2
1
mirror of https://github.com/qpdf/qpdf.git synced 2024-10-31 19:02:30 +00:00

Security: keep cur_byte pointing into bytes array

This commit is contained in:
Jay Berkenbilt 2013-10-05 05:48:56 -04:00
parent b9fe85be28
commit c2e91d8ec3
2 changed files with 9 additions and 2 deletions

View File

@ -1,3 +1,10 @@
2013-10-05 Jay Berkenbilt <ejb@ql.org>
* Security fix: in QUtil::toUTF8, change bounds checking to avoid
having a pointer point temporarily outside the bounds of an
array. Some compiler optimizations could have made the original
code unsafe.
2013-07-10 Jay Berkenbilt <ejb@ql.org>
* 5.0.0: release

View File

@ -360,11 +360,11 @@ QUtil::toUTF8(unsigned long uval)
// Maximum that will fit in high byte now shrinks by one bit
maxval >>= 1;
// Slide to the left one byte
--cur_byte;
if (cur_byte < bytes)
if (cur_byte <= bytes)
{
throw std::logic_error("QUtil::toUTF8: overflow error");
}
--cur_byte;
}
// If maxval is k bits long, the high (7 - k) bits of the
// resulting byte must be high.