Description: CVE-2017-7379
Acked-By: Markus Koschany
Acked-By: Mattia Rizzolo
Last-Update: 2017-05-03
Bug-Debian: https://bugs.debian.org/859331
Origin: https://sourceforge.net/p/podofo/code/1842
--- a/src/base/PdfEncoding.cpp
+++ b/src/base/PdfEncoding.cpp
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "PdfArray.h"
 #include "doc/PdfDifferenceEncoding.h"
@@ -362,7 +363,9 @@ void PdfSimpleEncoding::InitEncodingTable()
 {
 Util::PdfMutexWrapper wrapper( *m_mutex );
- const long lTableLength = 0xffff;
+ // CVE-2017-7379 - previously lTableLength was 0xffff, but pdf_utf16be characters can be in range 0..0xffff so this
+ // caused out-by-one heap overflow when character 0xffff was encoded
+ const long lTableLength = std::numeric_limits::max() + 1;
 const pdf_utf16be* cpUnicodeTable = this->GetToUnicodeTable();
 if( !m_pEncodingTable ) // double check
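Review bot: The new length `std::numeric_limits::max() + 1` in InitEncodingTable() is only correct while the character type is narrower than `int`. The template argument is lost in this rendering; if it is `pdf_utf16be` and that typedef is ever widened to an unsigned type as wide as `int`, the `+ 1` wraps to 0 and the table shrinks instead of growing. If the build allows C++11, a `static_assert( sizeof(pdf_utf16be) == 2, "encoding table assumes 16-bit code units" );` beside the constant would pin the assumption the fix depends on. The allocation and the loop that writes into the table are outside the hunk, so it is worth confirming that both are bounded by `lTableLength` and not by a separate `0xffff` literal. The comment's "out-by-one" would read more clearly as "off-by-one".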