<html>
<head>
<base href="https://bugs.freedesktop.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - pdftocairo crashes on converting big images in PDFs"
href="https://bugs.freedesktop.org/show_bug.cgi?id=100056#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - pdftocairo crashes on converting big images in PDFs"
href="https://bugs.freedesktop.org/show_bug.cgi?id=100056">bug 100056</a>
from <span class="vcard"><a class="email" href="mailto:foca@salesforce.com" title="Francisco <foca@salesforce.com>"> <span class="fn">Francisco</span></a>
</span></b>
<pre>This bug is in the cairo backend component of poppler, in
CairoOutputDev.cc:3090.
3087 buffer = cairo_image_surface_get_data (image);
3088 stride = cairo_image_surface_get_stride (image);
3089 for (int y = 0; y < height; y++) {
3090 uint32_t *dest = (uint32_t *) (buffer + y * stride);
3091 getRow(y, dest);
3092 }
The vulnerability is an integer overflow with the operation y * stride is
calculated. y and stride are signed int variables. So the y * stride can be
overflown in certain situations. When this happens the result of y * stride is
a negative number that gets added (subtracted) to buffer.
The result is the variable data pointing to an invalid area and the program
crashing.
A possible fix is to replace:
3078 int stride;
3089 for (int y = 0; y < height; y++) {
for:
3078 unsigned int stride;
3089 for (unsigned int y = 0; y < height; y++) {</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>