authorEven Rouault <even.rouault@spatialys.com>2024-02-20 20:44:04 +0100
committerAlbert Astals Cid <aacid@kde.org>2024-02-20 22:02:42 +0000
commit3d8dac5ec9f1cdedada07c4c2fc02e43d5e14f9e (patch)
treef4d4257ed02b5362ab18adcf6e7360587ca943a2
parent8d66d756dad4fbde0cd1b8b0f1ce8b08caa7a19d (diff)
Gfx::doImage(): avoid integer overflow if width * height > INT_MAX
Related to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66523
-rw-r--r--poppler/Gfx.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 03465ae7..b1a030dc 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4222,7 +4222,7 @@ void Gfx::doImage(Object *ref, Stream *str, bool inlineImg)
goto err1;
}
- if (width < 1 || height < 1) {
+ if (width < 1 || height < 1 || width > INT_MAX / height) {
goto err1;
}
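Review bot: The added bound `width > INT_MAX / height` only guarantees that the plain `width * height` product fits in an int. If later code in doImage() scales that product further (for example by component count or bytes per sample, which is not visible in this hunk), those computations would still need their own bound or a wider type. The division is safe only because `height < 1` is tested first and short-circuits, so I would record that with a comment such as `// height >= 1 here, so the division cannot trap; rejects width * height > INT_MAX`. doImage() starts and ends outside the hunk, so it cannot be confirmed from here that `<climits>` is included for `INT_MAX` rather than arriving transitively.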