From c2e91d8ec30838077191fac8303974f149b41c4f Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Sat, 5 Oct 2013 05:48:56 -0400
Subject: Security: keep cur_byte pointing into bytes array

---
 libqpdf/QUtil.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libqpdf/QUtil.cc')

diff --git a/libqpdf/QUtil.cc b/libqpdf/QUtil.cc
index c158e803..84ff004b 100644
--- a/libqpdf/QUtil.cc
+++ b/libqpdf/QUtil.cc
@@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval)
 	    // Maximum that will fit in high byte now shrinks by one bit
 	    maxval >>= 1;
 	    // Slide to the left one byte
-	    --cur_byte;
-	    if (cur_byte < bytes)
+	    if (cur_byte <= bytes)
 	    {
 		throw std::logic_error("QUtil::toUTF8: overflow error");
 	    }
+	    --cur_byte;
 	}
 	// If maxval is k bits long, the high (7 - k) bits of the
 	// resulting byte must be high.
-- 
cgit v1.2.3-70-g09d2