<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Division by zero in Stream.cc:471"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101526">101526</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Division by zero in Stream.cc:471
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132096" name="attach_132096" title="Proof of concept">attachment 132096</a> <a href="attachment.cgi?id=132096&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a division by zero in Stream.cc:471. In the ImageStream constructor,
INT_MAX is divided by nComps, parsing the attached PoC.pdf case nComps has the
value 0. The division by 0 caused a SIGFPE crash

 461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int
nBitsA) {
 462   int imgLineSize;
 463 
 464   str = strA;
 465   width = widthA;
 466   nComps = nCompsA;
 467   nBits = nBitsA;
 468 
 469   nVals = width * nComps;
 470   inputLineSize = (nVals * nBits + 7) >> 3;
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX /
nComps) {
 472     inputLineSize = -1;
 473   }

A possible solution is to check for this case:
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps ==0 || width >
INT_MAX / nComps) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>