diff options
author | Jay Berkenbilt <ejb@ql.org> | 2013-10-05 11:48:56 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2013-10-10 01:50:07 +0200 |
commit | c2e91d8ec30838077191fac8303974f149b41c4f (patch) | |
tree | 48f5e0af432d08ee168593d39c44b509ac547373 | |
parent | b9fe85be288e792da628ddb343acb259c47cc343 (diff) | |
download | qpdf-c2e91d8ec30838077191fac8303974f149b41c4f.tar.zst |
Security: keep cur_byte pointing into bytes array
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | libqpdf/QUtil.cc | 4 |
2 files changed, 9 insertions, 2 deletions
@@ -1,3 +1,10 @@ +2013-10-05 Jay Berkenbilt <ejb@ql.org> + + * Security fix: in QUtil::toUTF8, change bounds checking to avoid + having a pointer point temporarily outside the bounds of an + array. Some compiler optimizations could have made the original + code unsafe. + 2013-07-10 Jay Berkenbilt <ejb@ql.org> * 5.0.0: release diff --git a/libqpdf/QUtil.cc b/libqpdf/QUtil.cc index c158e803..84ff004b 100644 --- a/libqpdf/QUtil.cc +++ b/libqpdf/QUtil.cc @@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval) // Maximum that will fit in high byte now shrinks by one bit maxval >>= 1; // Slide to the left one byte - --cur_byte; - if (cur_byte < bytes) + if (cur_byte <= bytes) { throw std::logic_error("QUtil::toUTF8: overflow error"); } + --cur_byte; } // If maxval is k bits long, the high (7 - k) bits of the // resulting byte must be high. |