[poppler] poppler/XRef.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Tue May 22 17:32:27 UTC 2018


 poppler/XRef.cc |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

New commits:
commit dbe330678766d1260d7f595d238e90aeae1194d6
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue May 22 19:31:34 2018 +0200

    XRef::constructXRef: Prevent overflow when calculating newSize
    
    fixes oss-fuzz/8421

diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 25bc18a4..089c2eb2 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -866,7 +866,6 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
   char buf[256];
   Goffset pos;
   int num, gen;
-  int newSize;
   int streamEndsSize;
   char *p;
   GBool gotRoot;
@@ -961,7 +960,11 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
 	      while (*p && isspace(*p & 0xff)) ++p;
 	      if (!strncmp(p, "obj", 3)) {
 		if (num >= size) {
-		  newSize = (num + 1 + 255) & ~255;
+		  if (unlikely(num >= INT_MAX - 1 - 255)) {
+		    error(errSyntaxError, -1, "Bad object number");
+		    return gFalse;
+		  }
+		  const int newSize = (num + 1 + 255) & ~255;
 		  if (newSize < 0) {
 		    error(errSyntaxError, -1, "Bad object number");
 		    return gFalse;
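Review bot: The pre-existing `if (newSize < 0)` test just below the new guard is now unreachable: once `num >= INT_MAX - 1 - 255` has been rejected, `(num + 1 + 255) & ~255` cannot wrap, and since this branch is only entered when `num >= size` (size being the table size, presumably non-negative), newSize is always positive. That check was the old overflow detection that relied on undefined signed wrap, so it should be deleted rather than left looking like a live guard, e.g. replace the three lines with nothing or with `// newSize cannot be negative here: the guard above rejects num values that would overflow`. The new bound is also one value more conservative than strictly necessary (`num == INT_MAX - 256` would not overflow but is rejected), which is harmless for a PDF object number and could be noted in a comment. The enclosing while loop and XRef::constructXRef itself begin and end outside this hunk, so how newSize is consumed (the reallocation) is not visible here.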

