summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2019-08-23 09:35:53 +0200
committerChristian Grothoff <christian@grothoff.org>2019-08-23 09:35:53 +0200
commitd2b032452241708bee68d02aa02092cfbfba951a (patch)
treeb3d7aa034e73c422933958522d8948b2e451e5e9
parent2fb6d01cf03ea7142fe1759fc8241f55331bf876 (diff)
fix #5846
-rw-r--r--ChangeLog3
-rw-r--r--src/plugins/dvi_extractor.c88
2 files changed, 48 insertions, 43 deletions
diff --git a/ChangeLog b/ChangeLog
index 80a5ca1..4661050 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+Fri 23 Aug 2019 09:34:35 AM CEST
+ Fix invalid read for malformed DVI files (#5846). -CG
+
Mon 13 May 2019 07:42:19 AM CEST
Consistently use AS_IF and AS_CASE in configure.ac. -CG
diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
index 268b48c..e3aa450 100644
--- a/src/plugins/dvi_extractor.c
+++ b/src/plugins/dvi_extractor.c
@@ -1,6 +1,6 @@
/*
This file is part of libextractor.
- Copyright (C) 2002, 2003, 2004, 2012, 2017 Vidyut Samanta and Christian Grothoff
+ Copyright (C) 2002, 2003, 2004, 2012, 2017, 2019 Vidyut Samanta and Christian Grothoff
libextractor is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
@@ -182,6 +182,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
size = ec->get_size (ec->cls);
if (size > 16 * 1024 * 1024)
return; /* too large */
+ if (klen + 15 > size)
+ return; /* malformed klen */
if (NULL == (data = malloc ((size_t) size)))
return; /* out of memory */
memcpy (data, buf, iret);
@@ -189,16 +191,16 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
while (off < size)
{
if (0 >= (iret = ec->read (ec->cls, &buf, 16 * 1024)))
- {
- free (data);
- return;
- }
+ {
+ free (data);
+ return;
+ }
memcpy (&data[off], buf, iret);
off += iret;
}
pos = size - 1;
while ( (223 == data[pos]) &&
- (pos > 0) )
+ (pos > 0) )
pos--;
if ( (2 != data[pos]) ||
(pos < 40) )
@@ -225,9 +227,9 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
break;
if ( (pos + 45 > size) ||
(pos + 45 < pos) )
- goto CLEANUP;
+ goto CLEANUP;
if (data[pos] != 139) /* expect 'bop' */
- goto CLEANUP;
+ goto CLEANUP;
pageCount++;
opos = pos;
pos = getIntAt (&data[opos + 41]);
@@ -238,24 +240,24 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
}
/* ok, now we believe it's a dvi... */
snprintf (pages,
- sizeof (pages),
- "%u",
- pageCount);
+ sizeof (pages),
+ "%u",
+ pageCount);
if (0 != ec->proc (ec->cls,
- "dvi",
- EXTRACTOR_METATYPE_PAGE_COUNT,
- EXTRACTOR_METAFORMAT_UTF8,
- "text/plain",
- pages,
- strlen (pages) + 1))
+ "dvi",
+ EXTRACTOR_METATYPE_PAGE_COUNT,
+ EXTRACTOR_METAFORMAT_UTF8,
+ "text/plain",
+ pages,
+ strlen (pages) + 1))
goto CLEANUP;
if (0 != ec->proc (ec->cls,
- "dvi",
- EXTRACTOR_METATYPE_MIMETYPE,
- EXTRACTOR_METAFORMAT_UTF8,
- "text/plain",
- "application/x-dvi",
- strlen ("application/x-dvi") + 1))
+ "dvi",
+ EXTRACTOR_METATYPE_MIMETYPE,
+ EXTRACTOR_METAFORMAT_UTF8,
+ "text/plain",
+ "application/x-dvi",
+ strlen ("application/x-dvi") + 1))
goto CLEANUP;
{
char comment[klen + 1];
@@ -263,18 +265,18 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
comment[klen] = '\0';
memcpy (comment, &data[15], klen);
if (0 != ec->proc (ec->cls,
- "dvi",
- EXTRACTOR_METATYPE_COMMENT,
- EXTRACTOR_METAFORMAT_C_STRING,
- "text/plain",
- comment,
- klen + 1))
+ "dvi",
+ EXTRACTOR_METATYPE_COMMENT,
+ EXTRACTOR_METAFORMAT_C_STRING,
+ "text/plain",
+ comment,
+ klen + 1))
goto CLEANUP;
}
/* try to find PDF/ps special */
pos = opos;
while ( (size >= 100) &&
- (pos < size - 100) )
+ (pos < size - 100) )
{
switch (data[pos])
{
@@ -284,34 +286,34 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
break;
case 239: /* zzz1 */
len = data[pos + 1];
- if (pos + 2 + len < size)
- if (0 != parseZZZ ((const char *) data, pos + 2, len, ec->proc, ec->cls))
- goto CLEANUP;
+ if ( (pos + 2 + len < size) &&
+ (0 != parseZZZ ((const char *) data, pos + 2, len, ec->proc, ec->cls)) )
+ goto CLEANUP;
pos += len + 2;
break;
case 240: /* zzz2 */
len = getShortAt (&data[pos + 1]);
- if (pos + 3 + len < size)
- if (0 != parseZZZ ((const char *) data, pos + 3, len, ec->proc, ec->cls))
- goto CLEANUP;
+ if ( (pos + 3 + len < size) &&
+ (0 != parseZZZ ((const char *) data, pos + 3, len, ec->proc, ec->cls)) )
+ goto CLEANUP;
pos += len + 3;
break;
case 241: /* zzz3, who uses that? */
len = (getShortAt (&data[pos + 1])) + 65536 * data[pos + 3];
- if (pos + 4 + len < size)
- if (0 != parseZZZ ((const char *) data, pos + 4, len, ec->proc, ec->cls))
- goto CLEANUP;
+ if ( (pos + 4 + len < size) &&
+ (0 != parseZZZ ((const char *) data, pos + 4, len, ec->proc, ec->cls)) )
+ goto CLEANUP;
pos += len + 4;
break;
case 242: /* zzz4, hurray! */
len = getIntAt (&data[pos + 1]);
- if (pos + 1 + len < size)
- if (0 != parseZZZ ((const char *) data, pos + 5, len, ec->proc, ec->cls))
- goto CLEANUP;
+ if ( (pos + 1 + len < size) &&
+ (0 != parseZZZ ((const char *) data, pos + 5, len, ec->proc, ec->cls)) )
+ goto CLEANUP;
pos += len + 5;
break;
default: /* unsupported opcode, abort scan */
- goto CLEANUP;
+ goto CLEANUP;
}
}
CLEANUP: