djvulibre-3.5.27-5.1.mga7.src.rpm

From 970fb11a296b5bbdc5e8425851253d2c5913c45e Mon Sep 17 00:00:00 2001
From: Leon Bottou <leon@bottou.org>
Date: Tue, 26 Mar 2019 20:36:31 -0400
Subject: [PATCH] Fix bug#296

---
 libdjvu/DjVmDir.cpp | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
index a6a39e03..0a0fac6c 100644
--- a/libdjvu/DjVmDir.cpp
+++ b/libdjvu/DjVmDir.cpp
@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
          memcpy((char*) strings+strings_size, buffer, length);
       }
       DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+      int strings_size=strings.size();
+      strings.resize(strings_size+3);
+      memset((char*) strings+strings_size, 0, 4);
    
-         // Copy names into the files
+      // Copy names into the files
       const char * ptr=strings;
       for(pos=files_list;pos;++pos)
       {
          GP<File> file=files_list[pos];
-
+         if (ptr >= (const char*)strings + strings_size)
+           G_THROW( "DjVu document is corrupted (DjVmDir)" );
          file->id=ptr;
          ptr+=file->id.length()+1;
          if (file->flags & File::HAS_NAME)
          {
-            file->name=ptr;
-            ptr+=file->name.length()+1;
-         } else
+           file->name=ptr;
+           ptr+=file->name.length()+1;
+         }
+         else
          {
             file->name=file->id;
          }
          if (file->flags & File::HAS_TITLE)
          {
-            file->title=ptr;
-       ptr+=file->title.length()+1;
-         } else
-       file->title=file->id;
-   /* msr debug:  multipage file, file->title is null.  
+           file->title=ptr;
+           ptr+=file->title.length()+1;
+         }
+         else
+         {
+           file->title=file->id;
+         }
+         /* msr debug:  multipage file, file->title is null.  
          DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
                    file->offset << ", " << file->size << ", " <<
                    file->is_page() << "\n"); */
       }
 
-         // Check that there is only one file with SHARED_ANNO flag on
+      // Check that there is only one file with SHARED_ANNO flag on
       int shared_anno_cnt=0;
       for(pos=files_list;pos;++pos)
       {
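Review bot: The bounds check added at the top of the loop covers only the `file->id` read; the `file->name` and `file->title` reads further down stay in bounds only because of the four zero bytes appended after the names block. A truncated block therefore yields silently empty names or titles instead of the corruption error, and a later change that reads one more string per entry would go past the padding. That coupling deserves a comment above the `memset`, for example `// 4 zero bytes: id terminator + empty name + empty title may be read past strings_size`, which should also say that `resize()` takes the new upper index (as GTArray does, if that is the type of `strings`), since `+3` next to a 4-byte `memset` otherwise reads like an off-by-one. A stricter variant repeats `if (ptr >= (const char*)strings + strings_size) G_THROW( "DjVu document is corrupted (DjVmDir)" );` before each of the two optional reads, so that malformed directories are rejected outright. `DjVmDir::decode` begins and ends outside this hunk.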