Browse code
fuzz - 12181 - Fixed 1-byte buffer over-read in PDF parser.
Micah Snyder authored on 2019/01/23 08:04:53Showing 1 changed files
| ... | ... |
@@ -2396,8 +2396,10 @@ void pdf_parseobj(struct pdf_struct *pdf, struct pdf_obj *obj) |
| 2396 | 2396 |
|
| 2397 | 2397 |
objid = objid << 8; |
| 2398 | 2398 |
|
| 2399 |
- while (isdigit(*q2)) |
|
| 2399 |
+ while ((dict_remaining > 0) && isdigit(*q2)) {
|
|
| 2400 | 2400 |
q2++; |
| 2401 |
+ dict_remaining--; |
|
| 2402 |
+ } |
|
| 2401 | 2403 |
|
| 2402 | 2404 |
q2_old = q2; |
| 2403 | 2405 |
q2 = pdf_nextobject(q2, dict_remaining); |
| ... | ... |
@@ -3640,6 +3642,11 @@ done: |
| 3640 | 3640 |
static const char * |
| 3641 | 3641 |
pdf_nextlinestart(const char *ptr, size_t len) |
| 3642 | 3642 |
{
|
| 3643 |
+ if (!ptr || (0 == len)) {
|
|
| 3644 |
+ /* Invalid args */ |
|
| 3645 |
+ return NULL; |
|
| 3646 |
+ } |
|
| 3647 |
+ |
|
| 3643 | 3648 |
while(strchr("\r\n", *ptr) == NULL) {
|
| 3644 | 3649 |
if(--len == 0L) |
| 3645 | 3650 |
return NULL; |