TextOutputDev: Fix crash in fuzzed file

This file crashes pdftotext because it positions texts past INT_MIN,
leading to overflow in subsequent calculations.

Bug #103116

1 files changed, 4 insertions, 4 deletions

diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index d30874cf..14002407 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -30,7 +30,7 @@
 // Copyright (C) 2010 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
 // Copyright (C) 2011 Sam Liao <phyomh@gmail.com>
 // Copyright (C) 2012 Horst Prote <prote@fmi.uni-stuttgart.de>
-// Copyright (C) 2012, 2013-2016 Jason Crain <jason@aquaticape.us>
+// Copyright (C) 2012, 2013-2017 Jason Crain <jason@aquaticape.us>
 // Copyright (C) 2012 Peter Breitenlohner <peb@mppmu.mpg.de>
 // Copyright (C) 2013 José Aliste <jaliste@src.gnome.org>
 // Copyright (C) 2013 Thomas Freitag <Thomas.Freitag@alfa.de>
@@ -889,12 +889,12 @@ void TextPool::addWord(TextWord *word) {
   TextWord *w0, *w1;
 
   // expand the array if needed
-  if (unlikely((word->base / textPoolStep) > INT_MAX)) {
-      error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
+  wordBaseIdx = (int)(word->base / textPoolStep);
+  if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+      error(errSyntaxWarning, -1, "wordBaseIdx out of range");
       delete word;
       return;
   }
-  wordBaseIdx = (int)(word->base / textPoolStep);
   if (minBaseIdx > maxBaseIdx) {
     minBaseIdx = wordBaseIdx - 128;
     maxBaseIdx = wordBaseIdx + 128;