--- poppler/Hints.cc.orig 2016-08-02 11:25:28.485597235 -0700 +++ poppler/Hints.cc 2016-08-02 12:41:00.545596695 -0700 @@ -292,6 +292,11 @@ nSharedGroups = 0; return; } + if (nBitsNumObjects > 32 || nBitsDiffGroupLength > 32) { + error(errSyntaxWarning, -1, "Invalid shared object groups bit length"); + nSharedGroups = 0; + return; + } groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); @@ -421,23 +426,18 @@ Guint Hints::readBits(int n, Stream *str) { - Guint bit, bits; + Guint bits = 0; if (n < 0) return -1; - if (n == 0) return 0; - if (n == 1) - return readBit(str); - - bit = (readBit(str) << (n-1)); - if (bit == (Guint) -1) - return -1; - - bits = readBits(n-1, str); - if (bits == (Guint) -1) - return -1; + while (--n >= 0) { + Guint bit = readBit(str); + if (bit == (Guint) -1) + return -1; + bits |= bit << n; + } - return bit | bits; + return bits; } int Hints::getPageObjectNum(int page) {