summaryrefslogtreecommitdiff
authorAlbert Astals Cid <aacid@kde.org>2010-09-21 18:15:25 (GMT)
committer Albert Astals Cid <aacid@kde.org>2010-09-21 18:15:25 (GMT)
commit2fe825deac055be82b220d0127169cb3d61387a8 (patch) (side-by-side diff)
treecf4f32a45d186deacc5962826513a6186a66cf6a
parent473de6f88a055bb03470b4af5fa584be8cb5fda4 (diff)
downloadpoppler-2fe825deac055be82b220d0127169cb3d61387a8.zip
poppler-2fe825deac055be82b220d0127169cb3d61387a8.tar.gz
Make sure obj1 is a num before reading it
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--poppler/Gfx.cc20
1 files changed, 16 insertions, 4 deletions
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 7b85d79..76dae02 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) {
}
for (i = 0; i < 4; ++i) {
bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
}
bboxObj.free();
@@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
}
for (i = 0; i < 4; ++i) {
bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
}
bboxObj.free();