File CVE-2017-1000456.patch of Package poppler-qt.29744

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-1000456.patch of Package poppler-qt.29744

From 7ee9dadef37b20bca707a6b1e858e17d191e368b Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@inspiresomeone.us>
Date: Thu, 5 Oct 2017 15:32:13 -0500
Subject: TextOutputDev: Fix crash in fuzzed file

This file crashes pdftotext because it positions texts past INT_MIN,
leading to overflow in subsequent calculations.

Bug #103116
---
 poppler/TextOutputDev.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Index: poppler-0.43.0/poppler/TextOutputDev.cc
===================================================================
--- poppler-0.43.0.orig/poppler/TextOutputDev.cc	2018-06-06 09:17:48.943044591 +0000
+++ poppler-0.43.0/poppler/TextOutputDev.cc	2018-06-06 09:18:00.840260159 +0000
@@ -889,11 +889,11 @@ void TextPool::addWord(TextWord *word) {
   TextWord *w0, *w1;
 
   // expand the array if needed
-  if (unlikely((word->base / textPoolStep) > INT_MAX)) {
-      error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
+  wordBaseIdx = (int)(word->base / textPoolStep);
+  if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+      error(errSyntaxWarning, -1, "wordBaseIdx out of range");
       return;
   }
-  wordBaseIdx = (int)(word->base / textPoolStep);
   if (minBaseIdx > maxBaseIdx) {
     minBaseIdx = wordBaseIdx - 128;
     maxBaseIdx = wordBaseIdx + 128;

Places

File CVE-2017-1000456.patch of Package poppler-qt.29744

Places