diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4ce6c00..8f470fb 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1707,7 +1707,7 @@ int CCITTFaxStream::lookChar() { // 2-D encoding if (nextLine2D) { - for (i = 0; codingLine[i] < columns; ++i) { + for (i = 0; i < columns && codingLine[i] < columns; ++i) { refLine[i] = codingLine[i]; } refLine[i++] = columns; @@ -1723,7 +1723,7 @@ int CCITTFaxStream::lookChar() { // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible // exception at right edge: // refLine[b1i] = refLine[b1i+1] = columns is possible - while (codingLine[a0i] < columns) { + while (codingLine[a0i] < columns && !err) { code1 = getTwoDimCode(); switch (code1) { case twoDimPass: @@ -1757,6 +1757,12 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } break; case twoDimVertR3: @@ -1766,6 +1772,12 @@ int CCITTFaxStream::lookChar() { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1776,6 +1788,12 @@ int CCITTFaxStream::lookChar() { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1786,6 +1804,12 @@ int CCITTFaxStream::lookChar() { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1796,6 +1820,12 @@ int CCITTFaxStream::lookChar() { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1810,6 +1840,12 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1824,6 +1860,12 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1838,6 +1880,12 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -2021,6 +2069,12 @@ int CCITTFaxStream::lookChar() { outputBits = 0; if (codingLine[a0i] < columns) { ++a0i; + if (a0i > columns) { + error(errSyntaxError, getPos(), + "Bad bits {0:04x} in CCITTFax stream", bits); + err = gTrue; + break; + } outputBits = codingLine[a0i] - codingLine[a0i - 1]; } else if (bits > 0) { buf <<= bits;