goo/gmem.h | 12 ++++++++---- poppler/TextOutputDev.cc | 13 +++++++++---- 2 files changed, 17 insertions(+), 8 deletions(-)
New commits: commit e69dc7a5a44c1c3fb97023d44e9e99a2bca75a46 Author: Albert Astals Cid <[email protected]> Date: Wed Jul 3 16:18:43 2019 +0200 TextOuputDev: Fix crash when grealloc would overflow Introduces a new greallocn variant that doesn't free the pointer passed in case of error, since the pointer holds pointers inside, that would lead to leak of all those pointers diff --git a/goo/gmem.h b/goo/gmem.h index 9b187c1d..2eb88be7 100644 --- a/goo/gmem.h +++ b/goo/gmem.h @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Takashi Iwai <[email protected]> -// Copyright (C) 2007-2010, 2017 Albert Astals Cid <[email protected]> +// Copyright (C) 2007-2010, 2017, 2019 Albert Astals Cid <[email protected]> // Copyright (C) 2008 Jonathan Kew <[email protected]> // Copyright (C) 2018 Adam Reichold <[email protected]> // @@ -139,9 +139,11 @@ inline void *gmallocn3(int width, int height, int size, bool checkoverflow = fal return gmalloc(bytes, checkoverflow); } -inline void *greallocn(void *p, int count, int size, bool checkoverflow = false) { +inline void *greallocn(void *p, int count, int size, bool checkoverflow = false, bool free_p = true) { if (count == 0) { - gfree(p); + if (free_p) { + gfree(p); + } return nullptr; } @@ -150,7 +152,9 @@ inline void *greallocn(void *p, int count, int size, bool checkoverflow = false) std::fputs("Bogus memory allocation size\n", stderr); if (checkoverflow) { - gfree(p); + if (free_p) { + gfree(p); + } return nullptr; } diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc index 6cb1d9aa..e62e088c 100644 --- a/poppler/TextOutputDev.cc +++ b/poppler/TextOutputDev.cc @@ -887,7 +887,6 @@ int TextPool::getBaseIdx(double base) { } void TextPool::addWord(TextWord *word) { - TextWord **newPool; int wordBaseIdx, newMinBaseIdx, newMaxBaseIdx, baseIdx; TextWord *w0, *w1; @@ -908,7 +907,7 @@ void TextPool::addWord(TextWord *word) { } } else if (wordBaseIdx < minBaseIdx) { newMinBaseIdx = wordBaseIdx - 128; - newPool = (TextWord **)gmallocn_checkoverflow(maxBaseIdx - newMinBaseIdx + 1, + TextWord **newPool = (TextWord **)gmallocn_checkoverflow(maxBaseIdx - newMinBaseIdx + 1, sizeof(TextWord *)); if (unlikely(!newPool)) { error(errSyntaxWarning, -1, "newPool would overflow"); @@ -925,8 +924,14 @@ void TextPool::addWord(TextWord *word) { minBaseIdx = newMinBaseIdx; } else if (wordBaseIdx > maxBaseIdx) { newMaxBaseIdx = wordBaseIdx + 128; - pool = (TextWord **)greallocn(pool, newMaxBaseIdx - minBaseIdx + 1, - sizeof(TextWord *)); + TextWord **reallocatedPool = (TextWord **)greallocn(pool, newMaxBaseIdx - minBaseIdx + 1, + sizeof(TextWord *), true /*checkoverflow*/, false /*free_pool*/); + if (!reallocatedPool) { + error(errSyntaxWarning, -1, "new pool size would overflow"); + delete word; + return; + } + pool = reallocatedPool; for (baseIdx = maxBaseIdx + 1; baseIdx <= newMaxBaseIdx; ++baseIdx) { pool[baseIdx - minBaseIdx] = nullptr; } _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
