dany/pdfio
1
0
Fork 0
mirror of https://github.com/michaelrsweet/pdfio.git synced 2024-12-26 13:28:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential denial-of-service in flate stream code.

Browse Source
This commit is contained in:
Michael R Sweet 2023-03-20 09:27:19 -04:00
parent e138232a93
commit 97d4955666
No known key found for this signature in database
GPG Key ID: BE67C75EC81F3244
2 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES.md
View File

@ -2,9 +2,10 @@ Changes in PDFio
================ ================
v1.1.1 (Month DD, YYYY) v1.1.1 (March 20, 2023)
----------------------- -----------------------
- CVE-2023-NNNNN: Fixed a potential denial-of-service with corrupt PDF files.
- Fixed a build issue. - Fixed a build issue.

19
pdfio-stream.c
View File

@ -1008,6 +1008,7 @@ stream_read(pdfio_stream_t *st, // I - Stream
size_t bytes) // I - Number of bytes to read size_t bytes) // I - Number of bytes to read
{ {
ssize_t rbytes; // Bytes read ssize_t rbytes; // Bytes read
uInt avail_in, avail_out; // Previous flate values
if (st->filter == PDFIO_FILTER_NONE) if (st->filter == PDFIO_FILTER_NONE)
@ -1060,11 +1061,19 @@ stream_read(pdfio_stream_t *st, // I - Stream
st->flate.next_out = (Bytef *)buffer; st->flate.next_out = (Bytef *)buffer;
st->flate.avail_out = (uInt)bytes; st->flate.avail_out = (uInt)bytes;
avail_in = st->flate.avail_in;
avail_out = st->flate.avail_out;
if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK) if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK)
{ {
_pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status)); _pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status));
return (-1); return (-1);
} }
else if (avail_in == st->flate.avail_in && avail_out == st->flate.avail_out)
{
_pdfioFileError(st->pdf, "Corrupt stream data.");
return (-1);
}
return (st->flate.next_out - (Bytef *)buffer); return (st->flate.next_out - (Bytef *)buffer);
} }
@ -1113,12 +1122,15 @@ stream_read(pdfio_stream_t *st, // I - Stream
st->flate.avail_in = (uInt)rbytes; st->flate.avail_in = (uInt)rbytes;
} }
avail_in = st->flate.avail_in;
avail_out = st->flate.avail_out;
if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK) if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK)
{ {
_pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status)); _pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status));
return (-1); return (-1);
} }
else if (status == Z_STREAM_END) else if (status == Z_STREAM_END || (avail_in == st->flate.avail_in && avail_out == st->flate.avail_out))
break; break;
} }
@ -1180,12 +1192,15 @@ stream_read(pdfio_stream_t *st, // I - Stream
st->flate.avail_in = (uInt)rbytes; st->flate.avail_in = (uInt)rbytes;
} }
avail_in = st->flate.avail_in;
avail_out = st->flate.avail_out;
if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK) if ((status = inflate(&(st->flate), Z_NO_FLUSH)) < Z_OK)
{ {
_pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status)); _pdfioFileError(st->pdf, "Unable to decompress stream data: %s", zstrerror(status));
return (-1); return (-1);
} }
else if (status == Z_STREAM_END) else if (status == Z_STREAM_END || (avail_in == st->flate.avail_in && avail_out == st->flate.avail_out))
break; break;
} }