Add bounds check in crypt, parser. Avoid division by zero.

2025-05-02 22:17:06 +08:00 · 2017-07-23 20:20:05 +00:00 · 2017-07-23 20:20:05 +00:00 · 7f83a4ea2f
commit 7f83a4ea2f
parent 3639b5c279
4 changed files with 45 additions and 2 deletions
--- a/pdf/core/crypt.go
+++ b/pdf/core/crypt.go
@ -1230,8 +1230,12 @@ func (this *PdfCrypt) Alg6(upass []byte) (bool, error) {
 	if this.R >= 3 {
 		// comparing on the first 16 bytes in the case of security
 		// handlers of revision 3 or greater),
-		uGen = uGen[0:16]
-		uDoc = uDoc[0:16]
+		if len(uGen) > 16 {
+			uGen = uGen[0:16]
+		}
+		if len(uDoc) > 16 {
+			uDoc = uDoc[0:16]
+		}
 	}
 	if uGen == uDoc {
 		this.EncryptionKey = key
--- a/pdf/core/encoding.go
+++ b/pdf/core/encoding.go
@ -253,6 +253,10 @@ func (this *FlateEncoder) DecodeStream(streamObj *PdfObjectStream) ([]byte, erro
 			common.Log.Trace("Colors: %d", this.Colors)

 			rowLength := int(this.Columns) * this.Colors
+			if rowLength < 1 {
+				// No data. Return empty set.
+				return []byte{}, nil
+			}
 			rows := len(outData) / rowLength
 			if len(outData)%rowLength != 0 {
 				common.Log.Debug("ERROR: TIFF encoding: Invalid row length...")
--- a/pdf/core/parser.go
+++ b/pdf/core/parser.go
@ -940,9 +940,27 @@ func (this *PdfParser) parseXrefStream(xstm *PdfObjectInteger) (*PdfObjectDictio
 	common.Log.Trace("Decoded stream length: %d", len(ds))
 	objIndex := 0
 	for i := 0; i < len(ds); i += deltab {
+		err := checkBounds(len(ds), i, i+s0)
+		if err != nil {
+			common.Log.Debug("Invalid slice range: %v", err)
+			return nil, err
+		}
 		p1 := ds[i : i+s0]
+
+		err = checkBounds(len(ds), i+s0, i+s1)
+		if err != nil {
+			common.Log.Debug("Invalid slice range: %v", err)
+			return nil, err
+		}
 		p2 := ds[i+s0 : i+s1]
+
+		err = checkBounds(len(ds), i+s1, i+s2)
+		if err != nil {
+			common.Log.Debug("Invalid slice range: %v", err)
+			return nil, err
+		}
 		p3 := ds[i+s1 : i+s2]
+
 		ftype := convertBytes(p1)
 		n2 := convertBytes(p2)
 		n3 := convertBytes(p3)
--- a/pdf/core/utils.go
+++ b/pdf/core/utils.go
@ -6,12 +6,29 @@
 package core

 import (
+	"errors"
 	"fmt"
 	"sort"

 	"github.com/unidoc/unidoc/common"
 )

+// Check slice range to make sure within bounds for accessing:
+//    slice[a:b] where sliceLen=len(slice).
+func checkBounds(sliceLen, a, b int) error {
+	if a < 0 || a > sliceLen {
+		return errors.New("Slice index a out of bounds")
+	}
+	if b < a {
+		return errors.New("Invalid slice index b < a")
+	}
+	if b > sliceLen {
+		return errors.New("Slice index b out of bounds")
+	}
+
+	return nil
+}
+
 // Inspect analyzes the document object structure.
 func (this *PdfParser) Inspect() (map[string]int, error) {
 	return this.inspect()