Bug 23078 - integer overflow in PDF parsing
Summary: integer overflow in PDF parsing
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: poppler-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-01 06:43 UTC by Jakub Wilk
Modified: 2009-08-10 10:58 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Jakub Wilk 2009-08-01 06:43:02 UTC 
(Tested with poppler 0.10.6.)

poppler is susceptible to integer overflows in the PDF parsing code. For 
example, text in this file is rendered as if it were 12 pt,
whereas in reality it is 4294967308 pt:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=hugefont.pdf;att=1;bug=533421
Comment 1 Albert Astals Cid 2009-08-01 07:12:52 UTC 
The problem lies in Lexer::getObj
Comment 2 Albert Astals Cid 2009-08-09 14:27:23 UTC 
Fixed in master, thanks for reporting
Comment 3 Jakub Wilk 2009-08-10 01:15:33 UTC 
Note that, strictly speaking, your fix is invalid. Signed integer overflow is undefined behaviour in C++, which means that the compiler may assume that it will not happen. That is, the compiler is free to optimize out the branch where you set overflownInteger = gTrue.
Either you should refrain from triggering the overflow (by testing for something like xi<INT_MAX/10-1 *before* multiplication) or use -fwrapv gcc option.
Comment 4 Jakub Wilk 2009-08-10 01:27:12 UTC 
Oh, and even with -fwarpv it would be still invalid:

x * 10 + c == x

for 32bit integers with wrap-around semantics, x=477218588 and c=4.
Comment 5 Albert Astals Cid 2009-08-10 10:58:50 UTC 
Right, should be fixed now, i hope.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.