splash/SplashXPath.cc | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
New commits:
commit 2f5ad138924ce4e236455b0e4493d4d869c76397
Author: Albert Astals Cid <[email protected]>
Date: Thu Oct 4 19:44:12 2018 +0200
SplashXPath: check for overflow fixes oss-fuzz/10806
diff --git a/splash/SplashXPath.cc b/splash/SplashXPath.cc
index bb09a6bf..47f3f1dd 100644
--- a/splash/SplashXPath.cc
+++ b/splash/SplashXPath.cc
@@ -12,7 +12,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2010 Paweł Wiejacha <[email protected]>
-// Copyright (C) 2010, 2011 Albert Astals Cid <[email protected]>
+// Copyright (C) 2010, 2011, 2018 Albert Astals Cid <[email protected]>
 // Copyright (C) 2013 Thomas Freitag <[email protected]>
 // Copyright (C) 2017 Adrian Johnson <[email protected]>
 //
@@ -31,6 +31,7 @@
 #include <string.h>
 #include <algorithm>
 #include "goo/gmem.h"
+#include "goo/GooLikely.h"
 #include "SplashMath.h"
 #include "SplashPath.h"
 #include "SplashXPath.h"
@@ -272,7 +273,11 @@ void SplashXPath::grow(int nSegs) {
 while (size < length + nSegs) {
 size *= 2;
 }
- segs = (SplashXPathSeg *)greallocn(segs, size, sizeof(SplashXPathSeg));
+ segs = (SplashXPathSeg *)greallocn_checkoverflow(segs, size, sizeof(SplashXPathSeg));
+ if (unlikely(!segs)) {
+ length = 0;
+ size = 0;
+ }
 }
 }
@@ -397,6 +402,8 @@ void SplashXPath::addCurve(SplashCoord x0, SplashCoord y0,
 void SplashXPath::addSegment(SplashCoord x0, SplashCoord y0,
 SplashCoord x1, SplashCoord y1) {
 grow(1);
+ if (unlikely(!segs))
+ return;
 segs[length].x0 = x0;
 segs[length].y0 = y0;
 segs[length].x1 = x1;
_______________________________________________
poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
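Review bot: The doubling loop kept as context just above the changed call in grow(), `while (size < length + nSegs) { size *= 2; }`, still runs unchecked, so `greallocn_checkoverflow` only protects the `size * sizeof(SplashXPathSeg)` product. If `size` and `length` are plain `int` (their declarations are not in this hunk), `length + nSegs` or `size *= 2` can overflow before the allocator ever sees the value; testing `nSegs > INT_MAX - length` before the loop and `size > INT_MAX / 2` before each doubling, and taking the same reset path, would close that. Assigning the result straight back to `segs` also discards the old pointer on failure, which is leak-free only if `greallocn_checkoverflow` frees its argument when it returns null; a one-line comment stating that would help here. grow() begins above the hunk.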
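Review bot: The early return after `grow(1)` in addSegment() drops the segment without telling the caller, and nothing records that the path has been emptied. Because the failure branch in grow() resets `length` and `size` to 0, a later addSegment() call will presumably allocate a fresh buffer, leaving the object with only the segments added after the failure, so a truncated path may be rendered instead of the operation failing. A sticky error flag, or at least a comment such as `// allocation failed in grow(): path was reset, drop this segment`, would make that explicit. Any other code outside this hunk that writes `segs[length]` after calling grow() needs the same null check. The body of addSegment() continues past the end of the hunk.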
