[Poppler-bugs] [Bug 101526] New: Division by zero in Stream.cc:471
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Jun 20 17:45:11 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101526
Bug ID: 101526
Summary: Division by zero in Stream.cc:471
Product: poppler
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: poppler-bugs at lists.freedesktop.org
Reporter: foca at salesforce.com
Created attachment 132096
--> https://bugs.freedesktop.org/attachment.cgi?id=132096&action=edit
Proof of concept
There is a division by zero in Stream.cc:471. In the ImageStream constructor,
INT_MAX is divided by nComps, parsing the attached PoC.pdf case nComps has the
value 0. The division by 0 caused a SIGFPE crash
461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int
nBitsA) {
462 int imgLineSize;
463
464 str = strA;
465 width = widthA;
466 nComps = nCompsA;
467 nBits = nBitsA;
468
469 nVals = width * nComps;
470 inputLineSize = (nVals * nBits + 7) >> 3;
471 if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX /
nComps) {
472 inputLineSize = -1;
473 }
A possible solution is to check for this case:
471 if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps ==0 || width >
INT_MAX / nComps) {
A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170620/defd86c1/attachment.html>
More information about the Poppler-bugs
mailing list