[poppler] poppler/JBIG2Stream.cc

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sun Aug 22 16:10:20 UTC 2021


 poppler/JBIG2Stream.cc |   26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

New commits:
commit 69b2bb9bb0b9ed52f25f4471ee161a4ce15deb23
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Sat Aug 21 00:05:55 2021 +0200

    JBIG2Stream.cc: use gmallocn_checkoverflow() instead of gmallocn()
    
    This should hopefully fix the crash of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29638
    (on the GDAL project in its PDF driver), although I didn't manage to
    reproduce it with the reproducer attached to the ticket
    
    The mentioned stack trace was:
    
    ```
    0 0xf7ef2b19 in [vdso]
    1 0xf7cc1d08 in raise
    2 0xf7cc3206 in abort
    3 0xbec0a39 in gmalloc(unsigned int, bool) gdal/poppler/goo/gmem.h:52:5
    4 0xbef9a06 in gmallocn(int, int, bool) gdal/poppler/goo/gmem.h:119:12
    5 0xc211923 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) gdal/poppler/poppler/JBIG2Stream.cc:1650:37
    6 0xc20e607 in JBIG2Stream::readSegments() gdal/poppler/poppler/JBIG2Stream.cc:1331:18
    7 0xc20d72f in JBIG2Stream::reset() gdal/poppler/poppler/JBIG2Stream.cc:1171:5
    ```

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 725b2cf9..78c273dd 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -1284,7 +1284,10 @@ void JBIG2Stream::readSegments()
         }
 
         // referred-to segment numbers
-        refSegs = (unsigned int *)gmallocn(nRefSegs, sizeof(unsigned int));
+        refSegs = (unsigned int *)gmallocn_checkoverflow(nRefSegs, sizeof(unsigned int));
+        if (nRefSegs > 0 && !refSegs) {
+            return;
+        }
         if (segNum <= 256) {
             for (unsigned int i = 0; i < nRefSegs; ++i) {
                 if (!readUByte(&refSegs[i])) {
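Review bot: The new bail-out at `return;` is silent — unlike the `goto syntaxError` path in the readSymbolDictSeg hunk, nothing is reported, so a file that trips the overflow check (or an allocation failure, which gmallocn_checkoverflow appears to surface as a null return as well) is indistinguishable from a clean end of stream, and readSegments stops processing all remaining segments without a trace. I would add a diagnostic in the style of the file's existing calls before returning, e.g. `error(errSyntaxError, curStr->getPos(), "Bad referred-to segment count in JBIG2 stream");`, and the same applies to the `return;` in the readTextRegionSeg (syms) and readHalftoneRegionSeg hunks. The `nRefSegs > 0 &&` half of the condition is worth a comment, since it relies on gmallocn returning null for a zero count rather than on anything visible here: `// gmallocn returns null for a zero count; only a non-zero count with a null result is a failure`. The same guard pattern is repeated in the readSymbolDictSeg and readTextRegionSeg hunks. readSegments continues outside the hunk, so I cannot confirm whether any state set up earlier in the loop iteration needs releasing on this early return.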
@@ -1654,7 +1657,10 @@ bool JBIG2Stream::readSymbolDictSeg(unsigned int segNum, unsigned int length, un
 
     // allocate symbol widths storage
     if (huff && !refAgg) {
-        symWidths = (unsigned int *)gmallocn(numNewSyms, sizeof(unsigned int));
+        symWidths = (unsigned int *)gmallocn_checkoverflow(numNewSyms, sizeof(unsigned int));
+        if (numNewSyms > 0 && !symWidths) {
+            goto syntaxError;
+        }
     }
 
     symHeight = 0;
@@ -1985,7 +1991,10 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
     }
 
     // get the symbol bitmaps
-    syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+    syms = (JBIG2Bitmap **)gmallocn_checkoverflow(numSyms, sizeof(JBIG2Bitmap *));
+    if (numSyms > 0 && !syms) {
+        return;
+    }
     kk = 0;
     for (i = 0; i < nRefSegs; ++i) {
         if ((seg = findSegment(refSegs[i]))) {
@@ -2113,7 +2122,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
     }
 
     if (huff) {
-        symCodeTab = (JBIG2HuffmanTable *)gmallocn(numSyms + 1, sizeof(JBIG2HuffmanTable));
+        symCodeTab = (JBIG2HuffmanTable *)gmallocn_checkoverflow(numSyms + 1, sizeof(JBIG2HuffmanTable));
+        if (!symCodeTab) {
+            gfree(syms);
+            return;
+        }
         for (i = 0; i < numSyms; ++i) {
             symCodeTab[i].val = i;
             symCodeTab[i].rangeLen = 0;
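Review bot: The count passed here is `numSyms + 1`, and the check is `!symCodeTab` without a `> 0` guard, which is correct only because the sum is never zero unless it wraps — and in that wrapped case gmallocn returns null for the zero count, so the new check happens to catch it too. That is the right outcome but it reads as accidental; I would state it: `// numSyms + 1 can only be 0 if it wrapped, in which case the null result is caught here`. The error path frees `syms` but not the bitmaps it points to, which is presumably correct because they are owned by the referenced segments (see the findSegment loop in the earlier hunk) — worth a one-line comment on the `gfree(syms)` so the next reader does not "fix" it into a double free. readTextRegionSeg continues outside the hunk, so I cannot see whether any other owned allocation between the two hunks needs releasing on this path.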
@@ -2607,7 +2620,10 @@ void JBIG2Stream::readHalftoneRegionSeg(unsigned int segNum, bool imm, bool loss
     }
 
     // read the gray-scale image
-    grayImg = (unsigned int *)gmallocn(gridW * gridH, sizeof(unsigned int));
+    grayImg = (unsigned int *)gmallocn_checkoverflow(gridW * gridH, sizeof(unsigned int));
+    if (!grayImg) {
+        return;
+    }
     memset(grayImg, 0, gridW * gridH * sizeof(unsigned int));
     atx[0] = templ <= 1 ? 3 : 2;
     aty[0] = -1;
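Review bot: The overflow check on this line only covers the multiplication by `sizeof(unsigned int)`; the product `gridW * gridH` is computed by the caller before gmallocn_checkoverflow ever sees it, so if the two dimensions are not already bounded earlier in readHalftoneRegionSeg (outside this hunk) the product can wrap, the check passes on the small wrapped value, and the `memset` on the following line and the later gray-scale image writes run against an undersized buffer. If the project's three-argument helper is available, the robust form is `grayImg = (unsigned int *)gmallocn3_checkoverflow(gridW, gridH, sizeof(unsigned int));` with the memset kept in terms of the same checked size; otherwise an explicit `gridH != 0 && gridW > UINT_MAX / gridH` guard before the allocation is needed. The unconditional `!grayImg` check also treats a zero-area grid as a failure (gmallocn returns null for a zero count), which may be intended but differs from the `count > 0 &&` guards used in the other hunks of this commit; a comment stating that a zero grid is rejected on purpose would remove the ambiguity.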

