From cd0af5ba3ceee50b1c8a287149b48b2f4cb7ce0b Mon Sep 17 00:00:00 2001
From: yzrh <yzrh@noema.org>
Date: Thu, 29 Dec 2022 03:58:22 +0000
Subject: Fix buffer overflow when object size is less than 8 bytes.

Signed-off-by: yzrh <yzrh@noema.org>
---
 src/pdf_parser.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src/pdf_parser.c')

diff --git a/src/pdf_parser.c b/src/pdf_parser.c
index 3b29c52..b4470f9 100644
--- a/src/pdf_parser.c
+++ b/src/pdf_parser.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, yzrh <yzrh@noema.org>
+ * Copyright (c) 2020-2022, yzrh <yzrh@noema.org>
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -126,6 +126,7 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 
 	pdf_object_t *ptr = (*pdf)->next;
 
+	char str[8];
 	char *buf;
 	char *head;
 	char *tail;
@@ -140,11 +141,11 @@ pdf_load(pdf_object_t **pdf, FILE **fp, int size_buf)
 		memset(buf, 0, ptr->size);
 
 		fseek(*fp, ptr->address - 12, SEEK_SET);
-		fread(buf, 8, 1, *fp);
+		fread(str, 8, 1, *fp);
 
 		for (int i = 0; i < 8; i++) {
-			if (buf[i] >= '0' && buf[i] <= '9') {
-				ptr->id = atoi(buf + i);
+			if (str[i] >= '0' && str[i] <= '9') {
+				ptr->id = atoi(str + i);
 				break;
 			}
 		}
-- 
cgit v1.2.3