[Poppler-bugs] [Bug 100056] pdftocairo crashes on converting big images in PDFs

Wed Jun 14 22:24:04 UTC 2017

https://bugs.freedesktop.org/show_bug.cgi?id=100056

--- Comment #2 from Francisco <foca at salesforce.com> ---
This bug is in the cairo backend component of poppler, in
CairoOutputDev.cc:3090.

3087       buffer = cairo_image_surface_get_data (image);
3088       stride = cairo_image_surface_get_stride (image);
3089       for (int y = 0; y < height; y++) {
3090         uint32_t *dest = (uint32_t *) (buffer + y * stride);
3091         getRow(y, dest);
3092       }

The vulnerability is an integer overflow with the operation y * stride is
calculated. y and stride are signed int variables. So the y * stride can be
overflown in certain situations. When this happens the result of y * stride is
a negative number that gets added (subtracted) to buffer. 

The result is the variable data pointing to an invalid area and the program
crashing.

A possible fix is to replace:
3078          int stride;
3089          for (int y = 0; y < height; y++) {
for:
3078          unsigned int stride;
3089          for (unsigned int y = 0; y < height; y++) {

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170614/e374b93c/attachment-0001.html>