Hi
This code from PdfString::Write has a buffer overflow – it checks
buffer.GetSize() > 0 then sets nInputBufferLen=GetSize()-2 which is passed to
new[nInputBufferLen] and memcpy
if( pEncrypt && m_buffer.GetSize() && IsValid() )
{
pdf_long nInputBufferLen = m_buffer.GetSize() - 2; // Cut off the trailing pair
of zeros
pdf_long nUnicodeMarkerOffet = sizeof( PdfString::s_pszUnicodeMarker );
if( m_bUnicode )
nInputBufferLen += nUnicodeMarkerOffet;
char * pInputBuffer = new char[nInputBufferLen];
if( m_bUnicode )
{
memcpy(pInputBuffer, PdfString::s_pszUnicodeMarker, nUnicodeMarkerOffet);
memcpy(&pInputBuffer[nUnicodeMarkerOffet], m_buffer.GetBuffer(),
nInputBufferLen - nUnicodeMarkerOffet);
}
else
memcpy(pInputBuffer, m_buffer.GetBuffer(), nInputBufferLen);
}
If buffer.GetSize() == 1 and m_bUnicode is false then
nInputBufferLen = -1;
// bad_alloc or undefined behaviour when -1 sized array allocated
char* pInputBuffer = new char[-1];
memcpy( pInputBuffer, m_buffer.GetBuffer(), -1 );
If buffer.GetSize() == 1 and m_bUnicode is true then
nInputBufferLen = 1;
char* pInputBuffer = new char[1];
// 2 bytes copied into 1 byte buffer
memcpy( pInputBuffer, m_buffer.GetBuffer(), 2 );
If buffer.GetSize() == 2 and m_bUnicode is false then
nInputBufferLen = 0;
char* pInputBuffer = new char[0];
// using pInputBuffer with size 0 is undefined behaviour
https://stackoverflow.com/a/1087066
memcpy( pInputBuffer, m_buffer.GetBuffer(), 0 );
If buffer.GetSize() == 2 and m_bUnicode is true then
nInputBufferLen = 2;
char* pInputBuffer = new char[2];
memcpy( pInputBuffer, m_buffer.GetBuffer(), 2 );
// first parameter is outside buffer bounds and C standard says it must
still be a valid pointer for a zero byte copy
// https://stackoverflow.com/a/3751937
memcpy(&pInputBuffer[2], m_buffer.GetBuffer(), 2 - 2);
Best Regards
Mark
--
Mark Rogers - mark.rog...@powermapper.com<mailto:mark.rog...@powermapper.com>
PowerMapper Software Ltd - www.powermapper.com
Registered in Scotland No 362274 Quartermile 2 Edinburgh EH3 9GL
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users