Fix bounds check issue in PDF parser

The bytes_remaining variable may be set negative by mistake, when really we just want to decrement it. This issue may result in a 1-byte over read but does not cause any crash. We determined that this issue is not a vulnerability. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58475
Cisco-Talos · Aug 10, 2023 · ba49cbf · ba49cbf
1 parent c961189
commit ba49cbf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/libclamav/pdf.c b/libclamav/pdf.c
@@ -928,7 +928,7 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha
 
     /* Step the index into the "/Length" string. */
     index++;
-    bytes_remaining -= index - obj_start;
+    bytes_remaining--;
 
     /* Find the start of the next direct or indirect object.
      * pdf_nextobject() assumes we started searching from within a previous object */