From 3a2759aa2a98c2157cb35731b95e393b8882f8d3 Mon Sep 17 00:00:00 2001
From: Jose Aliste
Date: Tue, 16 May 2017 18:44:49 -0400
Subject: Check numComps is between reasonable bounds

Before this patch, some PDF might crash because of an overflow if numComps does not lie between 0 and 4.

This is a security fix for CVE-2017-0319.
---
 poppler/Stream.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d93c560e..e3d5cf6a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -32,6 +32,7 @@
 // Copyright (C) 2013 Pino Toscano
 // Copyright (C) 2015 Suzuki Toshiya
 // Copyright (C) 2015 Jason Crain
+// Copyright (C) 2017 Jose Aliste
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() {
   height = read16();
   width = read16();
   numComps = str->getChar();
+
+  if (numComps <= 0 || numComps > 4) {
+    error(errSyntaxError, getPos(), "Bad number of components in DCT stream");
+    numComps = 0;
+    return gFalse;
+  }
   if (prec != 8) {
     error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec);
     return gFalse;
-- 
cgit v1.2.3
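Review bot: The new guard in readProgressiveSOF reports a bare "Bad number of components" while the `prec` check immediately below includes the offending value, so the diagnostic should match: `error(errSyntaxError, getPos(), "Bad number of components {0:d} in DCT stream", numComps);`. The upper bound 4 is an unexplained magic number and the `numComps = 0;` reset has no counterpart on the `prec != 8` failure path, so a short why-comment is warranted, e.g. `// at most 4 components are supported (presumably the size of the per-component tables — confirm); zero numComps so later stages never iterate over an out-of-range count`. The `<= 0` half usefully also catches the -1 that getChar() would return on a truncated stream, which is worth stating in that comment. If readBaselineSOF reads numComps the same way (not visible here), it needs the same bounds check; readProgressiveSOF's body begins before and continues after this hunk.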