You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29 lines
1.0 KiB
29 lines
1.0 KiB
7 years ago
|
Description: CVE-2017-7379
|
||
|
|
Acked-By: Markus Koschany <apo@debian.org>
|
||
|
|
Acked-By: Mattia Rizzolo <mattia@debian.org>
|
||
|
|
Last-Update: 2017-05-03
|
||
|
|
Bug-Debian: https://bugs.debian.org/859331
|
||
|
|
Origin: https://sourceforge.net/p/podofo/code/1842
|
||
|
|
|
||
|
|
--- a/src/base/PdfEncoding.cpp
|
||
|
|
+++ b/src/base/PdfEncoding.cpp
|
||
|
|
@@ -45,6 +45,7 @@
|
||
|
|
#include <stack>
|
||
|
|
#include <stdlib.h>
|
||
|
|
#include <string.h>
|
||
|
|
+#include <limits>
|
||
|
|
#include <sstream>
|
||
|
|
#include "PdfArray.h"
|
||
|
|
#include "doc/PdfDifferenceEncoding.h"
|
||
|
|
@@ -362,7 +363,9 @@
|
||
|
|
void PdfSimpleEncoding::InitEncodingTable()
|
||
|
|
{
|
||
|
|
Util::PdfMutexWrapper wrapper( *m_mutex );
|
||
|
|
- const long lTableLength = 0xffff;
|
||
|
|
+ // CVE-2017-7379 - previously lTableLength was 0xffff, but pdf_utf16be characters can be in range 0..0xffff so this
|
||
|
|
+ // caused out-by-one heap overflow when character 0xffff was encoded
|
||
|
|
+ const long lTableLength = std::numeric_limits<pdf_utf16be>::max() + 1;
|
||
|
|
const pdf_utf16be* cpUnicodeTable = this->GetToUnicodeTable();
|
||
|
|
|
||
|
|
if( !m_pEncodingTable ) // double check
|