-rw-r--r--ChangeLog4
-rw-r--r--src/plugins/dvi_extractor.c20
2 files changed, 17 insertions, 7 deletions
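--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Tue Oct 17 08:49:31 CEST 2017
+	Fix integer overflows in DVI extractor found by Leon Zhao, which
+	could cause SEGVs (read-only). -CG
+
 Sun Oct 15 19:36:41 CEST 2017
 	Fix potential file descriptor leak (on error handling path).
 	Fix potential assign-after-free (on IPC error handling path).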
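--- a/src/plugins/dvi_extractor.c
+++ b/src/plugins/dvi_extractor.c
@@ -1,6 +1,6 @@
 /*
   This file is part of libextractor.
-  Copyright (C) 2002, 2003, 2004, 2012 Vidyut Samanta and Christian Grothoff
+  Copyright (C) 2002, 2003, 2004, 2012, 2017 Vidyut Samanta and Christian Grothoff
 
   libextractor is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published
@@ -175,7 +175,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
   if (40 >= (iret = ec->read (ec->cls, &buf, 1024)))
     return;
   data = buf;
-  if ((data[0] != 247) || (data[1] != 2))
+  if ( (data[0] != 247) ||
+       (data[1] != 2) )
     return; /* cannot be DVI or unsupported version */
   klen = data[14];
   size = ec->get_size (ec->cls);
@@ -196,9 +197,11 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
       off += iret;
     }
   pos = size - 1;
-  while ((223 == data[pos]) && (pos > 0))
+  while ( (223 == data[pos]) &&
+          (pos > 0) )
     pos--;
-  if ((2 != data[pos]) || (pos < 40))
+  if ( (2 != data[pos]) ||
+       (pos < 40) )
     goto CLEANUP;
   pos--;
   pos -= 4;
@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
     goto CLEANUP;
   opos = pos;
   pos = getIntAt (&data[opos + 1]);
-  if (pos + 25 > size)
+  if ( (pos + 25 > size) ||
+       (pos + 25 < pos) )
     goto CLEANUP;
   /* assert pos at 'post' command */
   if (data[pos] != 248)
@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
     {
       if (UINT32_MAX == pos)
         break;
-      if (pos + 45 > size)
+      if ( (pos + 45 > size) ||
+           (pos + 45 < pos) )
         goto CLEANUP;
       if (data[pos] != 139) /* expect 'bop' */
         goto CLEANUP;
@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
     }
   /* try to find PDF/ps special */
   pos = opos;
-  while (pos < size - 100)
+  while ( (size >= 100) &&
+          (pos < size - 100) )
     {
       switch (data[pos])
         {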
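Review bot: The added wrap guards `(pos + 25 < pos)` at new line 214 and `(pos + 45 < pos)` at new line 227 are only well-defined if `pos` is an unsigned type; the `UINT32_MAX == pos` comparison at line 224 suggests it is, but the declaration is outside these hunks, and with a signed `pos` the guard would itself be signed-overflow UB that the compiler may remove. A form that never overflows regardless of the type or its width relative to `size` is `if ( (size < 25) || (pos > size - 25) )` at line 213 and `if ( (size < 45) || (pos > size - 45) )` at line 226; this also avoids the case where a narrower `pos + 25` wraps before being widened for the comparison with `size`, which the current pair of checks catches only because of the second clause. The loop condition at new lines 276-277 already uses this subtract-with-precheck shape, so the three sites would then read the same way. EXTRACTOR_dvi_extract_method begins and ends outside the hunks shown.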