poppler/TextOutputDev.cc |   19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

New commits:
commit 69d86f90e30785a0db76d3898914de4c0782b947
Author: Albert Astals Cid <[email protected]>
Date:   Tue Feb 19 16:18:48 2019 +0100

    TextOutputDev: Fix assert in broken file
    
    oss-fuzz/13203

diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index c3367883..dcb6ccb1 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -20,7 +20,7 @@
 // Copyright (C) 2006 Jeff Muizelaar <[email protected]>
 // Copyright (C) 2007, 2008, 2012, 2017 Adrian Johnson <[email protected]>
 // Copyright (C) 2008 Koji Otani <[email protected]>
-// Copyright (C) 2008, 2010-2012, 2014-2018 Albert Astals Cid <[email protected]>
+// Copyright (C) 2008, 2010-2012, 2014-2019 Albert Astals Cid <[email protected]>
 // Copyright (C) 2008 Pino Toscano <[email protected]>
 // Copyright (C) 2008, 2010 Hib Eris <[email protected]>
 // Copyright (C) 2009 Ross Moore <[email protected]>
@@ -876,16 +876,14 @@ TextPool::~TextPool() {
 }
 
 int TextPool::getBaseIdx(double base) {
-  int baseIdx;
-
-  baseIdx = (int)(base / textPoolStep);
-  if (baseIdx < minBaseIdx) {
+  const double baseIdxDouble = base / textPoolStep;
+  if (baseIdxDouble < minBaseIdx) {
     return minBaseIdx;
   }
-  if (baseIdx > maxBaseIdx) {
+  if (baseIdxDouble > maxBaseIdx) {
     return maxBaseIdx;
   }
-  return baseIdx;
+  return (int)baseIdxDouble;
 }
 
 void TextPool::addWord(TextWord *word) {
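Review bot: A NaN quotient still reaches the cast in `getBaseIdx`: if `base / textPoolStep` is NaN, both range comparisons are false and `(int)baseIdxDouble` is evaluated, which is undefined behaviour for a value int cannot represent. Whether a NaN `base` can arrive from a malformed file is not visible in this hunk, but the commit targets fuzzer input, so it seems worth closing with `if (std::isnan(baseIdxDouble) || baseIdxDouble < minBaseIdx) {` (this needs `<cmath>` if the file does not already include it). A one-line comment above the comparisons, such as `// compare as double: casting an out-of-range value to int is undefined`, would also record why the cast was moved to the return.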
@@ -910,8 +908,13 @@ void TextPool::addWord(TextWord *word) {
     }
   } else if (wordBaseIdx < minBaseIdx) {
     newMinBaseIdx = wordBaseIdx - 128;
-    newPool = (TextWord **)gmallocn(maxBaseIdx - newMinBaseIdx + 1,
+    newPool = (TextWord **)gmallocn_checkoverflow(maxBaseIdx - newMinBaseIdx + 1,
                                    sizeof(TextWord *));
+    if (unlikely(!newPool)) {
+      error(errSyntaxWarning, -1, "newPool would overflow");
+      delete word;
+      return;
+    }
     for (baseIdx = newMinBaseIdx; baseIdx < minBaseIdx; ++baseIdx) {
       newPool[baseIdx - newMinBaseIdx] = nullptr;
     }
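Review bot: The count handed to `gmallocn_checkoverflow` is still computed in plain arithmetic before the checked allocator sees it: `wordBaseIdx - 128` and then `maxBaseIdx - newMinBaseIdx + 1` can overflow if these are ints (their declarations are outside the hunk), and signed overflow is undefined, so the allocator may receive an already-wrapped value. Consider rejecting extreme indices before the subtraction, e.g. `if (unlikely(wordBaseIdx < INT_MIN + 128)) { delete word; return; }`, or computing the count in a wider type and range-checking it first. The new early return also deletes `word`, so a short comment such as `// addWord owns word; it is freed here when the pool cannot grow` would help callers, which are not visible here. The `wordBaseIdx > maxBaseIdx` branch and the rest of `addWord` lie outside the hunk, so I could not confirm that the growing path on that side is guarded the same way.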