Created attachment 132096 [details]
Proof of concept

There is a division by zero in Stream.cc:471. In the ImageStream constructor, INT_MAX is divided by nComps; when parsing the attached PoC.pdf, nComps has the value 0. The division by zero causes a SIGFPE crash.

461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
462   int imgLineSize;
463 
464   str = strA;
465   width = widthA;
466   nComps = nCompsA;
467   nBits = nBitsA;
468 
469   nVals = width * nComps;
470   inputLineSize = (nVals * nBits + 7) >> 3;
471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
472     inputLineSize = -1;
473   }

A possible solution is to check for this case:

471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps == 0 || width > INT_MAX / nComps) {

A PoC is attached. To reproduce the bug use:

pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
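As an added illustration (not poppler's code, and not part of the report above), the line-size computation written as a stand-alone function: every divisor is rejected before it is used, and the overflow checks run before the multiplications rather than after them, so the nComps == 0 input from the PoC returns -1 instead of raising SIGFPE. The function name safeInputLineSize is an assumption made here.

```cpp
// Added example (not poppler's code): the ImageStream line-size check with
// the divide-by-zero and overflow conditions evaluated before any division
// or multiplication takes place.
#include <climits>
#include <cstdio>

// Returns the number of bytes per image line, or -1 when the parameters are
// invalid or (nVals * nBits + 7) would not fit in an int.
static int safeInputLineSize(int width, int nComps, int nBits)
{
    // Reject zero/negative divisors first. Because || short-circuits, the
    // divisions below are never evaluated when nBits or nComps is 0, which is
    // the case the PoC.pdf triggers in the original constructor.
    if (nBits <= 0 || nComps <= 0 || width < 0) {
        return -1;
    }
    // width * nComps must fit before it is formed (the original code formed
    // nVals first and checked afterwards).
    if (width > INT_MAX / nComps) {
        return -1;
    }
    int nVals = width * nComps;
    // nVals * nBits + 7 must fit as well; (INT_MAX - 7) / nBits is the exact
    // bound, slightly tighter than the report's INT_MAX / nBits - 7.
    if (nVals > (INT_MAX - 7) / nBits) {
        return -1;
    }
    return (nVals * nBits + 7) >> 3;
}

int main()
{
    // Constructed inputs: the PoC-like nComps == 0 case, a normal RGB/8-bit
    // line, and two values that would overflow the int arithmetic.
    const int cases[][3] = {
        {100, 0, 8}, {100, 3, 8}, {10, 1, 1}, {INT_MAX, 2, 8}, {INT_MAX / 2, 1, 8}};
    for (const auto &c : cases) {
        std::printf("width=%d nComps=%d nBits=%d -> inputLineSize=%d\n",
                    c[0], c[1], c[2], safeInputLineSize(c[0], c[1], c[2]));
    }
    return 0;
}
```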