[poppler] poppler/GfxState.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sun Nov 12 23:37:47 UTC 2017 

 poppler/GfxState.cc |   28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

New commits:
commit e84338a44f27afb9872cb108fc29683b35ac55f7
Author: Albert Astals Cid <aacid at kde.org>
Date:   Mon Nov 13 00:37:00 2017 +0100

    GfxLabColorSpace::parse: Fix crash in broken documents
    
    Bug #103582

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 3e30edf0..aeb9534f 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -1558,34 +1558,42 @@ GfxColorSpace *GfxLabColorSpace::parse(Array *arr, GfxState *state) {
     return NULL;
   }
   cs = new GfxLabColorSpace();
+  bool ok = true;
   obj2 = obj1.dictLookup("WhitePoint");
   if (obj2.isArray() && obj2.arrayGetLength() == 3) {
     Object obj3 = obj2.arrayGet(0);
-    cs->whiteX = obj3.getNum();
+    cs->whiteX = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(1);
-    cs->whiteY = obj3.getNum();
+    cs->whiteY = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(2);
-    cs->whiteZ = obj3.getNum();
+    cs->whiteZ = obj3.getNum(&ok);
   }
   obj2 = obj1.dictLookup("BlackPoint");
   if (obj2.isArray() && obj2.arrayGetLength() == 3) {
     Object obj3 = obj2.arrayGet(0);
-    cs->blackX = obj3.getNum();
+    cs->blackX = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(1);
-    cs->blackY = obj3.getNum();
+    cs->blackY = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(2);
-    cs->blackZ = obj3.getNum();
+    cs->blackZ = obj3.getNum(&ok);
   }
   obj2 = obj1.dictLookup("Range");
   if (obj2.isArray() && obj2.arrayGetLength() == 4) {
     Object obj3 = obj2.arrayGet(0);
-    cs->aMin = obj3.getNum();
+    cs->aMin = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(1);
-    cs->aMax = obj3.getNum();
+    cs->aMax = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(2);
-    cs->bMin = obj3.getNum();
+    cs->bMin = obj3.getNum(&ok);
     obj3 = obj2.arrayGet(3);
-    cs->bMax = obj3.getNum();
+    cs->bMax = obj3.getNum(&ok);
+  }
+
+  if (!ok) {
+      error(errSyntaxWarning, -1, "Bad Lab color space");
+      cs->transform = nullptr;
+      delete cs;
+      return nullptr;
   }
 
   cs->kr = 1 / (xyzrgb[0][0] * cs->whiteX +

More information about the poppler mailing list