[poppler] poppler/XRef.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Tue May 22 17:32:27 UTC 2018
poppler/XRef.cc | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
New commits:
commit dbe330678766d1260d7f595d238e90aeae1194d6
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue May 22 19:31:34 2018 +0200
XRef::constructXRef: Prevent overflow when calculating newSize
fixes oss-fuzz/8421
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 25bc18a4..089c2eb2 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -866,7 +866,6 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
char buf[256];
Goffset pos;
int num, gen;
- int newSize;
int streamEndsSize;
char *p;
GBool gotRoot;
@@ -961,7 +960,11 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
while (*p && isspace(*p & 0xff)) ++p;
if (!strncmp(p, "obj", 3)) {
if (num >= size) {
- newSize = (num + 1 + 255) & ~255;
+ if (unlikely(num >= INT_MAX - 1 - 255)) {
+ error(errSyntaxError, -1, "Bad object number");
+ return gFalse;
+ }
+ const int newSize = (num + 1 + 255) & ~255;
if (newSize < 0) {
error(errSyntaxError, -1, "Bad object number");
return gFalse;
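Review bot: The `if (newSize < 0)` test kept after the new guard looks unreachable now. Once `num < INT_MAX - 1 - 255` holds and `num >= size` (with `size` presumably non-negative), `num + 1 + 255` cannot wrap and the masked result stays non-negative. The old test could only fire through signed overflow, which is undefined behaviour, so I would either drop it or mark it, e.g. `// defensive only: the INT_MAX guard above already rules out overflow`. The guard also bounds the arithmetic, not the allocation: a `num` just under the limit (presumably parsed from the document being repaired) still yields a `newSize` near `INT_MAX`, so the resize that follows outside this hunk must fail cleanly and compute its byte count without wrapping. `INT_MAX` needs `<limits.h>` or `<climits>` in scope, which is not visible in this hunk.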