Bug 707945: Check number of incremental sections stated in journal.

Previously this number was read without its values being boundary checked, causing a crash for out of bounds values. Thanks to Piotr Kajda for proposing this patch.
ArtifexSoftware · Sep 2, 2024 · 0991934 · 0991934
1 parent d418c97
commit 0991934
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
@@ -1655,6 +1655,8 @@ void pdf_deserialise_journal(fz_context *ctx, pdf_document *doc, fz_stream *stm)
 		obj = pdf_parse_dict(ctx, doc, stm, &doc->lexbuf.base);
 
 		nis = pdf_dict_get_int(ctx, obj, PDF_NAME(NumSections));
+		if (nis < 0 || nis > doc->num_xref_sections)
+			fz_throw(ctx, FZ_ERROR_FORMAT, "Bad journal format");
 		pdf_fingerprint_file(ctx, doc, digest, nis);
 
 		file_size = pdf_dict_get_int(ctx, obj, PDF_NAME(FileSize));