authorJay Berkenbilt <ejb@ql.org>2013-10-05 11:48:56 +0200
committerJay Berkenbilt <ejb@ql.org>2013-10-10 01:50:07 +0200
commitc2e91d8ec30838077191fac8303974f149b41c4f (patch)
tree48f5e0af432d08ee168593d39c44b509ac547373
parentb9fe85be288e792da628ddb343acb259c47cc343 (diff)
Security: keep cur_byte pointing into bytes array
-rw-r--r--ChangeLog7
-rw-r--r--libqpdf/QUtil.cc4
2 files changed, 9 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 4d5a0e6a..449f5f93 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-10-05 Jay Berkenbilt <ejb@ql.org>
+
+ * Security fix: in QUtil::toUTF8, change bounds checking to avoid
+ having a pointer point temporarily outside the bounds of an
+ array. Some compiler optimizations could have made the original
+ code unsafe.
+
2013-07-10 Jay Berkenbilt <ejb@ql.org>
* 5.0.0: release
diff --git a/libqpdf/QUtil.cc b/libqpdf/QUtil.cc
index c158e803..84ff004b 100644
--- a/libqpdf/QUtil.cc
+++ b/libqpdf/QUtil.cc
@@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval)
// Maximum that will fit in high byte now shrinks by one bit
maxval >>= 1;
// Slide to the left one byte
- --cur_byte;
- if (cur_byte < bytes)
+ if (cur_byte <= bytes)
{
throw std::logic_error("QUtil::toUTF8: overflow error");
}
+ --cur_byte;
}
// If maxval is k bits long, the high (7 - k) bits of the
// resulting byte must be high.
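Review bot: The comment `// Slide to the left one byte` now sits above the bounds check rather than the `--cur_byte;` it describes, and nothing in the new code records why the check has to come first. I would move that comment down to just above `--cur_byte;` and put this above the `if`: `// Check before decrementing: a pointer below bytes[0] is undefined behavior, so a test made after --cur_byte may be optimized away.` Without that, a later cleanup could plausibly restore the old order and reintroduce the problem the ChangeLog entry describes. The enclosing loop and the rest of toUTF8 start and end outside this hunk, so the size of `bytes` and the other writes through `cur_byte` cannot be confirmed from here.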