File CVE-2018-13988.patch of Package poppler.29743
From 004e3c10df0abda214f0c293f9e269fdd979c5ee Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 18 Jul 2018 20:31:27 +0200
Subject: Fix crash when Object has negative number
Spec says object number has to be > 0 and gen has to be >= 0
Reported by email
---
poppler/Parser.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 39c9a96..8b0093e 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -154,6 +154,11 @@ Object Parser::getObj(GBool simpleOnly,
const int gen = buf1.getInt();
shift();
shift();
+
+ if (unlikely(num <= 0 || gen < 0)) {
+ return Object();
+ }
+
return Object(num, gen);
} else {
return Object(num);
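Review bot: The new guard `if (unlikely(num <= 0 || gen < 0))` returns a default-constructed `Object()` without reporting anything, so a malformed indirect reference is silently dropped and whoever triages the file later has no indication of why the object went missing. Consider emitting a syntax diagnostic that includes num and gen before the return. Also add a one-line comment above the check repeating the rule from the commit message (object number > 0, generation >= 0), since the condition is not self-explanatory to someone reading Parser.cc without the log. The lines shown do not say which object kind `Object()` produces; if callers of getObj treat an error object differently from an empty one, it is worth making that choice explicit here. The diffstat lists only poppler/Parser.cc, so no regression input accompanies the fix; a minimal document with a negative object number in a reference would keep this check from being lost in a later refactor.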
--
cgit v1.1