[poppler] [PATCH] Fix crash on invalid image

Sat, 03 Mar 2012 11:28:25 -0800 

Hi,

The attached patch fixes a SIGFPE when rendering the attached image (generated 
by a fuzzer)

$ valgrind ~/poppler-git/install/bin/pdftoppm gdal-131/session-665/byte.pdf 
out
==31362== Memcheck, a memory error detector
==31362== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==31362== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==31362== Command: /home/even/poppler-git/install/bin/pdftoppm 
gdal-131/session-665/byte.pdf out
==31362==
Syntax Error (1148): Unknown filter 'FnateDecode'
==31362==
==31362== Process terminating with default action of signal 8 (SIGFPE)
==31362==  Integer divide by zero at address 0x40325AF63
==31362==    at 0x4FE5201: ImageStream::ImageStream(Stream*, int, int, int) 
(Stream.cc:420)
==31362==    by 0x4F0F5E5: SplashOutputDev::drawImage(GfxState*, Object*, 
Stream*, int, int, GfxImageColorMap*, bool, int*, bool) 
(SplashOutputDev.cc:2999)
==31362==    by 0x4F7E591: Gfx::doImage(Object*, Stream*, bool) (Gfx.cc:4585)
==31362==    by 0x4F7CA3A: Gfx::opXObject(Object*, int) (Gfx.cc:4145)
==31362==    by 0x4F6BAE0: Gfx::execOp(Object*, Object*, int) (Gfx.cc:855)
==31362==    by 0x4F6B3E8: Gfx::go(bool) (Gfx.cc:714)
==31362==    by 0x4F6B201: Gfx::display(Object*, bool) (Gfx.cc:680)
==31362==    by 0x4FD6B71: Page::displaySlice(OutputDev*, double, double, int, 
bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, 
void*), void*) (Page.cc:485)
==31362==    by 0x4FDAACC: PDFDoc::displayPageSlice(OutputDev*, int, double, 
double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, 
bool (*)(Annot*, void*), void*) (PDFDoc.cc:500)
==31362==    by 0x40172E: savePageSlice(PDFDoc*, SplashOutputDev*, int, int, 
int, int, int, double, double, char*) (pdftoppm.cc:196)
==31362==    by 0x401F73: main (pdftoppm.cc:415)

Best regards,

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 51b6fcd..a567060 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4381,6 +4381,8 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
       obj1.free();
       dict->lookup("D", &obj1);
     }
+    if (bits == 0)
+      goto err2;
     colorMap = new GfxImageColorMap(bits, &obj1, colorSpace);
     obj1.free();
     if (!colorMap->isOk()) {

Attachment: byte_0_bits.pdf
Description: Adobe PDF document

_______________________________________________
poppler mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/poppler

Reply via email to