[poppler] poppler/ImageEmbeddingUtils.cc
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Wed Dec 1 08:11:55 UTC 2021
poppler/ImageEmbeddingUtils.cc | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
New commits:
commit 27466086ec5c4ca1a15684d034b6a27e76fe8ba6
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Nov 30 00:24:28 2021 +0100
PngEmbedder::embedImage: Make sure we don't overflow doing the multiplications
diff --git a/poppler/ImageEmbeddingUtils.cc b/poppler/ImageEmbeddingUtils.cc
index 4abdfc35..5c50f126 100644
--- a/poppler/ImageEmbeddingUtils.cc
+++ b/poppler/ImageEmbeddingUtils.cc
@@ -23,6 +23,7 @@ extern "C" {
#include "ImageEmbeddingUtils.h"
#include "goo/gmem.h"
+#include "goo/GooCheckedOps.h"
#include "Object.h"
#include "Array.h"
#include "Error.h"
@@ -256,9 +257,24 @@ public:
Ref PngEmbedder::embedImage(XRef *xref)
{
// Read pixels.
- const Goffset mainBufferSize = m_width * m_height * m_nWithoutAlpha * m_byteDepth;
+ Goffset area;
+ if (checkedMultiply(static_cast<Goffset>(m_width), static_cast<Goffset>(m_height), &area)) {
+ error(errIO, -1, "PngEmbedder::embedImage: width * height overflows Goffset");
+ return Ref::INVALID();
+ }
+ Goffset maskBufferSize;
+ static_assert(sizeof(Goffset) >= sizeof(m_byteDepth));
+ if (checkedMultiply(area, static_cast<Goffset>(m_byteDepth), &maskBufferSize)) {
+ error(errIO, -1, "PngEmbedder::embedImage: width * height * m_byteDepth overflows Goffset");
+ return Ref::INVALID();
+ }
+ Goffset mainBufferSize;
+ static_assert(sizeof(Goffset) >= sizeof(m_nWithoutAlpha));
+ if (checkedMultiply(maskBufferSize, static_cast<Goffset>(m_nWithoutAlpha), &mainBufferSize)) {
+ error(errIO, -1, "PngEmbedder::embedImage: width * height * m_byteDepth * m_nWithoutAlpha overflows Goffset");
+ return Ref::INVALID();
+ }
png_bytep mainBuffer = (png_bytep)gmalloc(mainBufferSize);
- const Goffset maskBufferSize = m_width * m_height * m_byteDepth;
png_bytep maskBuffer = (m_hasAlpha) ? (png_bytep)gmalloc(maskBufferSize) : nullptr;
readPixels(mainBuffer, maskBuffer);
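Review bot: The three `checkedMultiply` guards only bound the product to `Goffset`, yet the results go straight into `gmalloc(mainBufferSize)` and `gmalloc(maskBufferSize)`. If `gmalloc` takes a `size_t` (its prototype is not in the hunk), a build where `size_t` is narrower than `Goffset` would truncate a large but non-overflowing size, and `readPixels` would presumably write past the shorter buffer. A range check before the allocations would close this, for example `if (static_cast<unsigned long long>(mainBufferSize) > std::numeric_limits<size_t>::max()) { error(errIO, -1, "PngEmbedder::embedImage: buffer size exceeds size_t"); return Ref::INVALID(); }`, which needs `<limits>`. The two `static_assert`s compare sizes only, so a one-line comment such as `// width, height, byte depth and channel count come from libpng and are assumed non-negative` would make the cast assumption explicit. The body of `embedImage` continues past the end of the hunk.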