[poppler] poppler/GfxState.cc poppler/Object.h

[Albert Astals Cid]

 poppler/GfxState.cc |   18 ++++++++++++------
 poppler/Object.h    |    7 +++++++
 2 files changed, 19 insertions(+), 6 deletions(-)

New commits:
commit aa03a71c3a1127cffd19bb0f596c4b361a7f2269
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun May 21 22:37:23 2017 +0200

    Fix abort in files with broken Decode arrays
    
    Fixes KDE bug #379835

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 2c81dfbe..b17925f4 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -5311,24 +5311,30 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
   obj1.free();
   if (dict->lookup("Decode", &obj1)->isArray() &&
       obj1.arrayGetLength() >= 6) {
-    xMin = obj1.arrayGet(0, &obj2)->getNum();
+    bool decodeOk = true;
+    xMin = obj1.arrayGet(0, &obj2)->getNum(&decodeOk);
     obj2.free();
-    xMax = obj1.arrayGet(1, &obj2)->getNum();
+    xMax = obj1.arrayGet(1, &obj2)->getNum(&decodeOk);
     obj2.free();
     xMul = (xMax - xMin) / (pow(2.0, coordBits) - 1);
-    yMin = obj1.arrayGet(2, &obj2)->getNum();
+    yMin = obj1.arrayGet(2, &obj2)->getNum(&decodeOk);
     obj2.free();
-    yMax = obj1.arrayGet(3, &obj2)->getNum();
+    yMax = obj1.arrayGet(3, &obj2)->getNum(&decodeOk);
     obj2.free();
     yMul = (yMax - yMin) / (pow(2.0, coordBits) - 1);
     for (i = 0; 5 + 2*i < obj1.arrayGetLength() && i < gfxColorMaxComps; ++i) {
-      cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum();
+      cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum(&decodeOk);
       obj2.free();
-      cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum();
+      cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum(&decodeOk);
       obj2.free();
       cMul[i] = (cMax[i] - cMin[i]) / (double)((1 << compBits) - 1);
     }
     nComps = i;
+
+    if (!decodeOk) {
+      error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary");
+      goto err2;
+    }
   } else {
     error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary");
     goto err2;
diff --git a/poppler/Object.h b/poppler/Object.h
index e3f8f378..e55ba687 100644
--- a/poppler/Object.h
+++ b/poppler/Object.h
@@ -208,6 +208,13 @@ public:
   // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64().
   double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal);
     return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; }
+  double getNum(bool *ok) {
+    if (unlikely(type != objInt && type != objInt64 && type != objReal)) {
+      *ok = false;
+      return 0.;
+    }
+    return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real;
+  }
   GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; }
   // After takeString() the only method that should be called for the object is free()
   // because the object it's not expected to have a NULL string.