From a4d66af61c1d5a888e11799dbf7b057d292ea9a7 Mon Sep 17 00:00:00 2001 From: Hib Eris Date: Sun, 17 Nov 2013 17:13:04 +0100 Subject: [PATCH 2/3] Validate input from page offset hints table --- poppler/Hints.cc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/poppler/Hints.cc b/poppler/Hints.cc index cd8781c..d80f412 100644 --- a/poppler/Hints.cc +++ b/poppler/Hints.cc @@ -4,7 +4,7 @@ // // This file is licensed under the GPLv2 or later // -// Copyright 2010, 2012 Hib Eris +// Copyright 2010, 2012, 2013 Hib Eris // Copyright 2010, 2011, 2013 Albert Astals Cid // Copyright 2010, 2013 Pino Toscano // Copyright 2013 Adrian Johnson @@ -202,6 +202,13 @@ void Hints::readPageOffsetTable(Stream *str) denominator = readBits(16, str); + if ((nBitsDiffObjects > 32) || (nBitsDiffPageLength > 32) || + (nBitsOffsetStream > 32) || (nBitsLengthStream > 32) || + (nBitsNumShared > 32) || (nBitsShared > 32) || (nBitsNumerator > 32)) { + error(errSyntaxWarning, -1, "Invalid number of bits reading page offset hints table"); + return; + } + for (int i=0; i