36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
From 970fb11a296b5bbdc5e8425851253d2c5913c45e Mon Sep 17 00:00:00 2001
|
|
From: Leon Bottou <leon@bottou.org>
|
|
Date: Tue, 26 Mar 2019 20:36:31 -0400
|
|
Subject: [PATCH] Fix bug#296
|
|
|
|
---
|
|
libdjvu/DjVmDir.cpp | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
|
|
index 153e3c7..5834da6 100644
|
|
--- a/libdjvu/DjVmDir.cpp
|
|
+++ b/libdjvu/DjVmDir.cpp
|
|
@@ -300,6 +300,9 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
|
|
memcpy((char*) strings+strings_size, buffer, length);
|
|
}
|
|
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
|
|
+ int strings_size=strings.size();
|
|
+ strings.resize(strings_size+3);
|
|
+ memset((char*) strings+strings_size, 0, 4);
|
|
|
|
// Copy names into the files
|
|
const char * ptr=strings;
|
|
@@ -307,6 +310,8 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
|
|
{
|
|
GP<File> file=files_list[pos];
|
|
|
|
+ if (ptr >= (const char*)strings + strings_size)
|
|
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
|
|
file->id=ptr;
|
|
ptr+=file->id.length()+1;
|
|
if (file->flags & File::HAS_NAME)
|
|
--
|
|
2.23.0
|
|
|