authorAlbert Astals Cid <aacid@kde.org>2021-01-05 00:09:43 +0100
committerAlbert Astals Cid <aacid@kde.org>2021-01-05 00:09:43 +0100
commit0e6c3ff9bb4390d2b426a4cddbb638c19811055d (patch)
tree2f7c9e11fce0a4a9959f9c33cc33c0db11ade267
parent3ac779d9a9d2c63433d3765c82a2724947d86a15 (diff)
Check obj1 is a stream before getting the stream
It seems we already did this check a few lines above, and indeed we did, but on very broken documents, if arr[1] is a Ref, getting objects may end up in a reconstruct xref call, which may end up changing the type of arr[1] the next time we ask for it. oss-fuzz/29260
-rw-r--r--poppler/GfxState.cc6
1 files changed, 5 insertions, 1 deletions
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index cffa7c43..a9ce7a89 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -16,7 +16,7 @@
// Copyright (C) 2005 Kristian Høgsberg <krh@redhat.com>
// Copyright (C) 2006, 2007 Jeff Muizelaar <jeff@infidigm.net>
// Copyright (C) 2006, 2010 Carlos Garcia Campos <carlosgc@gnome.org>
-// Copyright (C) 2006-2020 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006-2021 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2009, 2012 Koji Otani <sho@bbr.jp>
// Copyright (C) 2009, 2011-2016, 2020 Thomas Freitag <Thomas.Freitag@alfa.de>
// Copyright (C) 2009, 2019 Christian Persch <chpe@gnome.org>
@@ -1713,6 +1713,10 @@ GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr, OutputDev *out, GfxState
#ifdef USE_CMS
obj1 = arr->get(1);
+ if (!obj1.isStream()) {
+ error(errSyntaxWarning, -1, "Bad ICCBased color space (stream)");
+ return nullptr;
+ }
unsigned char *profBuf;
Stream *iccStream = obj1.getStream();
int length = 0;
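Review bot: The added `if (!obj1.isStream())` guard reads as a duplicate of the earlier check, and the reason it is needed is recorded only in the commit message, so a later cleanup could remove it and bring back the unchecked `obj1.getStream()` call. I would put a comment directly above the guard, for example `// arr->get(1) may trigger xref reconstruction on broken files and return a different type than the earlier check saw; re-validate before getStream()`. The earlier check is outside this hunk, so this is inferred from the description: if that code fetches arr[1] into a separate object, other values in `parse` taken from that earlier fetch may deserve the same re-validation after this second `arr->get(1)`. The body of `GfxICCBasedColorSpace::parse` starts and ends outside the hunk.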