101526 – Division by zero in Stream.cc:471

Bug 101526 - Division by zero in Stream.cc:471

Summary: Division by zero in Stream.cc:471

Status:	RESOLVED FIXED

Alias:	None

Product:	poppler
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified
Hardware:	Other All

Importance:	medium normal
Assignee:	poppler-bugs
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-06-20 17:45 UTC by foca@salesforce.com
Modified:	2017-06-20 22:02 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
Proof of concept (8.93 KB, application/pdf) 2017-06-20 17:45 UTC, foca@salesforce.com	Details
View All

Description foca@salesforce.com 2017-06-20 17:45:11 UTC

Created attachment 132096 [details]
Proof of concept

There is a division by zero in Stream.cc:471. In the ImageStream constructor, INT_MAX is divided by nComps, parsing the attached PoC.pdf case nComps has the value 0. The division by 0 caused a SIGFPE crash

 461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
 462   int imgLineSize;
 463 
 464   str = strA;
 465   width = widthA;
 466   nComps = nCompsA;
 467   nBits = nBitsA;
 468 
 469   nVals = width * nComps;
 470   inputLineSize = (nVals * nBits + 7) >> 3;
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
 472     inputLineSize = -1;
 473   }

A possible solution is to check for this case:
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps ==0 || width > INT_MAX / nComps) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.