Overview

File CVE-2017-1000456.patch of Package poppler.23804

From 7ee9dadef37b20bca707a6b1e858e17d191e368b Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@inspiresomeone.us>
Date: Thu, 5 Oct 2017 15:32:13 -0500
Subject: TextOutputDev: Fix crash in fuzzed file

This file crashes pdftotext because it positions texts past INT_MIN,
leading to overflow in subsequent calculations.

Bug #103116
---
 poppler/TextOutputDev.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Index: poppler-0.24.4/poppler/TextOutputDev.cc
===================================================================
--- poppler-0.24.4.orig/poppler/TextOutputDev.cc	2018-06-06 09:25:22.572900612 +0000
+++ poppler-0.24.4/poppler/TextOutputDev.cc	2018-06-06 09:26:45.991374271 +0000
@@ -623,6 +623,11 @@ void TextPool::addWord(TextWord *word) {
 
   // expand the array if needed
   wordBaseIdx = (int)(word->base / textPoolStep);
+  if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+      error(errSyntaxWarning, -1, "wordBaseIdx out of range");
+      delete word;
+      return;
+  }
   if (minBaseIdx > maxBaseIdx) {
     minBaseIdx = wordBaseIdx - 128;
     maxBaseIdx = wordBaseIdx + 128;
openSUSE Build Service is sponsored by
Places