poppler/JBIG2Stream.cc | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-)
New commits: commit 69b2bb9bb0b9ed52f25f4471ee161a4ce15deb23 Author: Even Rouault <[email protected]> Date: Sat Aug 21 00:05:55 2021 +0200 JBIG2Stream.cc: use gmallocn_checkoverflow() instead of gmallocn() This should hopefully fix the crash of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29638 (on the GDAL project in its PDF driver), although I didn't manage to reproduce it with the reproducer attached to the ticket The mentioned stack trace was: ``` 0 0xf7ef2b19 in [vdso] 1 0xf7cc1d08 in raise 2 0xf7cc3206 in abort 3 0xbec0a39 in gmalloc(unsigned int, bool) gdal/poppler/goo/gmem.h:52:5 4 0xbef9a06 in gmallocn(int, int, bool) gdal/poppler/goo/gmem.h:119:12 5 0xc211923 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) gdal/poppler/poppler/JBIG2Stream.cc:1650:37 6 0xc20e607 in JBIG2Stream::readSegments() gdal/poppler/poppler/JBIG2Stream.cc:1331:18 7 0xc20d72f in JBIG2Stream::reset() gdal/poppler/poppler/JBIG2Stream.cc:1171:5 ```
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 725b2cf9..78c273dd 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -1284,7 +1284,10 @@ void JBIG2Stream::readSegments()
 }
 // referred-to segment numbers
- refSegs = (unsigned int *)gmallocn(nRefSegs, sizeof(unsigned int));
+ refSegs = (unsigned int *)gmallocn_checkoverflow(nRefSegs, sizeof(unsigned int));
+ if (nRefSegs > 0 && !refSegs) {
+ return;
+ }
 if (segNum <= 256) {
 for (unsigned int i = 0; i < nRefSegs; ++i) {
 if (!readUByte(&refSegs[i])) {
@@ -1654,7 +1657,10 @@ bool JBIG2Stream::readSymbolDictSeg(unsigned int segNum, unsigned int length, un
 // allocate symbol widths storage
 if (huff && !refAgg) {
- symWidths = (unsigned int *)gmallocn(numNewSyms, sizeof(unsigned int));
+ symWidths = (unsigned int *)gmallocn_checkoverflow(numNewSyms, sizeof(unsigned int));
+ if (numNewSyms > 0 && !symWidths) {
+ goto syntaxError;
+ }
 }
 symHeight = 0;
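Review bot: The new early return after `refSegs = (unsigned int *)gmallocn_checkoverflow(nRefSegs, sizeof(unsigned int));` leaves readSegments() silently, so a segment header whose referred-to count previously aborted the process now produces no diagnostic at all; the same applies to the new returns in the readTextRegionSeg hunks at @@ -1985 and @@ -2113 and the readHalftoneRegionSeg hunk at @@ -2607. Elsewhere this file reports rejected input through error(errSyntaxError, curStr->getPos(), "..."), and adding that before each return, e.g. `error(errSyntaxError, curStr->getPos(), "Bad number of referred-to segments in JBIG2 segment header");`, keeps oversized counts from malformed or fuzzed files visible in the error output instead of looking like a clean parse. The readSymbolDictSeg hunk is the exception: its `goto syntaxError` presumably reaches the existing cleanup and reporting path, so it needs nothing extra. readSegments() begins outside the hunk, so whether anything allocated earlier in the function must be released before the new return cannot be confirmed from here.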
@@ -1985,7 +1991,10 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
 }
 // get the symbol bitmaps
- syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+ syms = (JBIG2Bitmap **)gmallocn_checkoverflow(numSyms, sizeof(JBIG2Bitmap *));
+ if (numSyms > 0 && !syms) {
+ return;
+ }
 kk = 0;
 for (i = 0; i < nRefSegs; ++i) {
 if ((seg = findSegment(refSegs[i]))) {
@@ -2113,7 +2122,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
 }
 if (huff) {
- symCodeTab = (JBIG2HuffmanTable *)gmallocn(numSyms + 1, sizeof(JBIG2HuffmanTable));
+ symCodeTab = (JBIG2HuffmanTable *)gmallocn_checkoverflow(numSyms + 1, sizeof(JBIG2HuffmanTable));
+ if (!symCodeTab) {
+ gfree(syms);
+ return;
+ }
 for (i = 0; i < numSyms; ++i) {
 symCodeTab[i].val = i;
 symCodeTab[i].rangeLen = 0;
@@ -2607,7 +2620,10 @@ void JBIG2Stream::readHalftoneRegionSeg(unsigned int segNum, bool imm, bool loss
 }
 // read the gray-scale image
- grayImg = (unsigned int *)gmallocn(gridW * gridH, sizeof(unsigned int));
+ grayImg = (unsigned int *)gmallocn_checkoverflow(gridW * gridH, sizeof(unsigned int));
+ if (!grayImg) {
+ return;
+ }
 memset(grayImg, 0, gridW * gridH * sizeof(unsigned int));
 atx[0] = templ <= 1 ? 3 : 2;
 aty[0] = -1;
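Review bot: The overflow check gained by `gmallocn_checkoverflow(gridW * gridH, sizeof(unsigned int))` in the @@ -2607 hunk only covers the multiplication by sizeof(unsigned int); the `gridW * gridH` product is still formed in the caller's own arithmetic and can wrap to a small value before the call, after which the memset on the next line and the gray-scale decode that follows address a buffer far smaller than gridW × gridH. Unless a guard earlier in readHalftoneRegionSeg (the function starts outside the hunk) already bounds that product, the factors should be validated before the allocation, e.g. (assuming both are unsigned int) `if (gridW != 0 && gridH > UINT_MAX / gridW) { return; }`, or the allocation done through a helper that takes the two factors separately if gmem provides one. The `if (!grayImg)` test also differs from the `n > 0 && !ptr` form used in the other hunks: a zero-area grid now returns early too, which is the safer outcome given that the other guards imply a null return for a zero count, but a one-line comment stating that intent would stop a later reader from "harmonising" it away.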
