From 22339500c243e564eadf564b5ae2925e1caf44a9 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Sun, 21 Jan 2018 21:08:07 +0100 Subject: [PATCH] Bug 698889: Handle unterminated PDF arrays gracefully. Thanks to oss-fuzz for reporting this. --- source/pdf/pdf-parse.c | 3 +++ 1 file changed, 3 insertions(+) From 2a1611030030e18010a0ab1d69eda0359eb5f585 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Wed, 13 Dec 2017 21:14:19 +0100 Subject: [PATCH] Validate that /Size in trailer is in range. --- source/pdf/pdf-xref.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) From 5722ebc5823381ee57c525cbc0d4dc627009979d Mon Sep 17 00:00:00 2001 From: Tor Andersson Date: Fri, 1 Dec 2017 16:25:39 +0100 Subject: [PATCH] Fix 698787: avoid using "system()" to copy files. --- platform/x11/x11_main.c | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) From d9bc8c6f7fb2e3ec7035bebaaee0edcf59287705 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Mon, 22 Jan 2018 17:56:20 +0100 Subject: [PATCH] Bug 698885: When parsing PDF version, make sure to initialize buffer. Thanks to oss-fuzz for reporting this. --- source/pdf/pdf-xref.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- ./source/pdf/pdf-parse.c +++ ./source/pdf/pdf-parse.c @@ -401,6 +401,9 @@ pdf_parse_array(fz_context *ctx, pdf_document *doc, fz_stream *file, pdf_lexbuf switch (tok) { + case PDF_TOK_EOF: + fz_throw(ctx, FZ_ERROR_SYNTAX, "array not closed before end of file"); + case PDF_TOK_CLOSE_ARRAY: op = ary; goto end; --- ./source/pdf/pdf-xref.c +++ ./source/pdf/pdf-xref.c @@ -748,8 +748,8 @@ pdf_xref_size_from_old_trailer(fz_context *ctx, pdf_document *doc, pdf_lexbuf *b trailer = pdf_parse_dict(ctx, doc, doc->file, buf); size = pdf_to_int(ctx, pdf_dict_get(ctx, trailer, PDF_NAME_Size)); - if (!size) - fz_throw(ctx, FZ_ERROR_GENERIC, "trailer missing Size entry"); + if (size < 0 || size > PDF_MAX_OBJECT_NUMBER + 1) + fz_throw(ctx, FZ_ERROR_GENERIC, "trailer Size entry out of range"); } fz_always(ctx) { --- ./platform/x11/x11_main.c +++ ./platform/x11/x11_main.c @@ -317,13 +317,38 @@ void winreplacefile(char *source, char *target) void wincopyfile(char *source, char *target) { - char *buf = malloc(strlen(source)+strlen(target)+5); - if (buf) + FILE *in, *out; + char buf[32 << 10]; + int n; + + in = fopen(source, "rb"); + if (!in) + { + winerror(&gapp, "cannot open source file for copying"); + return; + } + out = fopen(target, "wb"); + if (!out) + { + winerror(&gapp, "cannot open target file for copying"); + fclose(in); + return; + } + + for (;;) { - sprintf(buf, "cp %s %s", source, target); - system(buf); - free(buf); + n = fread(buf, 1, sizeof buf, in); + fwrite(buf, 1, n, out); + if (n < sizeof buf) + { + if (ferror(in)) + winerror(&gapp, "cannot read data from source file"); + break; + } } + + fclose(out); + fclose(in); } void cleanup(pdfapp_t *app) --- ./source/pdf/pdf-xref.c +++ ./source/pdf/pdf-xref.c @@ -590,7 +590,7 @@ pdf_load_version(fz_context *ctx, pdf_document *doc) fz_seek(ctx, doc->file, 0, SEEK_SET); fz_read_line(ctx, doc->file, buf, sizeof buf); - if (memcmp(buf, "%PDF-", 5) != 0) + if (strlen(buf) < 5 || memcmp(buf, "%PDF-", 5) != 0) fz_throw(ctx, FZ_ERROR_GENERIC, "cannot recognize version marker"); doc->version = 10 * (fz_atof(buf+5) + 0.05f); -- 2.9.1