[poppler] poppler/XRef.cc

Adrian Johnson ajohnson at kemper.freedesktop.org
Sat Jan 26 19:14:28 PST 2013 

 poppler/XRef.cc |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

New commits:
commit fe59ac914230b80aa82b314398a8a038ef083e06
Author: Adrian Johnson <ajohnson at redneon.com>
Date:   Sat Jan 26 16:44:49 2013 +1030

    Read 8 byte xref offsets when sizeof(Goffset) < 8
    
    and print an error if the offset read is too large for Goffset.
    
    Bug 56318

diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 70008ea..deac6d7 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -41,6 +41,7 @@
 #include <math.h>
 #include <ctype.h>
 #include <limits.h>
+#include <limits>
 #include <float.h>
 #include "goo/gmem.h"
 #include "Object.h"
@@ -759,7 +760,7 @@ GBool XRef::readXRefStream(Stream *xrefStr, Goffset *pos) {
     }
   }
   obj.free();
-  if (w[0] > (int)sizeof(int) || w[1] > (int)sizeof(Goffset) || w[2] > (int)sizeof(int)) {
+  if (w[0] > (int)sizeof(int) || w[1] > (int)sizeof(long long) || w[2] > (int)sizeof(int)) {
     goto err1;
   }
 
@@ -818,7 +819,7 @@ GBool XRef::readXRefStream(Stream *xrefStr, Goffset *pos) {
 }
 
 GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
-  Goffset offset;
+  unsigned long long offset;
   int type, gen, c, i, j;
 
   if (first + n < 0) {
@@ -851,6 +852,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
       }
       offset = (offset << 8) + c;
     }
+    if (offset > (unsigned long long)std::numeric_limits<Goffset>::max()) {
+      error(errSyntaxError, -1, "Offset inside xref table too large for fseek");
+      return gFalse;
+    }
     for (gen = 0, j = 0; j < w[2]; ++j) {
       if ((c = xrefStr->getChar()) == EOF) {
 	return gFalse;

More information about the poppler mailing list