Array out of bounds #1

Closed
shijin0925 opened this issue Jun 20, 2020 · 1 comment

Comments

@shijin0925

In the text2pdf.c file, the function StartPage does not check the maximum value of the parameter when operating on the array `locations`.

We can see that the maximum value of the parameter should be less than 1000, but we got 1129.

4

3

1

2

crash.txt:
crash.txt

@hyphenrf

Well, since the author explicitly forbids publishing modified source, here's a patch instead 😉

--- text2pdf.c  2020-11-21 22:21:15.621999407 +0200
+++ text2pdf.c	2020-11-21 22:46:49.262204933 +0200
@@ -38,6 +38,35 @@
 #define LINE_END '\015'  /* CR used in xref table */
 #define FF 12            /* formfeed character (^L) */
 
+/* Growable vector of longs */
+typedef struct vector vector;
+struct vector {
+  long *ptr;
+  long len;
+};
+
+void grow(vector* vec) {
+  long len = vec->len < 0? 1000 : vec->len * 2;
+  long* ptr = realloc(vec->ptr, len * sizeof(long));
+  if(!ptr) {
+    perror("text2pdf");
+    free(vec->ptr);
+    exit(EXIT_FAILURE);
+  }
+  vec->ptr = ptr;
+  vec->len = len;
+}
+
+void set(vector* vec, int n, long val) {
+  if (n < vec->len) {
+    vec->ptr[n] = val;
+  } else {
+  	grow(vec);
+  	set(vec, n, val);
+	}
+}
+/****************************/
+
 char *appname = "text2pdf v1.1";
 char *progname = "text2pdf";
 
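Review bot: `set` checks only the upper bound, so a negative `n` satisfies `n < vec->len` and `vec->ptr[n]` writes in front of the allocation; it should reject `n < 0` before indexing. In `grow`, `vec->len * 2` and `len * sizeof(long)` are unchecked, a `len` of 0 would double to 0 and leave `set` recursing without end, and the slots `realloc` adds are uninitialised where the static array they replace was zero-filled. The fence below bounds the doubling, zero-fills the new tail and turns the recursion into a loop; it uses `LONG_MAX` and `memset`, so `<limits.h>` and `<string.h>` have to be included if the file does not already include them. Both helpers could also be `static`, since nothing in the hunk suggests they are used outside this file.

```c
void grow(vector* vec) {
  long old = vec->len > 0 ? vec->len : 0;  /* treats -1 and 0 alike as "empty" */
  long len = old ? old * 2 : 1000;
  long* ptr;
  if (old > LONG_MAX / 2 / (long)sizeof(long)) {
    fputs("text2pdf: too many objects\n", stderr);
    exit(EXIT_FAILURE);
  }
  ptr = realloc(vec->ptr, (size_t)len * sizeof(long));
  /* ... unchanged: perror/free/exit when ptr is NULL ... */
  memset(ptr + old, 0, (size_t)(len - old) * sizeof(long));  /* new slots start at 0 */
  /* ... unchanged: store ptr and len back into vec ... */
}

void set(vector* vec, int n, long val) {
  if (n < 0) {
    fputs("text2pdf: negative object number\n", stderr);
    exit(EXIT_FAILURE);
  }
  while (n >= vec->len)
    grow(vec);
  vec->ptr[n] = val;
}
```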
@@ -45,7 +74,7 @@
 int pageNo = 0;
 int pageObs[500];
 int curObj = 5;  /* object number being or last written */
-long locations[1000];
+vector locations = {NULL, -1};
 
 char font[256];
 char *defaultFont = "Courier";
@@ -62,7 +91,7 @@
 int pageHeight = 792;
 int pageWidth = 612;
 
-unsigned char buf[1024];
+char buf[1024]; /* unsigned is useless within this program's semantics */
 unsigned long fpos = 0;
 
 void writestr(char *str) {
@@ -91,7 +120,7 @@
   strftime(datestring, 30, "D:%Y%m%d%H%M%S", ltime);
 
   writestr("%PDF-1.1\n");
-  locations[1] = fpos;
+  set(&locations, 1, fpos);
   writestr("1 0 obj\n");
   writestr("<<\n");
   sprintf(buf, "/CreationDate (%s)\n", datestring); writestr(buf);
@@ -100,7 +129,7 @@
   writestr(">>\n");
   writestr("endobj\n");
 
-  locations[2] = fpos;
+  set(&locations, 2, fpos);
   writestr("2 0 obj\n");
   writestr("<<\n");
   writestr("/Type /Catalog\n");
@@ -108,7 +137,7 @@
   writestr(">>\n");
   writestr("endobj\n");
 
-  locations[4] = fpos;
+  set(&locations, 4, fpos);
   writestr("4 0 obj\n");
   writestr("<<\n");
   writestr("/Type /Font\n");
@@ -161,7 +190,7 @@
   writestr(">>\n");
   writestr("endobj\n");
 
-  locations[5] = fpos;
+  set(&locations, 5, fpos);
   writestr("5 0 obj\n");
   writestr("<<\n");
   writestr("  /Font << /F1 4 0 R >>\n");
@@ -173,7 +202,7 @@
 long StartPage(){
   long strmPos;
 
-  locations[++curObj] = fpos;
+  set(&locations, ++curObj, fpos);
   pageObs[++pageNo] = curObj;
   sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
   writestr("<<\n");
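Review bot: `pageObs[++pageNo] = curObj;`, the line after the changed one, still writes into the fixed `int pageObs[500]` with no bound. Now that `locations` can grow past its old limit, input long enough to reach page 500 writes one element past the end of `pageObs` instead. Either give `pageObs` the same growable treatment or stop before the write, for example `if (pageNo + 1 >= 500) { fputs("text2pdf: too many pages\n", stderr); exit(EXIT_FAILURE); }`. StartPage's body continues outside the hunk, so any later use of `pageNo` as an index is not visible here.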
@@ -184,7 +213,7 @@
   writestr(">>\n");
   writestr("endobj\n");
   
-  locations[curObj] = fpos;
+  set(&locations, curObj, fpos);
   sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
   writestr("<<\n");
   sprintf(buf, "/Length %d 0 R\n", curObj + 1); writestr(buf);
@@ -208,7 +237,7 @@
   writestr("endstream\n");
   writestr("endobj\n");
 
-  locations[++curObj] = fpos;
+  set(&locations, ++curObj, fpos);
   sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
   sprintf(buf, "%lu\n", streamEnd - streamStart); writestr(buf);
   writestr("endobj\n");
@@ -289,7 +318,7 @@
   long xref;
   int i;
 
-  locations[3] = fpos;
+  set(&locations, 3, fpos);
   writestr("3 0 obj\n");
   writestr("<<\n");
   writestr("/Type /Pages\n");
@@ -307,7 +336,7 @@
   /* note that \n is translated by writestr */
   sprintf(buf, "0000000000 65535 f %c", LINE_END); writestr(buf);
   for (i = 1; i <= curObj; i++) {
-    sprintf(buf, "%.10ld 00000 n %c", locations[i], LINE_END);
+    sprintf(buf, "%.10ld 00000 n %c", locations.ptr[i], LINE_END);
     writestr(buf);
   }
