poppler/XRef.cc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
New commits: commit 42d8d7ffd8b5393dc3103a45932b70bc8ca61c2e Author: Albert Astals Cid <[email protected]> Date: Wed Nov 22 21:50:24 2017 +0100 Open files that state 8 bits as third field of W Even we only really accept 32 bits since it is really strange to have more than 2^31 generations Bug #103469 diff --git a/poppler/XRef.cc b/poppler/XRef.cc index e37d5494..f04a31fc 100644 --- a/poppler/XRef.cc +++ b/poppler/XRef.cc @@ -734,7 +734,7 @@ GBool XRef::readXRefStream(Stream *xrefStr, Goffset *pos) { return gFalse; } } - if (w[0] > (int)sizeof(int) || w[1] > (int)sizeof(long long) || w[2] > (int)sizeof(int)) { + if (w[0] > (int)sizeof(int) || w[1] > (int)sizeof(long long) || w[2] > (int)sizeof(long long)) { return gFalse; } @@ -782,8 +782,8 @@ GBool XRef::readXRefStream(Stream *xrefStr, Goffset *pos) { } GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) { - unsigned long long offset; - int type, gen, c, i, j; + unsigned long long offset, gen; + int type, c, i, j; if (first + n < 0) { return gFalse; @@ -825,6 +825,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) { } gen = (gen << 8) + c; } + if (gen > INT_MAX) { + error(errSyntaxError, -1, "Gen inside xref table too large (bigger than INT_MAX)"); + return gFalse; + } if (entries[i].offset == -1) { switch (type) { case 0: _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
