RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 05:07:34 +00:00
Code Issues Activity Actions

LibPDF: Ensure xref stream field widths are within expected range

Browse source 
Previously, an xref stream with a field with larger than 8 would
result in an undefined shift occurring. We now ensure that each field
width is a number and is less than or equal to 8.
This commit is contained in:
Tim Ledbetter 2023-10-28 09:03:09 +01:00 committed by Tim Flynn
parent 596773f12f
commit 5c0c55d2c0
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Userland/Libraries/LibPDF/DocumentParser.cpp
View file

@ -430,7 +430,12 @@ PDFErrorOr<NonnullRefPtr<XRefTable>> DocumentParser::parse_xref_stream()
for (int i = 0; i < count; i++) {
Array<long, 3> fields;
for (size_t field_index = 0; field_index < 3; ++field_index) {
if (!field_sizes->at(field_index).has_u32())
return error("Malformed xref stream");
auto field_size = field_sizes->at(field_index).get_u32();
if (field_size > 8)
return error("Malformed xref stream");
if (byte_index + field_size > stream->bytes().size())
return error("The xref stream data cut off early");