[poppler] 2 commits - poppler/GfxState.cc poppler/JBIG2Stream.cc

[Albert Astals Cid]

 poppler/GfxState.cc    |   12 ++++++------
 poppler/JBIG2Stream.cc |    2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

New commits:
commit 8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9
Author: Albert Astals Cid <aacid at kde.org>
Date:   Wed Jun 21 00:56:38 2017 +0200

    Fix crash in malformed documents

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index e6cd329b..f61f8124 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4034,18 +4034,18 @@ GfxUnivariateShading::~GfxUnivariateShading() {
 
 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
   double out[gfxColorMaxComps];
-  int i, nComps;
+  int i;
+
+  // NB: there can be one function with n outputs or n functions with
+  // one output each (where n = number of color components)
+  const int nComps = nFuncs * funcs[0]->getOutputSize();
 
-  if (unlikely(nFuncs < 1)) {
+  if (unlikely(nFuncs < 1 || nComps > gfxColorMaxComps)) {
     for (int i = 0; i < gfxColorMaxComps; i++)
         color->c[i] = 0;
     return;
   }
 
-  // NB: there can be one function with n outputs or n functions with
-  // one output each (where n = number of color components)
-  nComps = nFuncs * funcs[0]->getOutputSize();
-
   if (cacheSize > 0) {
     double x, ix, *l, *u, *upper;
 
commit a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc
Author: Albert Astals Cid <aacid at kde.org>
Date:   Wed Jun 21 00:55:20 2017 +0200

    Fix crash in malformed documents

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 48535883..d89108c8 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -896,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
   oneByte = x0 == ((x1 - 1) & ~7);
 
   for (yy = y0; yy < y1; ++yy) {
-    if (unlikely(y + yy) >= h)
+    if (unlikely((y + yy >= h) || (y + yy < 0)))
       continue;
 
     // one byte per line -- need to mask both left and right side