#263: large allocation size following large columns value. limiting columns (and any integer) to max and mix pdf allowed value for integer to avoid

Author: galkahana

PDFWriter/EncryptionHelper.cpp

@@ -48,6 +48,12 @@ EncryptionHelper::EncryptionHelper(void)
 	mXcryptAuthentication = NULL;
 	mXcryptStreams = NULL;
 	mXcryptStrings = NULL;
+
+	mV = 0;
+	mLength = 0;
+	mRevision = 0;
+	mP = 0;
+	mEncryptMetaData = false;
 }
 
 EncryptionHelper::~EncryptionHelper(void)

PDFWriter/IOBasicTypes.h

@@ -28,4 +28,6 @@ namespace IOBasicTypes
 	typedef unsigned char Byte;
     typedef size_t LongBufferSizeType;
 	typedef long long LongFilePositionType;
-}
+}
+
+

PDFWriter/InputPredictorTIFFSubStream.cpp

@@ -98,7 +98,8 @@ void InputPredictorTIFFSubStream::Assign(IByteReader* inSourceStream,
 	mColumns = inColumns;
 
 	delete mRowBuffer;
-	mRowBuffer = new Byte[(inColumns*inColors*inBitsPerComponent)/8];
+	IOBasicTypes::LongBufferSizeType bufferSize = (inColumns*inColors*inBitsPerComponent)/8;
+	mRowBuffer = new Byte[bufferSize];
 
 	mReadColorsCount = inColumns * inColors;
 	mReadColors = new unsigned short[mReadColorsCount];

PDFWriter/PDFObjectParser.cpp

@@ -45,6 +45,7 @@
 
 using namespace PDFHummus;
 
+
 PDFObjectParser::PDFObjectParser(void)
 {
 	mParserExtender = NULL;
@@ -554,13 +555,27 @@ bool PDFObjectParser::IsNumber(const std::string& inToken)
 
 typedef BoxingBaseWithRW<long long> LongLong;
 
+// maximum allowed PDF int value = 2^31 − 1.
+#define MAX_PDF_INT 2147483647L 
+// minimum allowed PDF int value = -2^31
+#define MIN_PDF_INT ((-MAX_PDF_INT)-1) 
+
 PDFObject* PDFObjectParser::ParseNumber(const std::string& inToken)
 {
 	// once we know this is a number, then parsing is easy. just determine if it's a real or integer, so as to separate classes for better accuracy
-	if(inToken.find(scDot) != inToken.npos)
+	if(inToken.find(scDot) != inToken.npos) {
 		return new PDFReal(Double(inToken));
-	else
-		return new PDFInteger(LongLong(inToken));
+	} else {
+		long long integerValue = LongLong(inToken);
+
+		// validate int value according to PDF limits. ignore if outside of range
+		if((integerValue > MAX_PDF_INT) || (integerValue < MIN_PDF_INT)) {
+			TRACE_LOG3("PDFObjectParser::ParseNumber, parsed integer %lld is outside of the allowed range for PDF integers - %ld to %ld", integerValue, MIN_PDF_INT, MAX_PDF_INT);
+			return NULL;
+		}
+
+		return new PDFInteger(integerValue);
+	}
 }
 
 static const std::string scLeftSquare = "[";

PDFWriter/PDFParser.cpp

@@ -2006,6 +2006,20 @@ EStatusCodeAndIByteReader PDFParser::WrapWithPredictorStream(IByteReader* inputS
 																(IOBasicTypes::LongBufferSizeType)bitsPerComponent->GetValue() :
 																8;
 
+			// validate bits per component
+			if(
+				bitsPerComponentValue != 1 &&
+				bitsPerComponentValue != 2 &&
+				bitsPerComponentValue != 4 &&
+				bitsPerComponentValue != 8 &&
+				bitsPerComponentValue != 16
+			) {
+				TRACE_LOG1("PDFParser::WrapWithPredictorStream, invalid BitsPerComponent value: %ld. allowed values: 1,2,4,8,16", bitsPerComponentValue);
+				status = PDFHummus::eFailure;
+				break;
+			}
+
+
 			switch(predictor->GetValue())
 			{
 				case 2: