Add more bounds checking

src/antiword.h

@@ -253,7 +253,7 @@
 
 #define BUF_AUC 1
 extern void setBufferSize(ULONG size);
-extern BOOL isOutOfBounds(ULONG offset);
+extern BOOL isOutOfBounds(ULONG offset, size_t size);
 
 /* Prototypes */
 

src/pdf.c

@@ -514,6 +514,7 @@ vMove2NextPage(diagram_type *pDiag, BOOL bNewSection)
 	vAddHeader(pDiag);
 } /* end of vMove2NextPage */
 
+#define VMOVETO_MAX_DEPTH 300
 /*
  * vMoveTo - move to the specified X,Y coordinates
  *
@@ -527,7 +528,24 @@ vMoveTo(diagram_type *pDiag, long lLastVerticalMovement)
 	fail(pDiag->pOutFile == NULL);
 
 	if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) {
-		vMove2NextPage(pDiag, FALSE);
+
+        // NOTE: SIST2: only output the first page
+        vAddFooter(pDiag);
+        vEndPageObject(pDiag->pOutFile);
+
+        iObjectNumberCurr++;
+        vSetLocation(iObjectNumberCurr);
+        vFillNextPageObject();
+        vFPprintf(pDiag->pOutFile, "%d 0 obj\n", iObjectNumberCurr);
+        vFPprintf(pDiag->pOutFile, "<<\n");
+        vFPprintf(pDiag->pOutFile, "/Type /Page\n");
+        vFPprintf(pDiag->pOutFile, "/Parent 3 0 R\n");
+        vFPprintf(pDiag->pOutFile, "/Resources 17 0 R\n");
+        vFPprintf(pDiag->pOutFile, "/Contents %d 0 R\n", iObjectNumberCurr + 1);
+        vFPprintf(pDiag->pOutFile, ">>\n");
+        vFPprintf(pDiag->pOutFile, "endobj\n");
+        // ^^^
+
 		/* Repeat the last vertical movement on the new page */
 		pDiag->lYtop -= lLastVerticalMovement;
 	}
@@ -978,6 +996,7 @@ static void
 vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength,
 	USHORT usFontstyle)
 {
+
 	const UCHAR	*aucBytes;
 	double	dMove;
 	size_t	tCount;

src/prop8.c

@@ -22,23 +22,30 @@
  * iGet8InfoLength - the length of the information for Word 8/9/10/11 files
  */
 static int
-iGet8InfoLength(int iByteNbr, const UCHAR *aucGrpprl)
-{
+iGet8InfoLength(int iByteNbr, const UCHAR *aucGrpprl) {
     int iTmp, iDel, iAdd;
     USHORT usOpCode;
 
     usOpCode = usGetWord(iByteNbr, aucGrpprl);
 
