poppler/TextOutputDev.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
New commits: commit 7ee9dadef37b20bca707a6b1e858e17d191e368b Author: Jason Crain <[email protected]> Date: Thu Oct 5 15:32:13 2017 -0500 TextOutputDev: Fix crash in fuzzed file This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations. Bug #103116 diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc index d30874cf..14002407 100644 --- a/poppler/TextOutputDev.cc +++ b/poppler/TextOutputDev.cc @@ -30,7 +30,7 @@ // Copyright (C) 2010 Suzuki Toshiya <[email protected]> // Copyright (C) 2011 Sam Liao <[email protected]> // Copyright (C) 2012 Horst Prote <[email protected]> -// Copyright (C) 2012, 2013-2016 Jason Crain <[email protected]> +// Copyright (C) 2012, 2013-2017 Jason Crain <[email protected]> // Copyright (C) 2012 Peter Breitenlohner <[email protected]> // Copyright (C) 2013 José Aliste <[email protected]> // Copyright (C) 2013 Thomas Freitag <[email protected]> @@ -889,12 +889,12 @@ void TextPool::addWord(TextWord *word) { TextWord *w0, *w1; // expand the array if needed - if (unlikely((word->base / textPoolStep) > INT_MAX)) { - error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX"); + wordBaseIdx = (int)(word->base / textPoolStep); + if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) { + error(errSyntaxWarning, -1, "wordBaseIdx out of range"); delete word; return; } - wordBaseIdx = (int)(word->base / textPoolStep); if (minBaseIdx > maxBaseIdx) { minBaseIdx = wordBaseIdx - 128; maxBaseIdx = wordBaseIdx + 128;
_______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
