[poppler] poppler/JBIG2Stream.cc
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Thu Aug 30 16:33:45 UTC 2018
poppler/JBIG2Stream.cc | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
New commits:
commit ad107bbb8e4d8eb1a23e530d040d5b11bb8ff859
Author: Albert Astals Cid <aacid at kde.org>
Date: Thu Aug 30 18:28:50 2018 +0200
JBIG2Bitmap: Fix overflow check
Fixes oss-fuzz/10113
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 25df3db8..474fa918 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -2966,17 +2966,19 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
if (mmr) {
mmrDecoder->reset();
- if (w > INT_MAX - 2) {
- error(errSyntaxError, curStr->getPos(), "Bad width in JBIG2 generic bitmap");
- delete bitmap;
- return nullptr;
- }
// 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w
// ---> max codingLine size = w + 1
// refLine has one extra guard entry at the end
// ---> max refLine size = w + 2
- codingLine = (int *)gmallocn(w + 1, sizeof(int));
- refLine = (int *)gmallocn(w + 2, sizeof(int));
+ codingLine = (int *)gmallocn_checkoverflow(w + 1, sizeof(int));
+ refLine = (int *)gmallocn_checkoverflow(w + 2, sizeof(int));
+
+ if (unlikely(!codingLine || !refLine)) {
+ error(errSyntaxError, curStr->getPos(), "Bad width in JBIG2 generic bitmap");
+ delete bitmap;
+ return nullptr;
+ }
+
memset(refLine, 0, (w + 2) * sizeof(int));
for (i = 0; i < w + 1; ++i) codingLine[i] = w;
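Review bot: The new failure branch returns without releasing whichever of the two buffers was allocated successfully, so a width that lets `codingLine` succeed but makes `refLine` fail leaks the first allocation on every such malformed segment. Adding `gfree(codingLine); gfree(refLine);` before `delete bitmap;` would close that, assuming nothing else on this path frees them, since their declarations and the rest of readGenericBitmap lie outside the hunk. Separately, with the `w > INT_MAX - 2` guard removed, `w + 1` and `w + 2` are still evaluated as `int` before the checked allocator sees them, so a width of `INT_MAX - 1` or `INT_MAX` is signed overflow. The allocator will probably reject the wrapped negative count, but that relies on undefined behaviour. Keeping the old guard in front of the two `gmallocn_checkoverflow` calls makes the rejection explicit; a short comment there noting that `w` comes from the untrusted stream would help the next reader.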