[poppler] poppler/TextOutputDev.cc
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Feb 19 16:05:11 UTC 2019
poppler/TextOutputDev.cc | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
New commits:
commit 69d86f90e30785a0db76d3898914de4c0782b947
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Feb 19 16:18:48 2019 +0100
TextOutputDev: Fix assert in broken file
oss-fuzz/13203
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index c3367883..dcb6ccb1 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -20,7 +20,7 @@
// Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
// Copyright (C) 2007, 2008, 2012, 2017 Adrian Johnson <ajohnson at redneon.com>
// Copyright (C) 2008 Koji Otani <sho at bbr.jp>
-// Copyright (C) 2008, 2010-2012, 2014-2018 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008, 2010-2012, 2014-2019 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2008 Pino Toscano <pino at kde.org>
// Copyright (C) 2008, 2010 Hib Eris <hib at hiberis.nl>
// Copyright (C) 2009 Ross Moore <ross at maths.mq.edu.au>
@@ -876,16 +876,14 @@ TextPool::~TextPool() {
}
int TextPool::getBaseIdx(double base) {
- int baseIdx;
-
- baseIdx = (int)(base / textPoolStep);
- if (baseIdx < minBaseIdx) {
+ const double baseIdxDouble = base / textPoolStep;
+ if (baseIdxDouble < minBaseIdx) {
return minBaseIdx;
}
- if (baseIdx > maxBaseIdx) {
+ if (baseIdxDouble > maxBaseIdx) {
return maxBaseIdx;
}
- return baseIdx;
+ return (int)baseIdxDouble;
}
void TextPool::addWord(TextWord *word) {
@@ -910,8 +908,13 @@ void TextPool::addWord(TextWord *word) {
}
} else if (wordBaseIdx < minBaseIdx) {
newMinBaseIdx = wordBaseIdx - 128;
- newPool = (TextWord **)gmallocn(maxBaseIdx - newMinBaseIdx + 1,
+ newPool = (TextWord **)gmallocn_checkoverflow(maxBaseIdx - newMinBaseIdx + 1,
sizeof(TextWord *));
+ if (unlikely(!newPool)) {
+ error(errSyntaxWarning, -1, "newPool would overflow");
+ delete word;
+ return;
+ }
for (baseIdx = newMinBaseIdx; baseIdx < minBaseIdx; ++baseIdx) {
newPool[baseIdx - newMinBaseIdx] = nullptr;
}
More information about the poppler
mailing list