diff options
| author | Jay Berkenbilt <ejb@ql.org> | 2013-10-05 11:51:54 +0200 |
|---|---|---|
| committer | Jay Berkenbilt <ejb@ql.org> | 2013-10-10 01:50:09 +0200 |
| commit | eb1b1264b46f02550201e3e5856ff575fa47a0f7 (patch) | |
| tree | 11bbc4740ffadc8469d8e0edd0ec1c3fbab91973 | |
| parent | c2e91d8ec30838077191fac8303974f149b41c4f (diff) | |
| download | qpdf-eb1b1264b46f02550201e3e5856ff575fa47a0f7.tar.zst | |
Security: fix potential multiplication overflow
Better sanity check inputs to bit stream reader
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | libqpdf/BitStream.cc | 4 |
2 files changed, 7 insertions, 0 deletions
@@ -1,5 +1,8 @@ 2013-10-05 Jay Berkenbilt <ejb@ql.org> + * Security fix: perform additional argument sanity checks when + reading bit streams. + * Security fix: in QUtil::toUTF8, change bounds checking to avoid having a pointer point temporarily outside the bounds of an array. Some compiler optimizations could have made the original diff --git a/libqpdf/BitStream.cc b/libqpdf/BitStream.cc index eb511f72..14eae55d 100644 --- a/libqpdf/BitStream.cc +++ b/libqpdf/BitStream.cc @@ -16,6 +16,10 @@ BitStream::reset() { p = start; bit_offset = 7; + if (static_cast<unsigned int>(nbytes) > static_cast<unsigned int>(-1) / 8) + { + throw std::runtime_error("array too large for bitstream"); + } bits_available = 8 * nbytes; } |