New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Array out of bounds #1
Comments
|
Well, since the author explicitly forbids publishing modified source, here's a patch instead --- text2pdf.c 2020-11-21 22:21:15.621999407 +0200
+++ text2pdf.c 2020-11-21 22:46:49.262204933 +0200
@@ -38,6 +38,35 @@
#define LINE_END '\015' /* CR used in xref table */
#define FF 12 /* formfeed character (^L) */
+/* Growable vector of longs */
+typedef struct vector vector;
+struct vector {
+ long *ptr;
+ long len;
+};
+
+void grow(vector* vec) {
+ long len = vec->len < 0? 1000 : vec->len * 2;
+ long* ptr = realloc(vec->ptr, len * sizeof(long));
+ if(!ptr) {
+ perror("text2pdf");
+ free(vec->ptr);
+ exit(EXIT_FAILURE);
+ }
+ vec->ptr = ptr;
+ vec->len = len;
+}
+
+void set(vector* vec, int n, long val) {
+ if (n < vec->len) {
+ vec->ptr[n] = val;
+ } else {
+ grow(vec);
+ set(vec, n, val);
+ }
+}
+/****************************/
+
char *appname = "text2pdf v1.1";
char *progname = "text2pdf";
@@ -45,7 +74,7 @@
int pageNo = 0;
int pageObs[500];
int curObj = 5; /* object number being or last written */
-long locations[1000];
+vector locations = {NULL, -1};
char font[256];
char *defaultFont = "Courier";
@@ -62,7 +91,7 @@
int pageHeight = 792;
int pageWidth = 612;
-unsigned char buf[1024];
+char buf[1024]; /* unsigned is useless within this program's semantics */
unsigned long fpos = 0;
void writestr(char *str) {
@@ -91,7 +120,7 @@
strftime(datestring, 30, "D:%Y%m%d%H%M%S", ltime);
writestr("%PDF-1.1\n");
- locations[1] = fpos;
+ set(&locations, 1, fpos);
writestr("1 0 obj\n");
writestr("<<\n");
sprintf(buf, "/CreationDate (%s)\n", datestring); writestr(buf);
@@ -100,7 +129,7 @@
writestr(">>\n");
writestr("endobj\n");
- locations[2] = fpos;
+ set(&locations, 2, fpos);
writestr("2 0 obj\n");
writestr("<<\n");
writestr("/Type /Catalog\n");
@@ -108,7 +137,7 @@
writestr(">>\n");
writestr("endobj\n");
- locations[4] = fpos;
+ set(&locations, 4, fpos);
writestr("4 0 obj\n");
writestr("<<\n");
writestr("/Type /Font\n");
@@ -161,7 +190,7 @@
writestr(">>\n");
writestr("endobj\n");
- locations[5] = fpos;
+ set(&locations, 5, fpos);
writestr("5 0 obj\n");
writestr("<<\n");
writestr(" /Font << /F1 4 0 R >>\n");
@@ -173,7 +202,7 @@
long StartPage(){
long strmPos;
- locations[++curObj] = fpos;
+ set(&locations, ++curObj, fpos);
pageObs[++pageNo] = curObj;
sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
writestr("<<\n");
@@ -184,7 +213,7 @@
writestr(">>\n");
writestr("endobj\n");
- locations[curObj] = fpos;
+ set(&locations, curObj, fpos);
sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
writestr("<<\n");
sprintf(buf, "/Length %d 0 R\n", curObj + 1); writestr(buf);
@@ -208,7 +237,7 @@
writestr("endstream\n");
writestr("endobj\n");
- locations[++curObj] = fpos;
+ set(&locations, ++curObj, fpos);
sprintf(buf, "%d 0 obj\n", curObj); writestr(buf);
sprintf(buf, "%lu\n", streamEnd - streamStart); writestr(buf);
writestr("endobj\n");
@@ -289,7 +318,7 @@
long xref;
int i;
- locations[3] = fpos;
+ set(&locations, 3, fpos);
writestr("3 0 obj\n");
writestr("<<\n");
writestr("/Type /Pages\n");
@@ -307,7 +336,7 @@
/* note that \n is translated by writestr */
sprintf(buf, "0000000000 65535 f %c", LINE_END); writestr(buf);
for (i = 1; i <= curObj; i++) {
- sprintf(buf, "%.10ld 00000 n %c", locations[i], LINE_END);
+ sprintf(buf, "%.10ld 00000 n %c", locations.ptr[i], LINE_END);
writestr(buf);
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the text2pdf.c file, the function SatrtPage does not check the maximum value of the parameter when operating on the array locations
when can see the maximum value of the parameter should less than 1000,but we got 1129
crash.txt:
crash.txt
The text was updated successfully, but these errors were encountered: