Commit 2cbb0f3e authored by Kan-Ru Chen's avatar Kan-Ru Chen

Fixes CVE-2017-15587

Closes: 879055
parent 534162f1
From: Kan-Ru Chen <koster@debian.org>
Date: Mon, 16 Oct 2017 13:14:25 +0200
Subject: Check for integer overflow when validating new style xref Index.
---
source/pdf/pdf-xref.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 14da300..55ad62c 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -918,7 +918,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
pdf_xref_entry *table;
int i, n;
- if (i0 < 0 || i1 < 0)
+ if (i0 < 0 || i1 < 0 || __builtin_add_overflow_p(i0, i1, (int)0))
fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
//if (i0 + i1 > pdf_xref_len(ctx, doc))
// fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
......@@ -4,3 +4,4 @@
0004-Fix-698539-Don-t-use-xps-font-if-it-could-not-be-loa.patch
0005-Fix-698540-Check-name-comment-and-meta-size-field-si.patch
0006-Fix-698558-Handle-non-tags-in-tag-name-comparisons.patch
0007-Check-for-integer-overflow-when-validating-new-style.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment