From 019f1955194360600ecf0644959ceca6734c2d7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?T=C3=B6r=C3=B6k=20Edvin?=
Date: Tue, 30 Nov 2010 13:09:40 +0200
Subject: [PATCH] fix crashes (bb #2358, bb #2380, bb #2396). Thanks to Arkadiusz Miskiewicz for bb #2380.
---
ChangeLog | 5 +++++
libclamav/pdf.c | 11 +++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9eb9ba9dd5..339aff92c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Tue Nov 30 13:07:15 EET 2010 (edwin)
+------------------------------------
+ * libclamav/pdf.c: fix crashes (bb #2358, bb #2380, bb #2396).
+ Thanks to Arkadiusz Miskiewicz for bb #2380.
+
 Tue Nov 30 12:09:56 CET 2010 (acab)
 -----------------------------------
 * libclamav/pe_icons.c: off by one while (bb#2344)
diff --git a/libclamav/pdf.c b/libclamav/pdf.c
index 6ff503f756..ae9d03c0ca 100644
--- a/libclamav/pdf.c
+++ b/libclamav/pdf.c
@@ -113,7 +113,10 @@ static int find_stream_bounds(const char *start, off_t bytesleft, off_t byteslef
 const char *q2, *q;
 if ((q2 = cli_memstr(start, bytesleft, "stream", 6))) {
 q2 += 6;
- if (q2[0] == '\xd' && q2[1] == '\xa')
+ bytesleft -= q2 - start;
+ if (bytesleft < 1)
+ return 0;
+ if (bytesleft >= 2 && q2[0] == '\xd' && q2[1] == '\xa')
 q2 += 2;
 if (q2[0] == '\xa')
 q2++;
@@ -348,9 +351,9 @@ static int filter_flatedecode(struct pdf_struct *pdf, struct pdf_obj *obj,
 const char *q = pdf_nextlinestart(buf, len);
 if (q) {
 skipped = 1;
- buf = q;
 inflateEnd(&stream);
 len -= q - buf;
+ buf = q;
 stream.next_in = (Bytef *)buf;
 stream.avail_in = len;
 stream.next_out = (Bytef *)output;
@@ -468,6 +471,10 @@ static int find_length(struct pdf_struct *pdf,
 return 0;
 }
 q = pdf_nextobject(pdf->map+obj->start, pdf->size - obj->start);
+ if (!q) {
+ cli_dbgmsg("cli_pdf: next object not found\n");
+ return 0;
+ }
 length = atoi(q);
 }
 }
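Review bot: In find_stream_bounds, `bytesleft` is not reduced after the CRLF skip, so the following `if (q2[0] == '\xa')` can read one byte past the checked range when exactly two bytes remained after "stream". The added `bytesleft < 1` check only covers the position before the skip. I would make the CRLF branch `{ q2 += 2; bytesleft -= 2; }` and guard the LF test as `if (bytesleft >= 1 && q2[0] == '\xa')`. The function continues past the end of the hunk, so whether later code re-validates the resulting offset is not visible here.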
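Review bot: The corrected statement order in filter_flatedecode is easy to break again, because nothing records why `len -= q - buf;` has to run before `buf = q;`. A one-line comment above the pair would keep it, for example `/* adjust len before advancing buf: q - buf is the number of bytes skipped */`. It would also help to state there that `q` is expected to lie within `[buf, buf + len)`; that is presumably what pdf_nextlinestart guarantees, but it cannot be confirmed from this hunk. The enclosing block starts and ends outside the hunk.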
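Review bot: In find_length, `length = atoi(q);` still parses with no length bound, even though `q` points into `pdf->map` and the new NULL check covers only the missing-object case. If the mapped file ends in digits and the map is not NUL-terminated (not visible here), atoi() reads past `pdf->size`; it also gives no error on overflow or on a negative value. A bounded decimal parse that stops at `pdf->map + pdf->size` and rejects out-of-range values avoids both. The sketch below assumes `length` is an `int` and that `q` already points at the first digit, which should be confirmed against the rest of the function, as it starts and ends outside the hunk.

```c
/* … unchanged: pdf_nextobject() call and the !q check … */
{
    /* parse only the bytes left in the map; atoi() has no bound */
    const char *p = q;
    const char *end = pdf->map + pdf->size;

    length = 0;
    while (p < end && *p >= '0' && *p <= '9') {
        if (length > (INT_MAX - (*p - '0')) / 10) {
            cli_dbgmsg("cli_pdf: length value out of range\n");
            return 0;
        }
        length = length * 10 + (*p++ - '0');
    }
}
```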