     switch (usOpCode & 0xe000) {
-	case 0x0000: case 0x2000:
+        case 0x0000:
+        case 0x2000:
             return 3;
-	case 0x4000: case 0x8000: case 0xa000:
+        case 0x4000:
+        case 0x8000:
+        case 0xa000:
             return 4;
         case 0xe000:
             return 5;
         case 0x6000:
             return 6;
         case 0xc000:
+            // HOTFIX for buffer overflow (fuzzing)
+            if (iByteNbr + 2 >= sizeof(section_block_type) - 1) {
+                return 1;
+            }
+
             iTmp = (int) ucGetByte(iByteNbr + 2, aucGrpprl);
             if (usOpCode == 0xc615 && iTmp == 255) {
                 iDel = (int) ucGetByte(iByteNbr + 3, aucGrpprl);
@@ -63,8 +70,7 @@ static UCHAR *
 aucFillInfoBuffer(FILE *pFile, const pps_type *pTable,
                   const ULONG *aulBBD, size_t tBBDLen,
                   const ULONG *aulSBD, size_t tSBDLen,
-	ULONG ulBeginInfo, size_t tInfoLen)
-{
+                  ULONG ulBeginInfo, size_t tInfoLen) {
     const ULONG *aulBlockDepot;
     UCHAR *aucBuffer;
     size_t tBlockDepotLen, tBlockSize;
@@ -108,8 +114,7 @@ void
 vGet8DopInfo(FILE *pFile, const pps_type *pTable,
              const ULONG *aulBBD, size_t tBBDLen,
              const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+             const UCHAR *aucHeader) {
     document_block_type tDocument;
     UCHAR *aucBuffer;
     ULONG ulBeginDocpInfo, ulTmp;
@@ -153,8 +158,7 @@ vGet8DopInfo(FILE *pFile, const pps_type *pTable,
  */
 static void
 vGet8SectionInfo(const UCHAR *aucGrpprl, size_t tBytes,
-		section_block_type *pSection)
-{
+                 section_block_type *pSection) {
     UINT uiIndex;
     int iFodoOff, iInfoLen, iSize, iTmp;
     USHORT usCcol;
@@ -220,8 +224,7 @@ void
 vGet8SepInfo(FILE *pFile, const pps_info_type *pPPS,
              const ULONG *aulBBD, size_t tBBDLen,
              const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+             const UCHAR *aucHeader) {
     section_block_type tSection;
     ULONG *aulSectPage, *aulCharPos;
     UCHAR *aucBuffer, *aucFpage;
@@ -313,8 +316,7 @@ void
 vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
                 const ULONG *aulBBD, size_t tBBDLen,
                 const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+                const UCHAR *aucHeader) {
     ULONG *aulCharPos;
     UCHAR *aucBuffer;
     ULONG ulHdrFtrOffset, ulBeginHdrFtrInfo;
@@ -363,8 +365,7 @@ vGet8HdrFtrInfo(FILE *pFile, const pps_type *pTable,
  */
 row_info_enum
 eGet8RowInfo(int iFodo,
-	const UCHAR *aucGrpprl, int iBytes, row_block_type *pRow)
-{
+             const UCHAR *aucGrpprl, int iBytes, row_block_type *pRow) {
     int iFodoOff, iInfoLen;
     int iIndex, iSize, iCol;
     int iPosCurr, iPosPrev;
@@ -387,6 +388,12 @@ eGet8RowInfo(int iFodo,
     bFoundd608 = FALSE;
     while (iBytes >= iFodoOff + 2) {
         iInfoLen = 0;
+
+        // HOTFIX for buffer overflow (fuzzing)
+        if (iFodo + iFodoOff >= BIG_BLOCK_SIZE - 4) {
+            break;
+        }
+
         switch (usGetWord(iFodo + iFodoOff, aucGrpprl)) {
             case 0x2416:    /* fInTable */
                 if (odd(ucGetByte(iFodo + iFodoOff + 2, aucGrpprl))) {
@@ -528,8 +535,7 @@ eGet8RowInfo(int iFodo,
  */
 void
 vGet8StyleInfo(int iFodo,
-	const UCHAR *aucGrpprl, int iBytes, style_block_type *pStyle)
-{
+               const UCHAR *aucGrpprl, int iBytes, style_block_type *pStyle) {
     list_block_type tList6;
     const list_block_type *pList;
     int iFodoOff, iInfoLen;
@@ -547,6 +553,12 @@ vGet8StyleInfo(int iFodo,
     iFodoOff = 0;
     while (iBytes >= iFodoOff + 2) {
         iInfoLen = 0;
+
+        // HOTFIX for buffer overflow (fuzzing)
+        if (iFodo + iFodoOff >= BIG_BLOCK_SIZE - 4) {
+            break;
+        }
+
         usOpCode = usGetWord(iFodo + iFodoOff, aucGrpprl);
         switch (usOpCode) {
             case 0x2403:    /* jc */
@@ -689,8 +701,7 @@ vGet8StyleInfo(int iFodo,
  * Returns the value when found, otherwise 0
  */
 static short
-sGetLeftIndent(const UCHAR *aucGrpprl, size_t tBytes)
-{
+sGetLeftIndent(const UCHAR *aucGrpprl, size_t tBytes) {
     int iOffset, iInfoLen;
     USHORT usOpCode, usTmp;
 
@@ -720,8 +731,7 @@ void
 vGet8LstInfo(FILE *pFile, const pps_info_type *pPPS,
              const ULONG *aulBBD, size_t tBBDLen,
              const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+             const UCHAR *aucHeader) {
     list_block_type tList;
     const ULONG *aulBlockDepot;
     UCHAR *aucLfoInfo, *aucLstfInfo, *aucPapx, *aucXString;
@@ -937,8 +947,7 @@ void
 vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
              const ULONG *aulBBD, size_t tBBDLen,
              const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+             const UCHAR *aucHeader) {
     row_block_type tRow;
     style_block_type tStyle;
     ULONG *aulParfPage;
@@ -999,6 +1008,12 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
         NO_DBG_DEC(iRun);
         for (iIndex2 = 0; iIndex2 < iRun; iIndex2++) {
             NO_DBG_HEX(ulGetLong(iIndex2 * 4, aucFpage));
+
+            // HOTFIX for buffer overflow (fuzzing)
+            if ((iRun + 1) * 4 + iIndex2 * 13 >= BIG_BLOCK_SIZE - 1) {
+                break;
+            }
+
             iFodo = 2 * (int) ucGetByte(
                     (iRun + 1) * 4 + iIndex2 * 13, aucFpage);
             if (iFodo <= 0) {
@@ -1011,6 +1026,11 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
                 iLen = 2 * (int) ucGetByte(iFodo, aucFpage);
             }
 
+            // HOTFIX for buffer overflow (fuzzing)
+            if (iFodo + 1 >= BIG_BLOCK_SIZE - sizeof(short)) {
+                break;
+            }
+
             usIstd = usGetWord(iFodo + 1, aucFpage);
             vFillStyleFromStylesheet(usIstd, &tStyle);
             vGet8StyleInfo(iFodo, aucFpage + 3, iLen - 3, &tStyle);
@@ -1067,8 +1087,7 @@ vGet8PapInfo(FILE *pFile, const pps_info_type *pPPS,
  */
 void
 vGet8FontInfo(int iFodo, USHORT usIstd,
-	const UCHAR *aucGrpprl, int iBytes, font_block_type *pFont)
-{
+              const UCHAR *aucGrpprl, int iBytes, font_block_type *pFont) {
     long lTmp;
     int iFodoOff, iInfoLen;
     USHORT usFtc0, usFtc1, usFtc2, usTmp;
@@ -1348,8 +1367,7 @@ vGet8FontInfo(int iFodo, USHORT usIstd,
  */
 static BOOL
 bGet8PicInfo(int iFodo,
-	const UCHAR *aucGrpprl, int iBytes, picture_block_type *pPicture)
-{
+             const UCHAR *aucGrpprl, int iBytes, picture_block_type *pPicture) {
     ULONG ulTmp;
     int iFodoOff, iInfoLen;
     BOOL bFound;
@@ -1405,8 +1423,7 @@ void
 vGet8ChrInfo(FILE *pFile, const pps_info_type *pPPS,
              const ULONG *aulBBD, size_t tBBDLen,
              const ULONG *aulSBD, size_t tSBDLen,
-	const UCHAR *aucHeader)
-{
+             const UCHAR *aucHeader) {
     font_block_type tFont;
     picture_block_type tPicture;
     ULONG *aulCharPage;

src/propmod.c

@@ -63,7 +63,7 @@ vAdd2PropModList(const UCHAR *aucPropMod)
 	NO_DBG_DEC(tNextFree);
 
 	tLen = 2 + (size_t)usGetWord(0, aucPropMod);
-	if (isOutOfBounds(tLen)) {
+	if (isOutOfBounds(tLen, sizeof(short))) {
 	    return;
 	}
 	NO_DBG_HEX(tLen);

src/sist2_hotfix.c

@@ -2,8 +2,8 @@
 
 static __thread ULONG buffer;
 
-BOOL isOutOfBounds(ULONG offset) {
-    return offset > buffer;
+BOOL isOutOfBounds(ULONG offset, size_t size) {
+    return offset >= buffer - size;
 }
 
 void setBufferSize(ULONG size) {

src/summary.c

@@ -220,7 +220,7 @@ vAnalyseSummaryInfo(const UCHAR *aucBuffer)
 		ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
 		NO_DBG_DEC(tPropID);
 		NO_DBG_HEX(ulOffset);
-		if (isOutOfBounds(ulOffset)) {
+		if (isOutOfBounds(ulOffset, sizeof(long))) {
 		    return FALSE;
 		}
 		tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
@@ -280,7 +280,7 @@ vAnalyseDocumentSummaryInfo(const UCHAR *aucBuffer)
 		ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
 		NO_DBG_DEC(tPropID);
 		NO_DBG_HEX(ulOffset);
-		if (isOutOfBounds(ulOffset)) {
+		if (isOutOfBounds(ulOffset, sizeof(long))) {
 		    return;
 		}
 		tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);