[poppler] poppler/SplashOutputDev.cc

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Thu Aug 26 07:15:52 UTC 2021 

 poppler/SplashOutputDev.cc |   70 +++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 31 deletions(-)

New commits:
commit f51d2519590369107c27d0f3a078819e1df889fb
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Wed Aug 25 21:52:26 2021 +0200

    SplashOutputDev::drawImage(): Fix abort() in failed gmallocn
    
    Fail following crash on reproducer test case of
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27810
    
    Crash stack on ``pdftoppm -png clusterfuzz-testcase-minimized-gdal_fuzzer-5753490332450816.fuzz`` is:
    ```
    0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    1  0x00007ffff7746859 in __GI_abort () at abort.c:79
    2  0x00007ffff7cff44e in gmallocn (count=count at entry=1073741824, size=size at entry=3, checkoverflow=checkoverflow at entry=false) at /home/even/poppler/goo/gmem.h:116
    3  0x00007ffff7e584d4 in SplashOutputDev::drawImage (this=0x5555555b6b00, state=0x5555555bb360, ref=<optimized out>, str=0x5555555dc6e0, width=19, height=<optimized out>, colorMap=0x7fffffffd2c0,
       interpolate=false, maskColors=0x0, inlineImg=false) at /home/even/poppler/poppler/SplashOutputDev.cc:3286
    4  0x00007ffff7d764a6 in Gfx::doImage (this=this at entry=0x5555555b9460, ref=ref at entry=0x7fffffffd820, str=<optimized out>, inlineImg=inlineImg at entry=false) at /home/even/poppler/poppler/Gfx.cc:4563
    5  0x00007ffff7d773ca in Gfx::opXObject (this=0x5555555b9460, args=<optimized out>, numArgs=<optimized out>) at /home/even/poppler/poppler/Gfx.cc:4105
    6  0x00007ffff7d70dc7 in Gfx::go (this=this at entry=0x5555555b9460, topLevel=topLevel at entry=true) at /home/even/poppler/poppler/Gfx.cc:681
      0x00007ffff7d711f5 in Gfx::display (this=this at entry=0x5555555b9460, obj=obj at entry=0x7fffffffdc00, topLevel=topLevel at entry=true) at /home/even/poppler/poppler/Gfx.cc:642
    8  0x00007ffff7dd2758 in Page::displaySlice (this=0x5555555b5ff0, out=0x5555555b6b00, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>,
       crop=<optimized out>, sliceX=<optimized out>, sliceY=0, sliceW=230, sliceH=230, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0,
       annotDisplayDecideCbk=0x55555555a110 <<lambda(Annot*, void*)>::_FUN(Annot *, void *)>, annotDisplayDecideCbkData=0x0, copyXRef=false) at /home/even/poppler/poppler/Page.cc:576
    9  0x000055555555a633 in savePageSlice (doc=<optimized out>, splashOut=0x5555555b6b00, pg=1, x=<optimized out>, y=<optimized out>, w=<optimized out>, h=<optimized out>, pg_w=<optimized out>,
       pg_h=<optimized out>, ppmFile=0x0) at /home/even/poppler/utils/pdftoppm.cc:288
    10 0x0000555555559232 in main (argc=<optimized out>, argv=<optimized out>) at /home/even/poppler/utils/pdftoppm.cc:684
    ```

diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 3fd590b8..eb773479 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -3274,22 +3274,26 @@ void SplashOutputDev::drawImage(GfxState *state, Object *ref, Stream *str, int w
         switch (colorMode) {
         case splashModeMono1:
         case splashModeMono8:
-            imgData.lookup = (SplashColorPtr)gmalloc(n);
-            for (i = 0; i < n; ++i) {
-                pix = (unsigned char)i;
-                colorMap->getGray(&pix, &gray);
-                imgData.lookup[i] = colToByte(gray);
+            imgData.lookup = (SplashColorPtr)gmalloc_checkoverflow(n);
+            if (likely(imgData.lookup != nullptr)) {
+                for (i = 0; i < n; ++i) {
+                    pix = (unsigned char)i;
+                    colorMap->getGray(&pix, &gray);
+                    imgData.lookup[i] = colToByte(gray);
+                }
             }
             break;
         case splashModeRGB8:
         case splashModeBGR8:
-            imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
-            for (i = 0; i < n; ++i) {
-                pix = (unsigned char)i;
-                colorMap->getRGB(&pix, &rgb);
-                imgData.lookup[3 * i] = colToByte(rgb.r);
-                imgData.lookup[3 * i + 1] = colToByte(rgb.g);
-                imgData.lookup[3 * i + 2] = colToByte(rgb.b);
+            imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, 3);
+            if (likely(imgData.lookup != nullptr)) {
+                for (i = 0; i < n; ++i) {
+                    pix = (unsigned char)i;
+                    colorMap->getRGB(&pix, &rgb);
+                    imgData.lookup[3 * i] = colToByte(rgb.r);
+                    imgData.lookup[3 * i + 1] = colToByte(rgb.g);
+                    imgData.lookup[3 * i + 2] = colToByte(rgb.b);
+                }
             }
             break;
         case splashModeXBGR8:
@@ -3307,32 +3311,36 @@ void SplashOutputDev::drawImage(GfxState *state, Object *ref, Stream *str, int w
             break;
         case splashModeCMYK8:
             grayIndexed = colorMap->getColorSpace()->getMode() != csDeviceGray;
-            imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
-            for (i = 0; i < n; ++i) {
-                pix = (unsigned char)i;
-                colorMap->getCMYK(&pix, &cmyk);
-                if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
-                    grayIndexed = false;
+            imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, 4);
+            if (likely(imgData.lookup != nullptr)) {
+                for (i = 0; i < n; ++i) {
+                    pix = (unsigned char)i;
+                    colorMap->getCMYK(&pix, &cmyk);
+                    if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
+                        grayIndexed = false;
+                    }
+                    imgData.lookup[4 * i] = colToByte(cmyk.c);
+                    imgData.lookup[4 * i + 1] = colToByte(cmyk.m);
+                    imgData.lookup[4 * i + 2] = colToByte(cmyk.y);
+                    imgData.lookup[4 * i + 3] = colToByte(cmyk.k);
                 }
-                imgData.lookup[4 * i] = colToByte(cmyk.c);
-                imgData.lookup[4 * i + 1] = colToByte(cmyk.m);
-                imgData.lookup[4 * i + 2] = colToByte(cmyk.y);
-                imgData.lookup[4 * i + 3] = colToByte(cmyk.k);
             }
             break;
         case splashModeDeviceN8:
             colorMap->getColorSpace()->createMapping(bitmap->getSeparationList(), SPOT_NCOMPS);
             grayIndexed = colorMap->getColorSpace()->getMode() != csDeviceGray;
-            imgData.lookup = (SplashColorPtr)gmallocn(n, SPOT_NCOMPS + 4);
-            for (i = 0; i < n; ++i) {
-                pix = (unsigned char)i;
-                colorMap->getCMYK(&pix, &cmyk);
-                if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
-                    grayIndexed = false;
+            imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, SPOT_NCOMPS + 4);
+            if (likely(imgData.lookup != nullptr)) {
+                for (i = 0; i < n; ++i) {
+                    pix = (unsigned char)i;
+                    colorMap->getCMYK(&pix, &cmyk);
+                    if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
+                        grayIndexed = false;
+                    }
+                    colorMap->getDeviceN(&pix, &deviceN);
+                    for (int cp = 0; cp < SPOT_NCOMPS + 4; cp++)
+                        imgData.lookup[(SPOT_NCOMPS + 4) * i + cp] = colToByte(deviceN.c[cp]);
                 }
-                colorMap->getDeviceN(&pix, &deviceN);
-                for (int cp = 0; cp < SPOT_NCOMPS + 4; cp++)
-                    imgData.lookup[(SPOT_NCOMPS + 4) * i + cp] = colToByte(deviceN.c[cp]);
             }
             break;
         }

More information about the poppler mailing list