Bug 101526 - Division by zero in Stream.cc:471
Summary: Division by zero in Stream.cc:471
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-06-20 17:45 UTC by foca@salesforce.com
Modified: 2017-06-20 22:02 UTC (History)

Attachments
Proof of concept (8.93 KB, application/pdf)
2017-06-20 17:45 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-20 17:45:11 UTC
Created attachment 132096
Proof of concept

There is a division by zero in Stream.cc:471. In the ImageStream constructor, INT_MAX is divided by nComps; when parsing the attached PoC.pdf, nComps has the value 0. The division by 0 caused a SIGFPE crash.

 461 ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
 462   int imgLineSize;
 463 
 464   str = strA;
 465   width = widthA;
 466   nComps = nCompsA;
 467   nBits = nBitsA;
 468 
 469   nVals = width * nComps;
 470   inputLineSize = (nVals * nBits + 7) >> 3;
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
 472     inputLineSize = -1;
 473   }

A possible solution is to check for this case:
 471   if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || nComps == 0 || width > INT_MAX / nComps) {

A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
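
Added example, not part of the original report and not poppler's code: a stand-alone C++ sketch of the line-size computation in which every divisor is validated before it is used and each product is range-checked before it is computed. The helper name checkedInputLineSize and the sample values are hypothetical, and rejecting non-positive width and nComps is an assumption that goes beyond the one-line change proposed above.

```cpp
#include <climits>
#include <cstdio>

// Hypothetical helper (not poppler's API). Returns the number of bytes in one
// input line, or -1 when the parameters are invalid or the size would not fit
// in an int. -1 mirrors the "inputLineSize = -1" error value in the report.
int checkedInputLineSize(int width, int nComps, int nBits) {
    // Reject zero and negative values first: after this point neither
    // nComps nor nBits can be a zero divisor (the SIGFPE case in the report).
    if (width <= 0 || nComps <= 0 || nBits <= 0) {
        return -1;
    }
    // Check width * nComps by division before multiplying.
    if (width > INT_MAX / nComps) {
        return -1;
    }
    int nVals = width * nComps;
    // Check nVals * nBits + 7 the same way.
    if (nVals > (INT_MAX - 7) / nBits) {
        return -1;
    }
    return (nVals * nBits + 7) >> 3;
}

int main() {
    // Constructed sample inputs: {width, nComps, nBits}.
    const int samples[][3] = {
        {10, 3, 8},        // ordinary RGB line
        {10, 0, 8},        // nComps == 0, as described for PoC.pdf
        {INT_MAX, 2, 8},   // width * nComps would overflow
        {10, 3, 0},        // nBits == 0
    };
    for (const auto &s : samples) {
        std::printf("width=%d nComps=%d nBits=%d -> %d\n",
                    s[0], s[1], s[2], checkedInputLineSize(s[0], s[1], s[2]));
    }
    return 0;
}
```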