[poppler] poppler/JBIG2Stream.cc
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Aug 20 22:44:14 UTC 2021
poppler/JBIG2Stream.cc | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
New commits:
commit 73a236b23de3c0337bed0f89cb713c7831e2ad05
Author: Even Rouault <even.rouault at spatialys.com>
Date: Sat Aug 21 00:05:55 2021 +0200
JBIG2Stream.cc: use gmallocn_checkoverflow() instead of gmallocn()
This should hopefully fix the crash reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29638
(in the GDAL project's PDF driver), although I didn't manage to
reproduce it with the reproducer attached to the ticket.
The mentioned stack trace was:
```
0 0xf7ef2b19 in [vdso]
1 0xf7cc1d08 in raise
2 0xf7cc3206 in abort
3 0xbec0a39 in gmalloc(unsigned int, bool) gdal/poppler/goo/gmem.h:52:5
4 0xbef9a06 in gmallocn(int, int, bool) gdal/poppler/goo/gmem.h:119:12
5 0xc211923 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) gdal/poppler/poppler/JBIG2Stream.cc:1650:37
6 0xc20e607 in JBIG2Stream::readSegments() gdal/poppler/poppler/JBIG2Stream.cc:1331:18
7 0xc20d72f in JBIG2Stream::reset() gdal/poppler/poppler/JBIG2Stream.cc:1171:5
```
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 725b2cf9..5def0be3 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -1284,7 +1284,10 @@ void JBIG2Stream::readSegments()
}
// referred-to segment numbers
- refSegs = (unsigned int *)gmallocn(nRefSegs, sizeof(unsigned int));
+ refSegs = (unsigned int *)gmallocn_checkoverflow(nRefSegs, sizeof(unsigned int));
+ if (!refSegs) {
+ return;
+ }
if (segNum <= 256) {
for (unsigned int i = 0; i < nRefSegs; ++i) {
if (!readUByte(&refSegs[i])) {
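Review bot: The new `if (!refSegs) { return; }` most likely aborts readSegments() for every segment that refers to no other segments, which is the common case, because in poppler's goo/gmem.h both gmallocn() and gmallocn_checkoverflow() return nullptr when the object count is zero, not only on overflow; before this change the null was simply carried through, and with nRefSegs == 0 nothing ever indexes it. Test the count rather than the pointer, `if (nRefSegs > 0 && !refSegs) { return; }` (or skip the allocation when nRefSegs is zero), ideally reporting the bad count the way the surrounding code reports other malformed segments. The rest of readSegments(), including whatever later frees refSegs, is outside the hunk, so the safety of a null refSegs further down cannot be confirmed from here, but it is what the pre-patch code already did. gmem.h is not on this page — verify its zero-count behaviour before relying on this.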
@@ -1654,7 +1657,10 @@ bool JBIG2Stream::readSymbolDictSeg(unsigned int segNum, unsigned int length, un
// allocate symbol widths storage
if (huff && !refAgg) {
- symWidths = (unsigned int *)gmallocn(numNewSyms, sizeof(unsigned int));
+ symWidths = (unsigned int *)gmallocn_checkoverflow(numNewSyms, sizeof(unsigned int));
+ if (!symWidths) {
+ goto syntaxError;
+ }
}
symHeight = 0;
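Review bot: The same pointer test on `symWidths` sends a dictionary with numNewSyms == 0 to the syntaxError label if gmallocn_checkoverflow() returns nullptr for a zero count (as poppler's gmem.h version does), a case the previous gmallocn() call tolerated; guard on the count as well, `if (numNewSyms > 0 && !symWidths) { goto syntaxError; }`, unless a zero-symbol dictionary is already rejected earlier in readSymbolDictSeg(), which starts before this hunk. Separately, the stack trace quoted in the commit message points at line 1650, column 37, a few lines above this hunk's new-file position of 1657, so the failing call in GDAL's copy may be a neighbouring allocation in the same function rather than this one; it is worth confirming that the allocation immediately preceding this hunk was converted too, allowing for line-number drift between the two trees.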
@@ -1985,7 +1991,10 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
}
// get the symbol bitmaps
- syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+ syms = (JBIG2Bitmap **)gmallocn_checkoverflow(numSyms, sizeof(JBIG2Bitmap *));
+ if (!syms) {
+ return;
+ }
kk = 0;
for (i = 0; i < nRefSegs; ++i) {
if ((seg = findSegment(refSegs[i]))) {
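Review bot: `if (!syms) { return; }` silently drops any text region whose referred dictionaries contribute zero symbols, since a zero count also yields nullptr from gmallocn_checkoverflow() in poppler's gmem.h; the old code kept going with a null array that the loop below never indexed when numSyms was zero. If numSyms == 0 is meant to be rejected, return with a diagnostic so the reason is visible; if not, `if (numSyms > 0 && !syms) { return; }` preserves the old behaviour while still stopping the overflow case. readTextRegionSeg() continues past the hunk, so any region-level state already set up before this point should be checked against the new early-return path.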
@@ -2113,7 +2122,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
}
if (huff) {
- symCodeTab = (JBIG2HuffmanTable *)gmallocn(numSyms + 1, sizeof(JBIG2HuffmanTable));
+ symCodeTab = (JBIG2HuffmanTable *)gmallocn_checkoverflow(numSyms + 1, sizeof(JBIG2HuffmanTable));
+ if (!symCodeTab) {
+ gfree(syms);
+ return;
+ }
for (i = 0; i < numSyms; ++i) {
symCodeTab[i].val = i;
symCodeTab[i].rangeLen = 0;
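Review bot: The failure path frees only `syms`, but between the syms allocation and this point the function has gathered symbol bitmaps from the referenced dictionaries (the loop at the end of the previous hunk) and may hold other per-region state allocated outside this hunk; if any of that is owned here rather than by the dictionaries, `gfree(syms); return;` leaks it. Consider routing this through the function's normal cleanup (a goto to an existing free-up label, if readTextRegionSeg() has one) instead of a bespoke two-line unwind, so allocations added between the hunks later are released as well. readTextRegionSeg() starts and ends outside the hunk, so the ownership of those intermediate objects cannot be confirmed from here.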
@@ -2607,7 +2620,10 @@ void JBIG2Stream::readHalftoneRegionSeg(unsigned int segNum, bool imm, bool loss
}
// read the gray-scale image
- grayImg = (unsigned int *)gmallocn(gridW * gridH, sizeof(unsigned int));
+ grayImg = (unsigned int *)gmallocn_checkoverflow(gridW * gridH, sizeof(unsigned int));
+ if (!grayImg) {
+ return;
+ }
memset(grayImg, 0, gridW * gridH * sizeof(unsigned int));
atx[0] = templ <= 1 ? 3 : 2;
aty[0] = -1;
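Review bot: Passing `gridW * gridH` to gmallocn_checkoverflow() does not protect the multiplication itself: the product is evaluated first in the operands' own arithmetic (presumably unsigned int) and can wrap to a small value before the checked allocator ever sees it, and the memset on the next line reuses the same wrapped product. Unless readHalftoneRegionSeg() already bounds the grid before this point, which is outside the hunk, add an explicit check such as `if (gridH == 0 || gridW >= INT_MAX / gridH) { return; }` ahead of the allocation so both the allocation and the memset are covered. Note also that a zero-area grid now makes the function return silently instead of proceeding with a null buffer, if the helper returns nullptr for a zero count as it does in poppler's gmem.h.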