From 76c27d4f4dceeba02840a29c6e3ba45989a7daca Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Sat, 29 Jan 2022 09:27:00 +0000
Subject: [PATCH] oss-fuzz 44160: Check available buffer space reading xref offsets

The code works out how much buffer it has left to safely use, but it was possible for a malformed file to cause that calculation to run into negative values, then used as an unsigned in parameter, meaning we potentially overflow the buffer.

Change it so the parameter is a signed int, and check the value is positive before carrying on - error if it is not.
---
 pdf/pdf_xref.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 192cb3cac2..1d331649dd 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -546,10 +546,17 @@ static int skip_to_digit(pdf_context *ctx, pdf_c_stream *s, unsigned int limit)
     return read;
 }
 
-static int read_digits(pdf_context *ctx, pdf_c_stream *s, byte *Buffer, unsigned int limit)
+static int read_digits(pdf_context *ctx, pdf_c_stream *s, byte *Buffer, int limit)
 {
     int bytes, read = 0;
 
+    /* Since the "limit" is a value calculate by the caller,
+       it's easier to check it in one place (here) than before
+       every call.
+    */
+    if (limit <= 0)
+        return_error(gs_error_syntaxerror);
+
     do {
         bytes = pdfi_read_bytes(ctx, &Buffer[read], 1, 1, s);
         if (bytes == 0)
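Review bot: The hunk header shows `skip_to_digit(pdf_context *ctx, pdf_c_stream *s, unsigned int limit)` still taking an unsigned limit, so if any caller feeds it the same buffer-space calculation that the commit message says can go negative, the negative-to-unsigned conversion remains there; the same treatment, `static int skip_to_digit(pdf_context *ctx, pdf_c_stream *s, int limit)` plus the `if (limit <= 0) return_error(gs_error_syntaxerror);` guard, looks warranted. The callers of read_digits are outside the hunk, so it cannot be checked here whether they now compute the limit as a signed value or still pass an unsigned expression that is only caught by the new guard through implementation-defined conversion to int; documenting in the comment that callers are expected to pass a signed value would make that contract explicit. The new comment also has a typo, `/* Since the "limit" is a value calculated by the caller,`. The body of read_digits, including whatever the loop does with `limit` and `read`, continues past the end of the hunk and is not reviewed here.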