poppler/Gfx.cc | 5 +++-- poppler/Stream.cc | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-)
New commits: commit 4becde57a2fdfd095e400dd9ef64e64d5e94f858 Author: Albert Astals Cid <aa...@kde.org> Date: Fri Jan 15 16:08:15 2021 +0100 CCITTFaxStream: Fix uninitialized memory read in broken files oss-fuzz/8795 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 666d5b2a..a1c8b094 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1893,7 +1893,7 @@ inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) if (a1 < 0) { error(errSyntaxError, getPos(), "Invalid CCITTFax code"); err = true; - a1 = 0; + a1 = columns; } while (a0i > 0 && a1 <= codingLine[a0i - 1]) { --a0i; commit c0f34e983761b15e2c9d5fa6628f26fa7d362548 Author: Albert Astals Cid <aa...@kde.org> Date: Fri Jan 15 16:04:46 2021 +0100 Relax the check in Gfx::opSetFillGray diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 44575569..34a02d53 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -1310,7 +1310,7 @@ void Gfx::opSetFillGray(Object args[], int numArgs) if (!obj.isNull()) { colorSpace = GfxColorSpace::parse(res, &obj, out, state); } - if (colorSpace == nullptr || colorSpace->getNComps() != 1) { + if (colorSpace == nullptr || colorSpace->getNComps() > 1) { delete colorSpace; colorSpace = state->copyDefaultGrayColorSpace(); } commit 548fe49fa53ff0ff63bc1a437ab04908f866cb87 Author: Albert Astals Cid <aa...@kde.org> Date: Fri Jan 15 16:01:01 2021 +0100 Gfx::opSetFillRGBColor: Fix uninitialized memory read in bad files Make sure colorspace doesn't need more comps than we have oss-fuzz/29522 diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 694538cf..44575569 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -1398,7 +1398,8 @@ void Gfx::opSetFillRGBColor(Object args[], int numArgs) if (!obj.isNull()) { colorSpace = GfxColorSpace::parse(res, &obj, out, state); } - if (colorSpace == nullptr) { + if (colorSpace == nullptr || colorSpace->getNComps() > 3) { + delete colorSpace; colorSpace = state->copyDefaultRGBColorSpace(); } state->setFillColorSpace(colorSpace); _______________________________________________ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler