Backport of: |
|
From 75c84350958d67cc15d12d3dbc858b257971e399 Mon Sep 17 00:00:00 2001 |
From: Jason Crain <jason@inspiresomeone.us> |
Date: Thu, 5 Oct 2017 15:32:13 -0500 |
Subject: [PATCH] Fix crash in fuzzed file |
|
This file crashes pdftotext because it positions texts past INT_MIN, |
leading to overflow in subsequent calculations. |
|
Bug #103116 |
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc |
13 |
index 4adb3c2..d6ce0a0 100644 |
14 |
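--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -623,6 +623,10 @@ void TextPool::addWord(TextWord *word) {
 
  // expand the array if needed
  wordBaseIdx = (int)(word->base / textPoolStep);
+ if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+ error(errSyntaxWarning, -1, "wordBaseIdx out of range");
+ return;
+ }
  if (minBaseIdx > maxBaseIdx) {
  minBaseIdx = wordBaseIdx - 128;
  maxBaseIdx = wordBaseIdx + 128;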
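Review bot: The added range check on `wordBaseIdx` runs after `(int)(word->base / textPoolStep)`, so for the fuzzed input the out-of-range quotient has already been converted; if `word->base` is floating-point, as the cast suggests, that conversion is undefined behaviour and the test only catches it where the platform happens to yield a value near INT_MIN. Comparing the quotient before the cast would be sound, e.g. `const double baseIdx = word->base / textPoolStep;` followed by `if (unlikely(!(baseIdx > INT_MIN + 128.0 && baseIdx < INT_MAX - 128.0))) {`, which also rejects NaN, with the `(int)` cast done only after that guard. The 128 margin matches the `wordBaseIdx - 128` / `+ 128` assignments below, but addWord's body continues past the hunk, so whether later index arithmetic needs a wider margin cannot be judged from here.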