50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Hutyra <zhutyra@centrum.cz>
|
|
Date: Mon, 20 Jan 2025 16:13:46 +0000
|
|
Subject: PDF interpreter - Guard against unsigned int overflow
|
|
|
|
Bug #708253 - see bug report for details.
|
|
|
|
CVE-2025-27834
|
|
---
|
|
pdf/pdf_func.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
|
|
index 9b7d5bb..9fba5e1 100644
|
|
--- a/pdf/pdf_func.c
|
|
+++ b/pdf/pdf_func.c
|
|
@@ -153,6 +153,8 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
|
|
byte *p = (ops ? ops + *size : NULL);
|
|
|
|
do {
|
|
+ if (*size > max_uint / 2)
|
|
+ return gs_note_error(gs_error_VMerror);
|
|
code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
|
|
if (code < 0)
|
|
break;
|
|
@@ -318,6 +320,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
|
|
if (code < 0)
|
|
goto function_4_error;
|
|
|
|
+ if (size > max_uint - 1) {
|
|
+ code = gs_note_error(gs_error_VMerror);
|
|
+ goto function_4_error;
|
|
+ }
|
|
+
|
|
ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
|
|
if (ops == NULL) {
|
|
code = gs_error_VMerror;
|
|
@@ -816,6 +823,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
|
|
if (code < 0)
|
|
goto halftone_function_error;
|
|
|
|
+ if (size > max_uint - 1) {
|
|
+ code = gs_note_error(gs_error_VMerror);
|
|
+ goto halftone_function_error;
|
|
+ }
|
|
+
|
|
ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
|
|
if (ops == NULL) {
|
|
code = gs_error_VMerror;
|