diff options
| author | Albert Astals Cid <aacid@kde.org> | 2020-04-08 23:52:43 +0200 |
|---|---|---|
| committer | Albert Astals Cid <tsdgeos@yahoo.es> | 2020-04-09 20:53:18 +0000 |
| commit | af1cb4cb719dcb94314bbefc78b59ac426b8fed2 (patch) | |
| tree | 7a326e8c55b78b2b73b59070a42b0f2478ba8d30 | |
| parent | 48735999ca27fca8f154aa15c078c4576ab64ae5 (diff) | |
Fix uninitialized memory read on malformed documents
| -rw-r--r-- | libspectre/ps.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/libspectre/ps.c b/libspectre/ps.c index 4374272..0883670 100644 --- a/libspectre/ps.c +++ b/libspectre/ps.c @@ -1050,15 +1050,17 @@ continuepage: /* Do nothing */ } else if (doc->pages[doc->numpages].orientation == NONE && iscomment(line+2, "PageOrientation:")) { - sscanf(line+length("%%PageOrientation:"), "%256s", text); - if (strcmp(text, "Portrait") == 0) { - doc->pages[doc->numpages].orientation = PORTRAIT; - } else if (strcmp(text, "Landscape") == 0) { - doc->pages[doc->numpages].orientation = LANDSCAPE; - } else if (strcmp(text, "Seascape") == 0) { - doc->pages[doc->numpages].orientation = SEASCAPE; - } else if (strcmp(text, "UpsideDown") == 0) { - doc->pages[doc->numpages].orientation = UPSIDEDOWN; + const int res = sscanf(line+length("%%PageOrientation:"), "%256s", text); + if (res != EOF) { + if (strcmp(text, "Portrait") == 0) { + doc->pages[doc->numpages].orientation = PORTRAIT; + } else if (strcmp(text, "Landscape") == 0) { + doc->pages[doc->numpages].orientation = LANDSCAPE; + } else if (strcmp(text, "Seascape") == 0) { + doc->pages[doc->numpages].orientation = SEASCAPE; + } else if (strcmp(text, "UpsideDown") == 0) { + doc->pages[doc->numpages].orientation = UPSIDEDOWN; + } } } else if (doc->pages[doc->numpages].media == NULL && iscomment(line+2, "PageMedia:")) { @@ -1086,8 +1088,8 @@ continuepage: PS_free(cp); } else if ((page_bb_set == NONE || page_bb_set == ATEND) && iscomment(line+2, "PageBoundingBox:")) { - sscanf(line+length("%%PageBoundingBox:"), "%256s", text); - if (strcmp(text, "(atend)") == 0 || strcmp(text, "atend") == 0) { + const int res = sscanf(line+length("%%PageBoundingBox:"), "%256s", text); + if ((res != EOF) && (strcmp(text, "(atend)") == 0 || strcmp(text, "atend") == 0)) { page_bb_set = ATEND; } else { if (scan_boundingbox(doc->pages[doc->numpages].boundingbox, |