[poppler] poppler/Hints.cc

Tue May 22 20:02:01 UTC 2018

poppler/Hints.cc |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit 083bfa59378be1c008cb6543f7e9bebde29a4079
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue May 22 22:01:35 2018 +0200

    nBitsDiffObjects can only be 32 as per spec
    
    fixes oss-fuzz/8464

diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 2f5fec6c..ecee0468 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -5,7 +5,7 @@
 // This file is licensed under the GPLv2 or later
 //
 // Copyright 2010, 2012 Hib Eris <hib at hiberis.nl>
-// Copyright 2010, 2011, 2013, 2014, 2016, 2017 Albert Astals Cid <aacid at kde.org>
+// Copyright 2010, 2011, 2013, 2014, 2016-2018 Albert Astals Cid <aacid at kde.org>
 // Copyright 2010, 2013 Pino Toscano <pino at kde.org>
 // Copyright 2013 Adrian Johnson <ajohnson at redneon.com>
 // Copyright 2014 Fabio D'Urso <fabiodurso at hotmail.it>
@@ -258,6 +258,11 @@ GBool Hints::readPageOffsetTable(Stream *str)
   if (objectOffsetFirst >= hintsOffset) objectOffsetFirst += hintsLength;
 
   nBitsDiffObjects = sbr.readBits(16);
+  if (nBitsDiffObjects > 32) {
+    error(errSyntaxWarning, -1, "Invalid number of bits needed to represent the difference between the greatest and least number of objects in a page");
+    nPages = 0;
+    return gFalse;
+  }
 
   pageLengthLeast = sbr.readBits(32);
 
