Bug 23078

Summary: integer overflow in PDF parsing
Product: poppler Reporter: Jakub Wilk <jwilk>
Component: generalAssignee: poppler-bugs <poppler-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium CC: jwilk
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Jakub Wilk 2009-08-01 06:43:02 UTC 
(Tested with poppler 0.10.6.)

poppler is susceptible to integer overflows in the PDF parsing code. For 
example, text in this file is rendered as if it were 12 pt,
whereas in reality it is 4294967308 pt:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=hugefont.pdf;att=1;bug=533421
Comment 1 Albert Astals Cid 2009-08-01 07:12:52 UTC 
The problem lies in Lexer::getObj
Comment 2 Albert Astals Cid 2009-08-09 14:27:23 UTC 
Fixed in master, thanks for reporting
Comment 3 Jakub Wilk 2009-08-10 01:15:33 UTC 
Note that, strictly speaking, your fix is invalid. Signed integer overflow is undefined behaviour in C++, which means that the compiler may assume that it will not happen. That is, the compiler is free to optimize out the branch where you set overflownInteger = gTrue.
Either you should refrain from triggering the overflow (by testing for something like xi<INT_MAX/10-1 *before* multiplication) or use -fwrapv gcc option.
Comment 4 Jakub Wilk 2009-08-10 01:27:12 UTC 
Oh, and even with -fwarpv it would be still invalid:

x * 10 + c == x

for 32bit integers with wrap-around semantics, x=477218588 and c=4.
Comment 5 Albert Astals Cid 2009-08-10 10:58:50 UTC 
Right, should be fixed now, i hope.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.