[Poppler-bugs] [Bug 101526] New: Division by zero in Stream.cc:471

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jun 20 17:45:11 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101526

            Bug ID: 101526
           Summary: Division by zero in Stream.cc:471
           Product: poppler
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: foca at salesforce.com

Created attachment 132096
  --> https://bugs.freedesktop.org/attachment.cgi?id=132096&action=edit
Proof of concept

There is a division by zero in Stream.cc:471. In the ImageStream constructor,
INT_MAX is divided by nComps, parsing the attached PoC.pdf case nComps has the
value 0. The division by 0 caused a SIGFPE crash

 461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int
nBitsA) {
 462   int imgLineSize;
 463 
 464   str = strA;
 465   width = widthA;
 466   nComps = nCompsA;
 467   nBits = nBitsA;
 468 
 469   nVals = width * nComps;
 470   inputLineSize = (nVals * nBits + 7) >> 3;
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX /
nComps) {
 472     inputLineSize = -1;
 473   }

A possible solution is to check for this case:
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps ==0 || width >
INT_MAX / nComps) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler-bugs/attachments/20170620/defd86c1/attachment.html>


More information about the Poppler-bugs mailing list