[poppler] 2 commits - poppler/Catalog.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sun Sep 20 11:18:16 PDT 2015


 poppler/Catalog.cc |   24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

New commits:
commit 9aa19159bff4db02889cba48b9b31e40247e5314
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Fri Sep 11 13:56:05 2015 +0200

    Catalog::cachePageTree(): recover from out of memory condition

diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc
index 8829057..a8c96ac 100644
--- a/poppler/Catalog.cc
+++ b/poppler/Catalog.cc
@@ -172,8 +172,8 @@ Catalog::~Catalog() {
       }
     }
     gfree(pages);
-    gfree(pageRefs);
   }
+  gfree(pageRefs);
   names.free();
   dests.free();
   delete destNameTree;
@@ -306,8 +306,14 @@ GBool Catalog::cachePageTree(int page)
     }
 
     pagesSize = getNumPages();
-    pages = (Page **)gmallocn(pagesSize, sizeof(Page *));
-    pageRefs = (Ref *)gmallocn(pagesSize, sizeof(Ref));
+    pages = (Page **)gmallocn_checkoverflow(pagesSize, sizeof(Page *));
+    pageRefs = (Ref *)gmallocn_checkoverflow(pagesSize, sizeof(Ref));
+    if (pages == NULL || pageRefs == NULL ) {
+      error(errSyntaxError, -1, "Cannot allocate page cache");
+      pagesDict->decRef();
+      pagesSize = 0;
+      return gFalse;
+    }
     for (int i = 0; i < pagesSize; ++i) {
       pages[i] = NULL;
       pageRefs[i].num = -1;
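Review bot: In the new failure branch of cachePageTree(), when only one of the two allocations fails, the other buffer stays attached to its member while pagesSize is reset to 0, so the object is left half-initialised. The destructor change in this commit does release a lone pageRefs, but if the function can be entered again (its entry guard is outside the hunk), the surviving pointer would be overwritten and leaked. Releasing both in the branch keeps the state consistent: `gfree(pages); gfree(pageRefs);` then `pages = NULL; pageRefs = NULL;` before `return gFalse;`. It is also worth confirming what gmallocn_checkoverflow returns for a zero count, since getNumPages() can yield 0 and a NULL there would be reported as "Cannot allocate page cache".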
commit 8dc9187690de10f1538764972799a39660272d1f
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Fri Sep 11 13:30:32 2015 +0200

    Catalog::getNumPages(): validate page count

diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc
index 04caa1c..8829057 100644
--- a/poppler/Catalog.cc
+++ b/poppler/Catalog.cc
@@ -31,6 +31,7 @@
 // Copyright (C) 2013 Adrian Johnson <ajohnson at redneon.com>
 // Copyright (C) 2013 José Aliste <jaliste at src.gnome.org>
 // Copyright (C) 2014 Ed Porras <ed at moto-research.com>
+// Copyright (C) 2015 Even Rouault <even.rouault at spatialys.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -856,6 +857,17 @@ int Catalog::getNumPages()
       }
     } else {
       numPages = (int)obj.getNum();
+      if (numPages <= 0) {
+        error(errSyntaxError, -1,
+              "Invalid page count {0:d}", numPages);
+        numPages = 0;
+      } else if (numPages > xref->getNumObjects()) {
+        error(errSyntaxError, -1,
+              "Page count ({0:d}) larger than number of objects ({1:d})",
+              numPages, xref->getNumObjects());
+        numPages = 0;
+      }
+
     }
 
     catDict.free();
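Review bot: The new range check runs after `numPages = (int)obj.getNum();`, so a page count taken from the file is narrowed to int before it is validated. If getNum() returns a double, as the cast suggests, the conversion is undefined for values outside the range of int, and the two comparisons then operate on an unspecified result. Validating the unconverted value first avoids this: `double count = obj.getNum();` then `if (!(count >= 1 && count <= xref->getNumObjects())) numPages = 0; else numPages = (int)count;`, keeping the two error() calls. The negated form also rejects NaN. getNumPages() starts and ends outside the hunk, so the other branch of the `if` was not reviewed.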

