[Poppler-bugs] [Bug 100056] pdftocairo crashes on converting big images in PDFs
bugzilla-daemon at freedesktop.org
Wed Jun 14 22:24:04 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=100056
--- Comment #2 from Francisco <foca at salesforce.com> ---
This bug is in the cairo backend component of poppler, in
CairoOutputDev.cc:3090.
3087 buffer = cairo_image_surface_get_data (image);
3088 stride = cairo_image_surface_get_stride (image);
3089 for (int y = 0; y < height; y++) {
3090 uint32_t *dest = (uint32_t *) (buffer + y * stride);
3091 getRow(y, dest);
3092 }
The vulnerability is an integer overflow when the operation y * stride is
calculated. y and stride are signed int variables, so y * stride can
overflow in certain situations. When this happens, the result of y * stride is
a negative number that gets added (subtracted) to buffer.
The result is the variable data pointing to an invalid area and the program
crashing.
A possible fix is to replace:
3078 int stride;
3089 for (int y = 0; y < height; y++) {
with:
3078 unsigned int stride;
3089 for (unsigned int y = 0; y < height; y++) {
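Added example, not from the bug report or from poppler: the loop quoted above with the row address computed under an explicit overflow and bounds check, so a wrapped product can never be added to buffer. It assumes a constructed 4x4 ARGB32 image; checked_row_ptr, render_rows and g_pixels are names invented here, and the pixel write stands in for getRow().

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not poppler code. Address of row y in a buf_len-byte image
 * buffer, or NULL if y * stride would overflow or the row (row_bytes wide)
 * would not fit. The product is formed in size_t after a wrap check. */
uint8_t *checked_row_ptr(uint8_t *buffer, size_t buf_len,
                         int y, int stride, size_t row_bytes)
{
    if (buffer == NULL || y < 0 || stride <= 0)
        return NULL;
    size_t uy = (size_t) y, us = (size_t) stride;
    if (row_bytes == 0 || row_bytes > us)
        return NULL;                        /* row wider than one stride */
    if (uy > SIZE_MAX / us)
        return NULL;                        /* y * stride would wrap */
    size_t offset = uy * us;
    if (offset > buf_len || row_bytes > buf_len - offset)
        return NULL;                        /* row ends past the buffer */
    return buffer + offset;
}

/* The bug's loop shape with the row address validated on each iteration.
 * Returns 1 if every row was rendered, 0 if a row was rejected; *rows_done
 * receives the number of rows actually written. */
int render_rows(uint8_t *buffer, size_t buf_len, int width, int height,
                int stride, int *rows_done)
{
    int done = 0;
    for (int y = 0; y < height; y++) {
        uint8_t *row = checked_row_ptr(buffer, buf_len, y, stride,
                                       (size_t) width * 4);  /* ARGB32 */
        if (row == NULL)
            break;
        uint32_t *dest = (uint32_t *) row;  /* cairo strides are 4-aligned */
        for (int x = 0; x < width; x++)
            dest[x] = 0xFF000000u | (uint32_t) (y * 16 + x);
        done++;
    }
    if (rows_done)
        *rows_done = done;
    return done == height;
}

/* Constructed 4x4 ARGB32 image: stride 16 bytes, 64 bytes in total. */
static uint32_t g_pixels[16];

int main(void)
{
    int n, ok = render_rows((uint8_t *) g_pixels, sizeof g_pixels, 4, 8, 16, &n);
    printf("8 rows into a 4-row buffer: ok=%d, rows written=%d\n", ok, n);
    return 0;
}
```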