
bb12134: Adding missing len decrement and adding additional len check.

Micah Snyder (micasnyd) authored on 2018/06/09 02:13:13
@@ -1627,6 +1627,16 @@ void pdf_parseobj(struct pdf_struct *pdf, struct pdf_obj *obj)
1627 1627
     cli_dbgmsg("cli_pdf: %u %u obj flags: %02x\n", obj->id>>8, obj->id&0xff, obj->flags);
1628 1628
 }
1629 1629
 
1630
+/**
1631
+ * @brief   Given a pointer to a dictionary object and a key, get the key's value.
1632
+ *
1633
+ * @param q0            Offset of the start of the dictionary.
1634
+ * @param[in,out] len   In: The number of bytes in the dictionary.
1635
+ *                      Out: The number of bytes remaining from the start
1636
+ *                           of the value to the end of the dict
1637
+ * @param key           Null terminated 'key' to search for.
1638
+ * @return const char*  Address of the dictionary key's 'value'.
1639
+ */
1630 1640
 static const char *pdf_getdict(const char *q0, int* len, const char *key)
1631 1641
 {
1632 1642
     const char *q;
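Review bot: The new `@return` line does not document the failure value, yet pdf_getdict returns NULL both when the key is not found and when the value object is invalid (the two `return NULL` paths in the following hunks), and pdf_readstring tests for exactly that. Suggest `@return const char*  Address of the dictionary key's 'value', or NULL if the key is absent or its value is malformed.` The `@param[in,out] len` text should also say that on the "invalid in dict" path `*len` has already been reduced by `q - q0` before the NULL return, whereas the not-found path leaves it untouched, so a caller that reuses len after a NULL sees different values depending on which failure occurred. pdf_getdict's body continues past the end of this hunk.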
@@ -1639,6 +1649,7 @@ static const char *pdf_getdict(const char *q0, int* len, const char *key)
1639 1639
     if (!q0)
1640 1640
         return NULL;
1641 1641
 
1642
+    /* find the key */
1642 1643
     q = cli_memstr(q0, *len, key, strlen(key));
1643 1644
     if (!q) {
1644 1645
         cli_dbgmsg("cli_pdf: %s not found in dict\n", key);
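Review bot: `*len` is handed straight to cli_memstr without validation, while the only entry guard in the function is `if (!q0)`. Since len is a signed int and this same commit adds a `len <= 0` check in pdf_readstring right after the call, the equivalent check belongs at the entry of pdf_getdict as well: `if (!q0 || *len <= 0) return NULL;`. cli_memstr's prototype is not visible here, so whether a negative length would be converted to a large unsigned size is an inference to confirm against its declaration. pdf_getdict begins before this hunk and continues after it.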
@@ -1647,12 +1658,15 @@ static const char *pdf_getdict(const char *q0, int* len, const char *key)
1647 1647
 
1648 1648
     *len -= q - q0;
1649 1649
     q0 = q;
1650
+
1651
+    /* find the start of the value object */
1650 1652
     q = pdf_nextobject(q0 + 1, *len - 1);
1651 1653
     if (!q) {
1652 1654
         cli_dbgmsg("cli_pdf: %s is invalid in dict\n", key);
1653 1655
         return NULL;
1654 1656
     }
1655 1657
 
1658
+    /* if the value is a dictionary object, include the < > brackets.*/
1656 1659
     if (q[-1] == '<')
1657 1660
         q--;
1658 1661
 
@@ -1671,12 +1685,13 @@ static char *pdf_readstring(const char *q0, int len, const char *key, unsigned *
1671 1671
         *qend = q0;
1672 1672
 
1673 1673
     q = pdf_getdict(q0, &len, key);
1674
-    if (!q)
1674
+    if (!q || len <= 0)
1675 1675
         return NULL;
1676 1676
 
1677 1677
     if (*q == '(') {
1678 1678
         int paren = 1;
1679 1679
         start = ++q;
1680
+        len--;
1680 1681
         for (;paren > 0 && len > 0; q++,len--) {
1681 1682
             switch (*q) {
1682 1683
             case '(':
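Review bot: The `len--` added after `start = ++q` keeps len in step with q, but the truncation check this commit adds after the loop (in the next hunk) tests `len <= 0` rather than whether the string was actually closed. The loop `for (;paren > 0 && len > 0; q++,len--)` also leaves len at 0 when the closing ')' is the last byte of the range, because the `q++,len--` step runs once more after paren reaches 0, so that well-formed case would be reported as a truncated dictionary. Testing the loop's real exit reason is more precise: `if (paren > 0) { cli_errmsg("pdf_readstring: Invalid, truncated dictionary.\n"); return NULL; }`, i.e. input exhausted with a parenthesis still open. Whether a string can legitimately end on the last byte of len depends on how the caller computes it, which is outside this hunk; pdf_readstring's body continues beyond the hunk.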
@@ -1694,6 +1709,11 @@ static char *pdf_readstring(const char *q0, int len, const char *key, unsigned *
1694 1694
             }
1695 1695
         }
1696 1696
 
1697
+        if (len <= 0) {
1698
+            cli_errmsg("pdf_readstring: Invalid, truncated dictionary.\n");
1699
+            return NULL;
1700
+        }
1701
+
1697 1702
         if (qend)
1698 1703
             *qend = q;
1699 1704