Browse code
bb11980 - fixing oob read in pdf parsing, applying to 0.99
Micah Snyder authored on 2018/02/10 11:42:47Showing 2 changed files
| ... | ... |
@@ -590,7 +590,14 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char * |
| 590 | 590 |
|
| 591 | 591 |
/* Make a best effort to find the end of the string and determine if UTF-* */ |
| 592 | 592 |
p2 = ++p1; |
| 593 |
- while (p2 < objstart + objsize) {
|
|
| 593 |
+ if (!str) {
|
|
| 594 |
+ checklen = cli_strnlen(p1, objsize) + 1; |
|
| 595 |
+ } |
|
| 596 |
+ else {
|
|
| 597 |
+ checklen = cli_strnlen(p1, checklen) + 1; |
|
| 598 |
+ } |
|
| 599 |
+ |
|
| 600 |
+ while (p2 < objstart + checklen) {
|
|
| 594 | 601 |
int shouldbreak=0; |
| 595 | 602 |
|
| 596 | 603 |
switch (*p2) {
|
| ... | ... |
@@ -610,7 +617,7 @@ char *pdf_parse_string(struct pdf_struct *pdf, struct pdf_obj *obj, const char * |
| 610 | 610 |
p2++; |
| 611 | 611 |
} |
| 612 | 612 |
|
| 613 |
- if (p2 == objstart + objsize) |
|
| 613 |
+ if (p2 == objstart + checklen) |
|
| 614 | 614 |
return NULL; |
| 615 | 615 |
|
| 616 | 616 |
len = (size_t)(p2 - p1) + 1; |