fofi/FoFiTrueType.cc | 3 ++-
poppler/GfxState.cc | 6 +++++-
poppler/PSOutputDev.cc | 4 ++++
3 files changed, 11 insertions(+), 2 deletions(-)
New commits:
commit 0e6c3ff9bb4390d2b426a4cddbb638c19811055d
Author: Albert Astals Cid <[email protected]>
Date:   Tue Jan 5 00:09:43 2021 +0100

    Check obj1 is a stream before getting the stream

    It seems we already did this check a few lines above, and indeed we did, but on very broken documents, if arr[1] is a Ref, getting objects may end up in a reconstruct xref call which may end up changing the type of arr[1] the next time we ask for it

    oss-fuzz/29260

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index cffa7c43..a9ce7a89 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -16,7 +16,7 @@
 // Copyright (C) 2005 Kristian Høgsberg <[email protected]>
 // Copyright (C) 2006, 2007 Jeff Muizelaar <[email protected]>
 // Copyright (C) 2006, 2010 Carlos Garcia Campos <[email protected]>
-// Copyright (C) 2006-2020 Albert Astals Cid <[email protected]>
+// Copyright (C) 2006-2021 Albert Astals Cid <[email protected]>
 // Copyright (C) 2009, 2012 Koji Otani <[email protected]>
 // Copyright (C) 2009, 2011-2016, 2020 Thomas Freitag <[email protected]>
 // Copyright (C) 2009, 2019 Christian Persch <[email protected]>
@@ -1713,6 +1713,10 @@ GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr, OutputDev *out, GfxState
 #ifdef USE_CMS
     obj1 = arr->get(1);
+    if (!obj1.isStream()) {
+        error(errSyntaxWarning, -1, "Bad ICCBased color space (stream)");
+        return nullptr;
+    }
     unsigned char *profBuf;
     Stream *iccStream = obj1.getStream();
     int length = 0;
commit 3ac779d9a9d2c63433d3765c82a2724947d86a15
Author: Albert Astals Cid <[email protected]>
Date:   Mon Jan 4 23:54:52 2021 +0100

    FoFiTrueType::parse: If we don't have tables parsing didn't succeed

    oss-fuzz/29217

diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index ce462c1e..a1396c55 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
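Review bot: The new `isStream()` guard right after `obj1 = arr->get(1)` will read as redundant to the next maintainer, because the commit message itself says the same check already exists a few lines earlier, and nothing in the code explains why both are needed; a later cleanup is likely to drop one of them. Add a comment above the guard, e.g. `// Re-check the type: arr->get(1) may trigger an xref reconstruction that changes what arr[1] resolves to (oss-fuzz/29260)`. GfxICCBasedColorSpace::parse begins and ends outside the hunk, so it is not visible here whether any use of `obj1` after the `#ifdef USE_CMS` block needs the same guard.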
@@ -16,7 +16,7 @@
 // Copyright (C) 2006 Takashi Iwai <[email protected]>
 // Copyright (C) 2007 Koji Otani <[email protected]>
 // Copyright (C) 2007 Carlos Garcia Campos <[email protected]>
-// Copyright (C) 2008, 2009, 2012, 2014-2020 Albert Astals Cid <[email protected]>
+// Copyright (C) 2008, 2009, 2012, 2014-2021 Albert Astals Cid <[email protected]>
 // Copyright (C) 2008 Tomas Are Haavet <[email protected]>
 // Copyright (C) 2012 Suzuki Toshiya <[email protected]>
 // Copyright (C) 2012, 2017 Adrian Johnson <[email protected]>
@@ -1529,6 +1529,7 @@ void FoFiTrueType::parse()
         tables = (TrueTypeTable *)greallocn_checkoverflow(tables, nTables, sizeof(TrueTypeTable));
     }
     if (!parsedOk || tables == nullptr) {
+        parsedOk = false;
         return;
     }
commit e4346ae34b24ce84a4aeae539f26cab49497450c
Author: Albert Astals Cid <[email protected]>
Date:   Mon Jan 4 23:39:54 2021 +0100

    PSOutputDev: protect against potential divide by 0

    oss-fuzz/29241

diff --git a/poppler/PSOutputDev.cc b/poppler/PSOutputDev.cc
index 9e88e32c..7e83c94c 100644
--- a/poppler/PSOutputDev.cc
+++ b/poppler/PSOutputDev.cc
@@ -3734,6 +3734,10 @@ void PSOutputDev::startPage(int pageNum, GfxState *state, XRef *xrefA)
         xScale = xScale0;
         yScale = yScale0;
     } else if ((globalParams->getPSShrinkLarger() && (width > imgWidth2 || height > imgHeight2)) || (globalParams->getPSExpandSmaller() && (width < imgWidth2 && height < imgHeight2))) {
+        if (unlikely(width == 0)) {
+            error(errSyntaxError, -1, "width 0, xScale would be infinite");
+            return;
+        }
         xScale = (double)imgWidth2 / (double)width;
         yScale = (double)imgHeight2 / (double)height;
         if (yScale < xScale) {
_______________________________________________
poppler mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/poppler
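Review bot: The added `parsedOk = false;` only does anything on the `tables == nullptr` side of the combined `if (!parsedOk || tables == nullptr)`, and folding both cases into one condition hides that the null table array is now itself a parse failure. Splitting the two cases states the intent directly: `if (!parsedOk) return;` followed by `if (tables == nullptr) { parsedOk = false; return; }`. Whichever shape is kept, a one-line comment such as `// no table directory means the font could not be parsed, even if nothing earlier flagged an error` would save the next reader from re-deriving why a null `tables` is treated as failure. FoFiTrueType::parse begins and continues outside the hunk.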
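Review bot: The new guard rejects only `width == 0`, but the statement right after it also divides by `height` (`yScale = (double)imgHeight2 / (double)height;`), and the enclosing `else if` can be entered with `height == 0` through the `width > imgWidth2` disjunct, so a zero height still produces an infinite `yScale` on this path unless it is excluded by code outside the hunk. Extend the check to `if (unlikely(width == 0 || height == 0)) {` and word the message to match, e.g. `"page width or height is 0, scale would be infinite"`. PSOutputDev::startPage begins and ends outside the hunk, so whether a zero height is already rejected earlier cannot be confirmed here.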
