Blame SOURCES/djvulibre-3.5.27-buffer-overflow.patch
rdobuilder |
3550ff |
--- djvulibre-3.5.27/libdjvu/DjVmDir.cpp
+++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp
@@ -300,6 +300,9 @@ DjVmDir::decode(const GP<ByteStream> &gs
memcpy((char*) strings+strings_size, buffer, length);
}
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+ int strings_size=strings.size();
+ strings.resize(strings_size+3);
+ memset((char*) strings+strings_size, 0, 4);
// Copy names into the files
const char * ptr=strings;
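Review bot: The `+3` in `strings.resize(strings_size+3)` next to the `4` in `memset((char*) strings+strings_size, 0, 4)` reads as a one-byte write past the end unless `resize()` takes the highest valid index rather than an element count; nothing visible in the hunk settles which, so the added lines need a comment that does. Something like `// resize() takes the last index, so +3 appends 4 NUL bytes after the decoded names` would make the arithmetic checkable. The comment should also say why four bytes are enough, since the string reads in the copy loop below presumably depend on this padding to terminate. `DjVmDir::decode` starts and ends outside this hunk, so the definition of `strings` is not shown here.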
@@ -307,6 +310,8 @@ DjVmDir::decode(const GP<ByteStream> &gs
{
GP<File> file=files_list[pos];
+ if (ptr >= (const char*)strings + strings_size)
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
file->id=ptr;
ptr+=file->id.length()+1;
if (file->flags & File::HAS_NAME)
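Review bot: The added `ptr >= (const char*)strings + strings_size` check runs once per file, before `file->id=ptr`, but `ptr` is advanced again afterwards and the read under `File::HAS_NAME` is not re-checked. The loop body continues outside this hunk, so any further string fields there would be in the same position. Those later reads appear to stay in bounds only because of the zero padding appended after decompression, which ties the padding size to the number of unchecked reads per iteration. Either repeat the check before each string read, or record the dependency next to the check, e.g. `// relies on the NUL padding appended after decoding; keep it >= the number of string reads per file`. A names block that ends mid-string is also accepted with a shortened id rather than rejected as corrupted, which is worth a comment if it is intentional.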