poppler/ImageEmbeddingUtils.cc | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
New commits: commit 27466086ec5c4ca1a15684d034b6a27e76fe8ba6 Author: Albert Astals Cid <[email protected]> Date: Tue Nov 30 00:24:28 2021 +0100 PngEmbedder::embedImage: Make sure we don't overflow doing the multiplications diff --git a/poppler/ImageEmbeddingUtils.cc b/poppler/ImageEmbeddingUtils.cc index 4abdfc35..5c50f126 100644 --- a/poppler/ImageEmbeddingUtils.cc +++ b/poppler/ImageEmbeddingUtils.cc @@ -23,6 +23,7 @@ extern "C" { #include "ImageEmbeddingUtils.h" #include "goo/gmem.h" +#include "goo/GooCheckedOps.h" #include "Object.h" #include "Array.h" #include "Error.h" @@ -256,9 +257,24 @@ public: Ref PngEmbedder::embedImage(XRef *xref) { // Read pixels. - const Goffset mainBufferSize = m_width * m_height * m_nWithoutAlpha * m_byteDepth; + Goffset area; + if (checkedMultiply(static_cast<Goffset>(m_width), static_cast<Goffset>(m_height), &area)) { + error(errIO, -1, "PngEmbedder::embedImage: width * height overflows Goffset"); + return Ref::INVALID(); + } + Goffset maskBufferSize; + static_assert(sizeof(Goffset) >= sizeof(m_byteDepth)); + if (checkedMultiply(area, static_cast<Goffset>(m_byteDepth), &maskBufferSize)) { + error(errIO, -1, "PngEmbedder::embedImage: width * height * m_byteDepth overflows Goffset"); + return Ref::INVALID(); + } + Goffset mainBufferSize; + static_assert(sizeof(Goffset) >= sizeof(m_nWithoutAlpha)); + if (checkedMultiply(maskBufferSize, static_cast<Goffset>(m_nWithoutAlpha), &mainBufferSize)) { + error(errIO, -1, "PngEmbedder::embedImage: width * height * m_byteDepth * m_nWithoutAlpha overflows Goffset"); + return Ref::INVALID(); + } png_bytep mainBuffer = (png_bytep)gmalloc(mainBufferSize); - const Goffset maskBufferSize = m_width * m_height * m_byteDepth; png_bytep maskBuffer = (m_hasAlpha) ? (png_bytep)gmalloc(maskBufferSize) : nullptr; readPixels(mainBuffer, maskBuffer);
