From: c (cc.cc)
Date: Fri Apr 24 2009 - 16:26:41 CDT
The overflow occurs at the following location:
    obj = fz_dictgets(dict, "C0");
    func->n = fz_arraylen(obj);
    for (i = 0; i < func->n; ++i)
        func->u.e.c0[i] = fz_toreal(fz_arrayget(obj, i));
func->n is used without being checked first. There are a few integer
overflows elsewhere in the code as well.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- application/pdf attachment: a.pdf
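
Added example, not part of the original post and not the project's own code: a self-contained model of the loop quoted above, with the array length validated before it is stored in n or used as a loop bound. The names pdf_array, exp_func, load_c0_checked and the capacity C0_CAPACITY are assumptions made for illustration; the post does not state the real size of c0[].

```c
#include <stdio.h>

#define C0_CAPACITY 32 /* ASSUMED size; the post does not state the real one */

/* Hypothetical stand-ins for the PDF array object and the function struct. */
struct pdf_array { int len; const float *items; };
struct exp_func {
    int n;
    float c0[C0_CAPACITY];
    unsigned guard; /* sits after c0; an unchecked copy would clobber it */
};

/* Pattern in the post: n = array length, then n writes into c0[], with
 * nothing tying n to the capacity of c0[]. Hardened form: validate the
 * file-supplied length before it is stored or used as the loop bound. */
int load_c0_checked(struct exp_func *func, const struct pdf_array *obj)
{
    int i;

    if (func == NULL || obj == NULL || obj->items == NULL)
        return -1;
    if (obj->len < 1 || obj->len > C0_CAPACITY)
        return -1; /* reject the malformed object; func is left untouched */

    func->n = obj->len;
    for (i = 0; i < func->n; ++i)
        func->c0[i] = obj->items[i];
    return 0;
}

int main(void)
{
    float vals[C0_CAPACITY + 8] = {0}; /* constructed sample input */
    struct exp_func f = { 0, {0}, 0xC0FFEEu };
    struct pdf_array ok = { 3, vals };
    struct pdf_array big = { C0_CAPACITY + 8, vals };

    printf("len 3  -> %d\n", load_c0_checked(&f, &ok));
    printf("len %d -> %d\n", big.len, load_c0_checked(&f, &big));
    printf("guard intact: %s\n", f.guard == 0xC0FFEEu ? "yes" : "no");
    return 0;
}
```

Rejecting the oversized array, rather than clamping n to the capacity, keeps a malformed file from being half-parsed into a function object that later code treats as valid.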