poppler/JPXStream.cc |   14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

New commits:
commit 2b8d95aeede56c75699bb83ca3b23ea199b81c2c
Author: Albert Astals Cid <[email protected]>
Date:   Thu Jun 28 00:18:07 2012 +0200

    Add some security checks to JPXStream decoding
    
    Fixes crash in broken/fuzzed pdf sent by Mateusz "j00ru" Jurczyk and 
Gynvael Coldwind

diff --git a/poppler/JPXStream.cc b/poppler/JPXStream.cc
index 54bee6f..2cf616d 100644
--- a/poppler/JPXStream.cc
+++ b/poppler/JPXStream.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2008 Albert Astals Cid <[email protected]>
+// Copyright (C) 2008, 2012 Albert Astals Cid <[email protected]>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -416,6 +416,10 @@ void JPXStream::fillReadBuf() {
 #endif
     tx = jpxCeilDiv((curX - img.xTileOffset) % img.xTileSize, tileComp->hSep);
     ty = jpxCeilDiv((curY - img.yTileOffset) % img.yTileSize, tileComp->vSep);
+    if (unlikely(ty >= (tileComp->y1 - tileComp->y0))) {
+      error(errSyntaxError, getPos(), "Unexpected ty in fillReadBuf in JPX 
stream");
+      return;
+    }
     pix = (int)tileComp->data[ty * (tileComp->x1 - tileComp->x0) + tx];
     pixBits = tileComp->prec;
 #if 1 //~ ignore the palette, assume the PDF ColorSpace object is valid
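Review bot: The new guard in fillReadBuf bounds only `ty`, while the read on the following line indexes `tileComp->data[ty * (tileComp->x1 - tileComp->x0) + tx]`. A `tx` at or beyond the row width therefore still reads past the end of the buffer on the last row, and silently reads from the wrong row elsewhere. A matching check next to the new one would close that gap: `if (unlikely(tx >= (tileComp->x1 - tileComp->x0))) { error(errSyntaxError, getPos(), "Unexpected tx in fillReadBuf in JPX stream"); return; }`. fillReadBuf starts and ends outside the hunk, so the state the caller sees after the early return (presumably a read buffer that was not refilled) should be confirmed against the full function.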
@@ -2846,7 +2850,13 @@ void JPXStream::inverseTransformLevel(JPXTileComp 
*tileComp,
        cover(102);
        ++shift;
       }
-      t = tileComp->quantSteps[qStyle == 1 ? 0 : (3*r - 2 + sb)];
+      const Guint stepIndex = qStyle == 1 ? 0 : (3*r - 2 + sb);
+      if (unlikely(stepIndex >= tileComp->nQuantSteps)) {
+       error(errSyntaxError, getPos(),
+             "Wrong index for quantSteps in inverseTransformLevel in JPX 
stream");
+       break;
+      }
+      t = tileComp->quantSteps[stepIndex];
       mu = (double)(0x800 + (t & 0x7ff)) / 2048.0;
     }
     if (tileComp->transform == 0) {
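Review bot: The `break` after the new `stepIndex` check only leaves whatever loop encloses it, which starts outside the hunk, and inverseTransformLevel returns void. The caller gets no signal that the level was abandoned, and the rest of the function presumably continues on coefficients that were never dequantized. That is memory-safe, but it deserves a comment at the `break`, for example `// malformed quantization table: stop processing subbands, the decoded tile content is unreliable from here on`. Confirm that the code after the loop does not depend on `mu` or `shift` having been set for every subband. Including the offending value in the message (`stepIndex` against `tileComp->nQuantSteps`) would also make fuzzed-file reports easier to triage.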