poppler/XRef.cc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
New commits: commit dbe330678766d1260d7f595d238e90aeae1194d6 Author: Albert Astals Cid <[email protected]> Date: Tue May 22 19:31:34 2018 +0200 XRef::constructXRef: Prevent overflow when calculating newSize fixes oss-fuzz/8421
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 25bc18a4..089c2eb2 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -866,7 +866,6 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
 char buf[256];
 Goffset pos;
 int num, gen;
- int newSize;
 int streamEndsSize;
 char *p;
 GBool gotRoot;
@@ -961,7 +960,11 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
 while (*p && isspace(*p & 0xff)) ++p;
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
- newSize = (num + 1 + 255) & ~255;
+ if (unlikely(num >= INT_MAX - 1 - 255)) {
+ error(errSyntaxError, -1, "Bad object number");
+ return gFalse;
+ }
+ const int newSize = (num + 1 + 255) & ~255;
 if (newSize < 0) {
 error(errSyntaxError, -1, "Bad object number");
 return gFalse;
_______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
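Review bot: In the second hunk the retained `if (newSize < 0)` branch looks unreachable after the new guard: once `num >= INT_MAX - 1 - 255` is rejected, `(num + 1 + 255) & ~255` cannot wrap, and it could only be negative if `num` itself were negative, which depends on checks outside this hunk. The old test relied on signed overflow, which is undefined behaviour and may be folded away by the optimizer, so the ordering deserves a comment above the guard such as `// num appears to be parsed from the document: bound it before the addition, signed overflow is UB and a later newSize < 0 test may be optimized out`. Either drop the second check or label it as a defensive guard against a negative `num`. The added lines also need `INT_MAX` and `unlikely` in scope and the commit adds no include, so presumably `<limits.h>` is already pulled in; it is worth confirming that it is included directly rather than transitively. The body of constructXRef starts and ends outside the hunk.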
