<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Division by 0 at Function.cc:1626" href="https://bugs.freedesktop.org/show_bug.cgi?id=101500">101500</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Division by 0 at Function.cc:1626
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>minor
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132064" name="attach_132064" title="Proof of concept">attachment 132064</a> <a href="attachment.cgi?id=132064&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a division by 0 that leads to a SIGFPE.

The vulnerability is at Function.cc:1626 in the PostScriptFunction::exec
function, shown below.

1623          case psOpIdiv:
1624            i2 = stack->popInt();
1625            i1 = stack->popInt();
1626            stack->pushInt(i1 / i2);

popInt() is called twice and the values are stored in i2 and i1. In both cases a
0 is returned, causing i1/i2 to SIGFPE. popInt is shown below. The 0 is returned
because the if condition is not satisfied: checkType returns 0.

  int popInt()
  {
    // Returns 0 both for a genuine 0 on the stack and when a check fails;
    // nothing is popped in the failure case.
    if (checkUnderflow() &amp;&amp; checkType(psInt, psInt)) {
      return stack[sp++].intg;
    }
    return 0;
  }

checkType validates that the object being popped has the type the calling
function requests (popInt). This check fails because the type at
stack[sp] is psReal.

  GBool checkType(PSObjectType t1, PSObjectType t2)
  {
    // Accepts the object on top of the stack only if its type is t1 or t2.
    if (stack[sp].type != t1 &amp;&amp; stack[sp].type != t2) {
      error(-1, "Type mismatch in PostScript function");
      return gFalse;
    }
    return gTrue;
  }
  // Remaining members of the PSStack class from which these excerpts are taken:
  PSObject stack[psStackSize];
  int sp;
};

The solution could be to check for i2 != 0 before doing the division.

PoC attached.

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>
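      <p>The following is an added example, not code from the report or from poppler: a minimal stand-in for the PSStack/psOpIdiv path described above, with the i2 != 0 guard the report suggests. The names MiniStack and execIdivGuarded are hypothetical; the stack layout mirrors the excerpt (grows downward, popInt prints the mismatch and returns 0). It goes one step beyond the report by also guarding INT_MIN / -1, which traps the same way on x86.</p>

```cpp
// Added example, not poppler code: a minimal model of the PSStack/psOpIdiv
// path from the report, plus the zero-divisor guard the report suggests.
#include <climits>
#include <cstdio>

enum PSObjectType { psInt, psReal };
struct PSObject { PSObjectType type; int intg; double real; };

struct MiniStack {                      // hypothetical stand-in for PSStack
    static const int size = 8;
    PSObject stack[size];
    int sp = size;                      // grows downward, as in the excerpt

    bool pushInt(int v) {
        if (sp == 0) return false;      // stack full: refuse the push
        stack[--sp] = PSObject{psInt, v, 0.0};
        return true;
    }
    bool pushReal(double v) {
        if (sp == 0) return false;
        stack[--sp] = PSObject{psReal, 0, v};
        return true;
    }
    // Mirrors the report: on underflow or a type mismatch the error is only
    // printed and 0 is returned, so the caller cannot tell "popped 0" from
    // "pop failed". Nothing is popped in that case.
    int popInt() {
        if (sp < size && stack[sp].type == psInt) return stack[sp++].intg;
        std::fprintf(stderr, "Type mismatch in PostScript function\n");
        return 0;
    }
};

// Unguarded form, as at Function.cc:1626 (kept as a comment; it raises
// SIGFPE when i2 is 0):
//     stack->pushInt(i1 / i2);

// Guarded idiv: returns false and pushes nothing when the division would trap,
// so the interpreter can abort the function instead of crashing the process.
bool execIdivGuarded(MiniStack &s) {
    int i2 = s.popInt();
    int i1 = s.popInt();
    if (i2 == 0) return false;                   // literal 0 or a failed pop
    if (i1 == INT_MIN && i2 == -1) return false; // overflow also traps on x86
    return s.pushInt(i1 / i2);
}
```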

    </body>
</html>