-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | libqpdf/BitStream.cc | 4 |
2 files changed, 7 insertions, 0 deletions
@@ -1,5 +1,8 @@ 2013-10-05 Jay Berkenbilt <ejb@ql.org> + * Security fix: perform additional argument sanity checks when + reading bit streams. + * Security fix: in QUtil::toUTF8, change bounds checking to avoid having a pointer point temporarily outside the bounds of an array. Some compiler optimizations could have made the original diff --git a/libqpdf/BitStream.cc b/libqpdf/BitStream.cc index eb511f72..14eae55d 100644 --- a/libqpdf/BitStream.cc +++ b/libqpdf/BitStream.cc @@ -16,6 +16,10 @@ BitStream::reset() { p = start; bit_offset = 7; + if (static_cast<unsigned int>(nbytes) > static_cast<unsigned int>(-1) / 8) + { + throw std::runtime_error("array too large for bitstream"); + } bits_available = 8 * nbytes; } |
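Review bot: The new guard in BitStream::reset() bounds nbytes by `static_cast<unsigned int>(-1) / 8`, but the next line, `bits_available = 8 * nbytes;`, is evaluated in the type of nbytes, which is declared outside this hunk. If nbytes is a signed int, values between INT_MAX/8 and UINT_MAX/8 pass the check and the multiplication still overflows, which is undefined behaviour. If it is wider than unsigned int, the cast truncates the value before the comparison. The bound should be taken from the type the product is actually computed in, for example `if (nbytes < 0 || nbytes > std::numeric_limits<int>::max() / 8)` for an int member; confirm against the declarations in the header. A short comment such as `// reject sizes whose bit count (8 * nbytes) would overflow` above the check would record why it is there.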