author | Jay Berkenbilt <ejb@ql.org> | 2013-10-05 12:26:06 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2013-10-10 01:50:09 +0200 |
commit | 3eb4b066ab3f25f6454214d33b2fc17161812dfa (patch) | |
tree | c6e71e5ed387d5d728e13fcdd57b1bca94c41e50 /libqpdf/QPDF_linearization.cc | |
parent | b097d7a81b5c9cb349fff5c1efe6a0c390025579 (diff) | |
download | qpdf-3eb4b066ab3f25f6454214d33b2fc17161812dfa.tar.zst |
Security: better bounds checks for linearization data
The faulty code was only used during explicit checks of linearization
data. Those checks are not part of normal reading or writing of PDF
files.
Diffstat (limited to 'libqpdf/QPDF_linearization.cc')
-rw-r--r-- | libqpdf/QPDF_linearization.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libqpdf/QPDF_linearization.cc b/libqpdf/QPDF_linearization.cc
index 2c4fefc0..dd09b1c0 100644
--- a/libqpdf/QPDF_linearization.cc
+++ b/libqpdf/QPDF_linearization.cc
@@ -295,11 +295,25 @@ QPDF::readLinearizationData()
 readHPageOffset(BitStream(h_buf, h_size));
 int HSi = HS.getIntValue();
+ if ((HSi < 0) || (HSi >= h_size))
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ "linearization hint table",
+ this->file->getLastOffset(),
+ "/S (shared object) offset is out of bounds");
+ }
 readHSharedObject(BitStream(h_buf + HSi, h_size - HSi));
 if (HO.isInteger())
 {
 int HOi = HO.getIntValue();
+ if ((HOi < 0) || (HOi >= h_size))
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ "linearization hint table",
+ this->file->getLastOffset(),
+ "/O (outline) offset is out of bounds");
+ }
 readHGeneric(BitStream(h_buf + HOi, h_size - HOi), this->outline_hints);
 } |
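Review bot: The new range checks on `HSi` and `HOi` run only after the result of `getIntValue()` has been stored in an `int`. If `getIntValue()` returns a wider type (its declaration is not on this page), an out-of-range /S or /O value in a damaged file could be truncated into `[0, h_size)` and pass the check with the wrong offset. The pointer arithmetic stays inside `h_buf` either way, but the damaged-file error would be skipped, so consider comparing before narrowing, e.g. `long long HSv = HS.getIntValue(); if ((HSv < 0) || (HSv >= h_size))`. The two added blocks differ only in the variable and the message, so a small private helper taking the offset and a description would keep them from drifting apart. `readLinearizationData()` starts and ends outside the hunk, so whether `HS.isInteger()` is verified before `HS.getIntValue()` (as is done for `HO`) cannot be confirmed from here.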