authorEven Rouault <even.rouault@spatialys.com>2021-08-25 21:52:26 +0200
committerAlbert Astals Cid <tsdgeos@yahoo.es>2021-08-26 07:09:13 +0000
commitf51d2519590369107c27d0f3a078819e1df889fb (patch)
tree5f41a354f765982a43dfe329cadfac77444e86eb /poppler/SplashOutputDev.cc
parentc92e079ea2954abc6b7005a802ea464ccfae9581 (diff)
SplashOutputDev::drawImage(): Fix abort() in failed gmallocn
Fail following crash on reproducer test case of https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27810 Crash stack on ``pdftoppm -png clusterfuzz-testcase-minimized-gdal_fuzzer-5753490332450816.fuzz`` is: ``` 0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 1 0x00007ffff7746859 in __GI_abort () at abort.c:79 2 0x00007ffff7cff44e in gmallocn (count=count@entry=1073741824, size=size@entry=3, checkoverflow=checkoverflow@entry=false) at /home/even/poppler/goo/gmem.h:116 3 0x00007ffff7e584d4 in SplashOutputDev::drawImage (this=0x5555555b6b00, state=0x5555555bb360, ref=<optimized out>, str=0x5555555dc6e0, width=19, height=<optimized out>, colorMap=0x7fffffffd2c0, interpolate=false, maskColors=0x0, inlineImg=false) at /home/even/poppler/poppler/SplashOutputDev.cc:3286 4 0x00007ffff7d764a6 in Gfx::doImage (this=this@entry=0x5555555b9460, ref=ref@entry=0x7fffffffd820, str=<optimized out>, inlineImg=inlineImg@entry=false) at /home/even/poppler/poppler/Gfx.cc:4563 5 0x00007ffff7d773ca in Gfx::opXObject (this=0x5555555b9460, args=<optimized out>, numArgs=<optimized out>) at /home/even/poppler/poppler/Gfx.cc:4105 6 0x00007ffff7d70dc7 in Gfx::go (this=this@entry=0x5555555b9460, topLevel=topLevel@entry=true) at /home/even/poppler/poppler/Gfx.cc:681 0x00007ffff7d711f5 in Gfx::display (this=this@entry=0x5555555b9460, obj=obj@entry=0x7fffffffdc00, topLevel=topLevel@entry=true) at /home/even/poppler/poppler/Gfx.cc:642 8 0x00007ffff7dd2758 in Page::displaySlice (this=0x5555555b5ff0, out=0x5555555b6b00, hDPI=<optimized out>, vDPI=<optimized out>, rotate=<optimized out>, useMediaBox=<optimized out>, crop=<optimized out>, sliceX=<optimized out>, sliceY=0, sliceW=230, sliceH=230, printing=false, abortCheckCbk=0x0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0x55555555a110 <<lambda(Annot*, void*)>::_FUN(Annot *, void *)>, annotDisplayDecideCbkData=0x0, copyXRef=false) at /home/even/poppler/poppler/Page.cc:576 9 0x000055555555a633 in savePageSlice 
(doc=<optimized out>, splashOut=0x5555555b6b00, pg=1, x=<optimized out>, y=<optimized out>, w=<optimized out>, h=<optimized out>, pg_w=<optimized out>, pg_h=<optimized out>, ppmFile=0x0) at /home/even/poppler/utils/pdftoppm.cc:288 10 0x0000555555559232 in main (argc=<optimized out>, argv=<optimized out>) at /home/even/poppler/utils/pdftoppm.cc:684 ```
Diffstat (limited to 'poppler/SplashOutputDev.cc')
-rw-r--r--poppler/SplashOutputDev.cc70
1 files changed, 39 insertions, 31 deletions
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 3fd590b8..eb773479 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -3274,22 +3274,26 @@ void SplashOutputDev::drawImage(GfxState *state, Object *ref, Stream *str, int w
switch (colorMode) {
case splashModeMono1:
case splashModeMono8:
- imgData.lookup = (SplashColorPtr)gmalloc(n);
- for (i = 0; i < n; ++i) {
- pix = (unsigned char)i;
- colorMap->getGray(&pix, &gray);
- imgData.lookup[i] = colToByte(gray);
+ imgData.lookup = (SplashColorPtr)gmalloc_checkoverflow(n);
+ if (likely(imgData.lookup != nullptr)) {
+ for (i = 0; i < n; ++i) {
+ pix = (unsigned char)i;
+ colorMap->getGray(&pix, &gray);
+ imgData.lookup[i] = colToByte(gray);
+ }
}
break;
case splashModeRGB8:
case splashModeBGR8:
- imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
- for (i = 0; i < n; ++i) {
- pix = (unsigned char)i;
- colorMap->getRGB(&pix, &rgb);
- imgData.lookup[3 * i] = colToByte(rgb.r);
- imgData.lookup[3 * i + 1] = colToByte(rgb.g);
- imgData.lookup[3 * i + 2] = colToByte(rgb.b);
+ imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, 3);
+ if (likely(imgData.lookup != nullptr)) {
+ for (i = 0; i < n; ++i) {
+ pix = (unsigned char)i;
+ colorMap->getRGB(&pix, &rgb);
+ imgData.lookup[3 * i] = colToByte(rgb.r);
+ imgData.lookup[3 * i + 1] = colToByte(rgb.g);
+ imgData.lookup[3 * i + 2] = colToByte(rgb.b);
+ }
}
break;
case splashModeXBGR8:
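Review bot: Nothing in the Mono and RGB cases bounds `n`, so the checked allocators stop the abort but a request that does succeed still builds a table of that size and runs the fill loop `n` times; the trace in the commit message shows `count=1073741824`. Because `pix = (unsigned char)i` truncates the index, entries past 255 appear only to repeat earlier ones, so the table could probably be skipped for large values, e.g. `if (n <= 256) { imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, 3); }`. `n` is computed outside the hunk, so confirm this against how it is derived. The readers of `imgData.lookup` are also not visible here, so a comment such as `// lookup stays nullptr on allocation failure; readers must handle a missing table` would document the contract. Both points apply equally to the CMYK8 and DeviceN8 cases in the next hunk.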
@@ -3307,32 +3311,36 @@ void SplashOutputDev::drawImage(GfxState *state, Object *ref, Stream *str, int w
break;
case splashModeCMYK8:
grayIndexed = colorMap->getColorSpace()->getMode() != csDeviceGray;
- imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
- for (i = 0; i < n; ++i) {
- pix = (unsigned char)i;
- colorMap->getCMYK(&pix, &cmyk);
- if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
- grayIndexed = false;
+ imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, 4);
+ if (likely(imgData.lookup != nullptr)) {
+ for (i = 0; i < n; ++i) {
+ pix = (unsigned char)i;
+ colorMap->getCMYK(&pix, &cmyk);
+ if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
+ grayIndexed = false;
+ }
+ imgData.lookup[4 * i] = colToByte(cmyk.c);
+ imgData.lookup[4 * i + 1] = colToByte(cmyk.m);
+ imgData.lookup[4 * i + 2] = colToByte(cmyk.y);
+ imgData.lookup[4 * i + 3] = colToByte(cmyk.k);
}
- imgData.lookup[4 * i] = colToByte(cmyk.c);
- imgData.lookup[4 * i + 1] = colToByte(cmyk.m);
- imgData.lookup[4 * i + 2] = colToByte(cmyk.y);
- imgData.lookup[4 * i + 3] = colToByte(cmyk.k);
}
break;
case splashModeDeviceN8:
colorMap->getColorSpace()->createMapping(bitmap->getSeparationList(), SPOT_NCOMPS);
grayIndexed = colorMap->getColorSpace()->getMode() != csDeviceGray;
- imgData.lookup = (SplashColorPtr)gmallocn(n, SPOT_NCOMPS + 4);
- for (i = 0; i < n; ++i) {
- pix = (unsigned char)i;
- colorMap->getCMYK(&pix, &cmyk);
- if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
- grayIndexed = false;
+ imgData.lookup = (SplashColorPtr)gmallocn_checkoverflow(n, SPOT_NCOMPS + 4);
+ if (likely(imgData.lookup != nullptr)) {
+ for (i = 0; i < n; ++i) {
+ pix = (unsigned char)i;
+ colorMap->getCMYK(&pix, &cmyk);
+ if (cmyk.c != 0 || cmyk.m != 0 || cmyk.y != 0) {
+ grayIndexed = false;
+ }
+ colorMap->getDeviceN(&pix, &deviceN);
+ for (int cp = 0; cp < SPOT_NCOMPS + 4; cp++)
+ imgData.lookup[(SPOT_NCOMPS + 4) * i + cp] = colToByte(deviceN.c[cp]);
}
- colorMap->getDeviceN(&pix, &deviceN);
- for (int cp = 0; cp < SPOT_NCOMPS + 4; cp++)
- imgData.lookup[(SPOT_NCOMPS + 4) * i + cp] = colToByte(deviceN.c[cp]);
}
break;
}
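Review bot: When the allocation fails in the CMYK8 and DeviceN8 cases, `grayIndexed` keeps its initial value from `getMode() != csDeviceGray`, because the loop that clears it on any non-zero c/m/y entry is now skipped. If the flag is consumed later in drawImage (outside this hunk), a coloured palette could be treated as gray on the failure path. Consider adding `} else { grayIndexed = false; }` after each guarded loop, or a comment explaining why the unrefined value is acceptable. The switch and the rest of the function continue beyond the hunk.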