authorJose Aliste <jaliste@src.gnome.org>2017-05-16 18:44:49 -0400
committerAlbert Astals Cid <aacid@kde.org>2017-06-21 22:31:20 +0200
commit3a2759aa2a98c2157cb35731b95e393b8882f8d3 (patch)
tree2532bbc3b692fa2315b767be0933879aebbf2a9b
parentd9c88e1c8892c79b8865a0dabdcc0d3ffd55c195 (diff)
Check numComps is between reasonable bounds
Before this patch, some PDFs could cause a crash due to an overflow when numComps does not lie between 0 and 4. This is a security fix for CVE-2017-0319.
-rw-r--r--poppler/Stream.cc7
1 files changed, 7 insertions, 0 deletions
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d93c560e..e3d5cf6a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -32,6 +32,7 @@
// Copyright (C) 2013 Pino Toscano <pino@kde.org>
// Copyright (C) 2015 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
// Copyright (C) 2015 Jason Crain <jason@aquaticape.us>
+// Copyright (C) 2017 Jose Aliste <jaliste@src.gnome.org>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+
+ if (numComps <= 0 || numComps > 4) {
+ error(errSyntaxError, getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {
error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec);
return gFalse;
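Review bot: The upper bound `4` in the added `numComps` check is a bare literal with nothing tying it to what it protects; presumably it is the capacity of the per-component tables filled later in readProgressiveSOF, whose body starts and ends outside this hunk. A comment above the check, such as `// numComps indexes fixed-size per-component tables; rejects EOF (-1), 0 and values above 4`, would stop the bound from being loosened later without checking those tables. The error message also drops the rejected value, unlike the precision error just below it; since the message is emitted before `numComps = 0;`, it could read `error(errSyntaxError, getPos(), "Bad number of components in DCT stream: {0:d}", numComps);`. Any other frame-header reader in this file that takes `numComps` from the stream the same way needs the same guard, and this hunk does not show whether it has one.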