diff options
author | Albert Astals Cid <aacid@kde.org> | 2010-09-21 19:15:25 +0100 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2010-09-21 19:15:25 +0100 |
commit | 2fe825deac055be82b220d0127169cb3d61387a8 (patch) | |
tree | cf4f32a45d186deacc5962826513a6186a66cf6a | |
parent | 473de6f88a055bb03470b4af5fa584be8cb5fda4 (diff) |
Make sure obj1 is a num before reading it
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
-rw-r--r-- | poppler/Gfx.cc | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 7b85d79a..76dae024 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) { } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); @@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor, } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); |