[poppler] 3 commits - fofi/FoFiTrueType.cc poppler/GfxState.cc poppler/PSOutputDev.cc
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Jan 5 10:06:55 UTC 2021
fofi/FoFiTrueType.cc | 3 ++-
poppler/GfxState.cc | 6 +++++-
poppler/PSOutputDev.cc | 4 ++++
3 files changed, 11 insertions(+), 2 deletions(-)
New commits:
commit 0e6c3ff9bb4390d2b426a4cddbb638c19811055d
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Jan 5 00:09:43 2021 +0100
Check obj1 is a stream before getting the stream
It seems we already did this check a few lines above, and indeed we did,
but on very broken documents, if arr[1] is a Ref, getting objects may
end up in a reconstruct xref call which may end up changing the type of
arr[1] the next time we ask for it
oss-fuzz/29260
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index cffa7c43..a9ce7a89 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -16,7 +16,7 @@
// Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
// Copyright (C) 2006, 2007 Jeff Muizelaar <jeff at infidigm.net>
// Copyright (C) 2006, 2010 Carlos Garcia Campos <carlosgc at gnome.org>
-// Copyright (C) 2006-2020 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006-2021 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2009, 2012 Koji Otani <sho at bbr.jp>
// Copyright (C) 2009, 2011-2016, 2020 Thomas Freitag <Thomas.Freitag at alfa.de>
// Copyright (C) 2009, 2019 Christian Persch <chpe at gnome.org>
@@ -1713,6 +1713,10 @@ GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr, OutputDev *out, GfxState
#ifdef USE_CMS
obj1 = arr->get(1);
+ if (!obj1.isStream()) {
+ error(errSyntaxWarning, -1, "Bad ICCBased color space (stream)");
+ return nullptr;
+ }
unsigned char *profBuf;
Stream *iccStream = obj1.getStream();
int length = 0;
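Review bot: The added `isStream()` re-check in the `USE_CMS` block reads as redundant next to the earlier check the commit message mentions, and nothing in the code says why it is needed, so a later clean-up could remove it and reopen the bad `getStream()` call. I would put a comment above it, e.g. `// arr->get(1) may trigger xref reconstruction on broken files and return a different type than the earlier fetch, so re-check before getStream()`. The underlying problem is that the same array element is fetched twice. If the code above the hunk allows it, fetching the element once and reusing that `Object` would close the window entirely, but that code is not visible here, so this needs checking. `GfxICCBasedColorSpace::parse` starts and ends outside the hunk.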
commit 3ac779d9a9d2c63433d3765c82a2724947d86a15
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jan 4 23:54:52 2021 +0100
FoFiTrueType::parse: If we don't have tables parsing didn't succeed
oss-fuzz/29217
diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index ce462c1e..a1396c55 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -16,7 +16,7 @@
// Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
// Copyright (C) 2007 Koji Otani <sho at bbr.jp>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc at gnome.org>
-// Copyright (C) 2008, 2009, 2012, 2014-2020 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008, 2009, 2012, 2014-2021 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2008 Tomas Are Haavet <tomasare at gmail.com>
// Copyright (C) 2012 Suzuki Toshiya <mpsuzuki at hiroshima-u.ac.jp>
// Copyright (C) 2012, 2017 Adrian Johnson <ajohnson at redneon.com>
@@ -1529,6 +1529,7 @@ void FoFiTrueType::parse()
tables = (TrueTypeTable *)greallocn_checkoverflow(tables, nTables, sizeof(TrueTypeTable));
}
if (!parsedOk || tables == nullptr) {
+ parsedOk = false;
return;
}
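Review bot: On the `tables == nullptr` path the early return now clears `parsedOk`, but `nTables` appears to keep the count read from the font. Any code that walks `tables` up to `nTables` without first testing `parsedOk` would then still dereference a null pointer. Adding `nTables = 0;` next to `parsedOk = false;` would make the failed state self-consistent. Whether such a caller exists cannot be seen from this hunk, because `FoFiTrueType::parse` starts and ends outside it.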
commit e4346ae34b24ce84a4aeae539f26cab49497450c
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jan 4 23:39:54 2021 +0100
PSOutputDev: protect against potential divide by 0
oss-fuzz/29241
diff --git a/poppler/PSOutputDev.cc b/poppler/PSOutputDev.cc
index 9e88e32c..7e83c94c 100644
--- a/poppler/PSOutputDev.cc
+++ b/poppler/PSOutputDev.cc
@@ -3734,6 +3734,10 @@ void PSOutputDev::startPage(int pageNum, GfxState *state, XRef *xrefA)
xScale = xScale0;
yScale = yScale0;
} else if ((globalParams->getPSShrinkLarger() && (width > imgWidth2 || height > imgHeight2)) || (globalParams->getPSExpandSmaller() && (width < imgWidth2 && height < imgHeight2))) {
+ if (unlikely(width == 0)) {
+ error(errSyntaxError, -1, "width 0, xScale would be infinite");
+ return;
+ }
xScale = (double)imgWidth2 / (double)width;
yScale = (double)imgHeight2 / (double)height;
if (yScale < xScale) {
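Review bot: The new guard rejects only `width == 0`, but the next statement, `yScale = (double)imgHeight2 / (double)height;`, divides by `height` with no check. With `getPSExpandSmaller()` set, a page with non-zero width and zero height still satisfies `width < imgWidth2 && height < imgHeight2` and reaches that division. The guard should cover both, e.g. `if (unlikely(width == 0 || height == 0)) {` with a message naming both dimensions. The early `return` also leaves `startPage` partway through. Whether the caller copes with a page that was never fully started should be confirmed, since the rest of the function is outside the hunk.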