 break;
1005 1005
             case '[':
1006 1006
                 /* XXX We should have a recursion counter here */
1007
-                arr = pdf_parse_array(pdf, obj, objsz, begin, &begin);
1007
+                arr = pdf_parse_array(pdf, obj, end - objstart, begin, &begin);
1008 1008
                 begin+=1;
1009 1009
                 break;
1010 1010
             default:
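Review bot: The nested-array path (`case '['` at old/new line 1007) still recurses into `pdf_parse_array` with no depth bound, and the `/* XXX We should have a recursion counter here */` comment above it survives the patch; shrinking the length argument to `end - objstart` limits how much input each level rescans but does not cap stack depth, so a document with deeply nested `[` or `<<` can presumably still exhaust the stack through `pdf_parse_array`/`pdf_parse_dict` mutual recursion. A depth counter threaded through these calls (or carried on `struct pdf_struct`) with an abort past a fixed limit would close that, and the same applies to the `case '['` and `case '<'` calls in the first hunk at line 808 and 814. Separately, the guard `if ((size_t)(begin - objstart) < objsz - 2 && begin[1] == '<')` at line 994 (and its split form at lines 812-813) still bounds the `begin[1]` read by `objsz` while the callee now receives `end - objstart`; `objsz - 2` also wraps when `objsz < 2`, so `if (objsz >= 2 && (size_t)(begin - objstart) < objsz - 2 && begin[1] == '<')` would make the check safe regardless of how `end` relates to `objsz`. Both enclosing functions begin and end outside the hunks, so where `end` and `objstart` are set, and whether `end <= objstart + objsz` is guaranteed, cannot be confirmed from here.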