oss-fuzz 44160: Check available buffer space reading xref offsets

The code works out how much buffer it has left to safely use, but it was possible for a malformed file to cause that calculation to run into negative values, then used as an unsigned in parameter, meaning we potentially overflow the buffer. Change it so the parameter is a signed int, and check the value is positive before carrying on - error if it is not.
ArtifexSoftware · Jan 29, 2022 · 76c27d4 · 76c27d4
1 parent 85fa6e1
commit 76c27d4
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
@@ -546,10 +546,17 @@ static int skip_to_digit(pdf_context *ctx, pdf_c_stream *s, unsigned int limit)
     return read;
 }
 
-static int read_digits(pdf_context *ctx, pdf_c_stream *s, byte *Buffer, unsigned int limit)
+static int read_digits(pdf_context *ctx, pdf_c_stream *s, byte *Buffer, int limit)
 {
     int bytes, read = 0;
 
+    /* Since the "limit" is a value calculate by the caller,
+       it's easier to check it in one place (here) than before
+       every call.
+     */
+    if (limit <= 0)
+        return_error(gs_error_syntaxerror);
+
     do {
         bytes = pdfi_read_bytes(ctx, &Buffer[read], 1, 1, s);
         if (bytes == 0)