author | Jason Crain <jason@inspiresomeone.us> | 2017-10-05 15:32:13 -0500 |
---|---|---|
committer | Albert Astals Cid <aacid@kde.org> | 2017-10-13 00:42:32 +0200 |
commit | 7ee9dadef37b20bca707a6b1e858e17d191e368b (patch) | |
tree | 999b4ef4b0e914c1d6062dedac5b4db4661f3d4e | |
parent | 369cd504e70e55378c6395355056fa8676679e56 (diff) |
TextOutputDev: Fix crash in fuzzed file
This file crashes pdftotext because it positions texts past INT_MIN,
leading to overflow in subsequent calculations.
Bug #103116
-rw-r--r-- | poppler/TextOutputDev.cc | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index d30874cf..14002407 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -30,7 +30,7 @@
 // Copyright (C) 2010 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
 // Copyright (C) 2011 Sam Liao <phyomh@gmail.com>
 // Copyright (C) 2012 Horst Prote <prote@fmi.uni-stuttgart.de>
-// Copyright (C) 2012, 2013-2016 Jason Crain <jason@aquaticape.us>
+// Copyright (C) 2012, 2013-2017 Jason Crain <jason@aquaticape.us>
 // Copyright (C) 2012 Peter Breitenlohner <peb@mppmu.mpg.de>
 // Copyright (C) 2013 José Aliste <jaliste@src.gnome.org>
 // Copyright (C) 2013 Thomas Freitag <Thomas.Freitag@alfa.de>
@@ -889,12 +889,12 @@ void TextPool::addWord(TextWord *word) {
 TextWord *w0, *w1;
 // expand the array if needed
- if (unlikely((word->base / textPoolStep) > INT_MAX)) {
- error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
+ wordBaseIdx = (int)(word->base / textPoolStep);
+ if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+ error(errSyntaxWarning, -1, "wordBaseIdx out of range");
 delete word;
 return;
 }
- wordBaseIdx = (int)(word->base / textPoolStep);
 if (minBaseIdx > maxBaseIdx) {
 minBaseIdx = wordBaseIdx - 128;
 maxBaseIdx = wordBaseIdx + 128; |
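Review bot: In the second hunk (TextPool::addWord) the range check now runs on `wordBaseIdx` after `(int)(word->base / textPoolStep)` has already been evaluated, so an out-of-range quotient is narrowed first and tested second; if `word->base` is a floating-point value (its declaration is not visible here, though the removed pre-cast comparison suggests it is), that conversion is undefined behaviour in C++ and the guard only works where the platform happens to yield a value near INT_MIN. Testing the quotient before narrowing keeps the fix portable for attacker-supplied coordinates and also rejects NaN: `const auto q = word->base / textPoolStep;`, then `if (unlikely(!(q > INT_MIN + 128 && q < INT_MAX - 128))) {`, with `wordBaseIdx = (int)q;` moved after the early return. The 128 margin mirrors the `wordBaseIdx - 128` / `wordBaseIdx + 128` a few lines below and would be clearer as a named constant with a one-line comment tying the two together. The body of addWord continues past the end of the hunk, so later index arithmetic on `wordBaseIdx` is not covered by this note.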