
Contents of /updates/5/poppler/current/SOURCES/poppler-0.24.5-CVE-2017-1000456.patch


Revision 1192427
Fri Jan 12 02:09:00 2018 UTC (6 years, 3 months ago) by luigiwalser
File size: 918 byte(s)
add patch from ubuntu to fix CVE-2017-1000456
1 Backport of:
2
3 From 75c84350958d67cc15d12d3dbc858b257971e399 Mon Sep 17 00:00:00 2001
4 From: Jason Crain <jason@inspiresomeone.us>
5 Date: Thu, 5 Oct 2017 15:32:13 -0500
6 Subject: [PATCH] Fix crash in fuzzed file
7
8 This file crashes pdftotext because it positions texts past INT_MIN,
9 leading to overflow in subsequent calculations.
10
11 Bug #103116
12 diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
13 index 4adb3c2..d6ce0a0 100644
14 --- a/poppler/TextOutputDev.cc
15 +++ b/poppler/TextOutputDev.cc
16 @@ -623,6 +623,10 @@ void TextPool::addWord(TextWord *word) {
17
18 // expand the array if needed
19 wordBaseIdx = (int)(word->base / textPoolStep);
20 + if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
21 + error(errSyntaxWarning, -1, "wordBaseIdx out of range");
22 + return;
23 + }
24 if (minBaseIdx > maxBaseIdx) {
25 minBaseIdx = wordBaseIdx - 128;
26 maxBaseIdx = wordBaseIdx + 128;
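
Review bot: In the added check in TextPool::addWord, the range test runs on wordBaseIdx only after `wordBaseIdx = (int)(word->base / textPoolStep);` has already converted the quotient to int. If that quotient is a floating-point value outside the int range (the commit message describes text positioned past INT_MIN), the conversion itself is undefined behaviour and the comparison only sees whatever the cast produced. Suggest comparing the unconverted quotient against the INT_MIN + 128 and INT_MAX - 128 bounds first, and casting only once it is known to fit. Two smaller points: the 128 margin duplicates the literal used in the minBaseIdx and maxBaseIdx assignments just below and would read better as a shared named constant, and the early return leaves the word out of the pool without telling the caller, so it is worth confirming who owns and frees word on that path.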
