[Full-disclosure] SumatraPDF <= 0.9.3 Heap Overflow PoC

[c]

The overflow occurs at the following location:

mupdf/mupdf/pdf_function.c:1167

    obj = fz_dictgets(dict, "C0");
    if (fz_isarray(obj))
    {
        func->n = fz_arraylen(obj);
        for (i = 0; i < func->n; ++i)
            func->u.e.c0[i] = fz_toreal(fz_arrayget(obj, i));
    }

func->n is used without being checked first. There are a few integer
overflows elsewhere in the code as well.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: a.pdf
Type: application/pdf
Size: 11689 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20090424/1921dad2/attachment.pdf