authorJason Crain <jason@inspiresomeone.us>2017-10-05 15:32:13 -0500
committerAlbert Astals Cid <aacid@kde.org>2017-10-13 00:42:32 +0200
commit7ee9dadef37b20bca707a6b1e858e17d191e368b (patch)
tree999b4ef4b0e914c1d6062dedac5b4db4661f3d4e
parent369cd504e70e55378c6395355056fa8676679e56 (diff)
TextOutputDev: Fix crash in fuzzed file
This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations. Bug #103116
-rw-r--r--poppler/TextOutputDev.cc8
1 files changed, 4 insertions, 4 deletions
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index d30874cf..14002407 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -30,7 +30,7 @@
// Copyright (C) 2010 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
// Copyright (C) 2011 Sam Liao <phyomh@gmail.com>
// Copyright (C) 2012 Horst Prote <prote@fmi.uni-stuttgart.de>
-// Copyright (C) 2012, 2013-2016 Jason Crain <jason@aquaticape.us>
+// Copyright (C) 2012, 2013-2017 Jason Crain <jason@aquaticape.us>
// Copyright (C) 2012 Peter Breitenlohner <peb@mppmu.mpg.de>
// Copyright (C) 2013 José Aliste <jaliste@src.gnome.org>
// Copyright (C) 2013 Thomas Freitag <Thomas.Freitag@alfa.de>
@@ -889,12 +889,12 @@ void TextPool::addWord(TextWord *word) {
TextWord *w0, *w1;
// expand the array if needed
- if (unlikely((word->base / textPoolStep) > INT_MAX)) {
- error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
+ wordBaseIdx = (int)(word->base / textPoolStep);
+ if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+ error(errSyntaxWarning, -1, "wordBaseIdx out of range");
delete word;
return;
}
- wordBaseIdx = (int)(word->base / textPoolStep);
if (minBaseIdx > maxBaseIdx) {
minBaseIdx = wordBaseIdx - 128;
maxBaseIdx = wordBaseIdx + 128;
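Review bot: The new range check in TextPool::addWord runs after `wordBaseIdx = (int)(word->base / textPoolStep);`, so the narrowing cast has already happened by the time the bounds are tested. If word->base is a floating-point value, as the removed comparison against INT_MAX suggests, converting an out-of-range or NaN quotient to int is undefined behaviour, and the guard then tests an unspecified result rather than the attacker-controlled position. Validate the quotient in its original type and cast only afterwards: `const double baseIdx = word->base / textPoolStep;`, then `if (unlikely(!(baseIdx > INT_MIN + 128 && baseIdx < INT_MAX - 128))) {`, with `wordBaseIdx = (int)baseIdx;` placed after the guard. The negated form also rejects NaN, which the `<=`/`>=` pair would let through. addWord starts before and continues past this hunk, so the later uses of wordBaseIdx are not visible here.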