Hi, A too huge number may cause the gmallocn() in Catalog::cachePageTree() to crash even if we call it with a low page number.
Even -- Spatialys - Geospatial professional services http://www.spatialys.com
From b75cac1d3af0e79488063be5740ba1c8fb8f6876 Mon Sep 17 00:00:00 2001 From: Even Rouault <[email protected]> Date: Mon, 7 Sep 2015 21:03:12 +0200 Subject: [PATCH] Catalog::getNumPages(): validate page count A too huge number may cause the gmallocn() in Catalog::cachePageTree() to crash even if we call it with a low page number. --- poppler/Catalog.cc | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) diff --git a/poppler/Catalog.cc b/poppler/Catalog.cc index 04caa1c..72f6997 100644 --- a/poppler/Catalog.cc +++ b/poppler/Catalog.cc @@ -856,6 +856,21 @@ int Catalog::getNumPages() } } else { numPages = (int)obj.getNum(); + + if (numPages <= 0 ) { + error(errSyntaxError, -1, + "Invalid page count {0:d}", numPages); + numPages = 0; + } + // to avoid too huge memory allocations layer and avoid crashes + // This is the maximum number of indirect objects as per ISO-32000:2008 (Table C-1) + // We could probably decrease that number again. PDFium for example uses 1 Mi + else if (numPages > 8 * 1024 * 1024) { + error(errSyntaxWarning, -1, + "Page count ({0:d}) too big. Limiting number of reported pages to 8 Mi", + numPages); + numPages = 8 * 1024 * 1024; + } } catDict.free(); -- 1.7.0.4
_______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
