diff options
| author | Albert Astals Cid <aacid@kde.org> | 2014-03-26 17:58:48 +0100 |
|---|---|---|
| committer | Albert Astals Cid <aacid@kde.org> | 2014-03-26 18:43:48 +0100 |
| commit | 322e416451b7b33cba8fb3d4702207693c3c7921 (patch) | |
| tree | 5472349b9f25eeb58f4c739557a953add71ac4c8 | |
| parent | 225232f6f070d17d8570108ffe39ffd4350fc6e8 (diff) | |
Fix error reported by ASAN in 1195.asan.0.293.pdf
==31060== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040002a215 at pc 0x7f5614cd96c4 bp 0x7fff54a44050 sp 0x7fff54a44048
READ of size 1 at 0x60040002a215 thread T0
#0 0x7f5614cd96c3 in JBIG2Stream::readGenericBitmap(bool, int, int, int, bool, bool, JBIG2Bitmap*, int*, int*, int) /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:3389
#1 0x7f5614cce0e7 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1867
#2 0x7f5614ccb8fe in JBIG2Stream::readSegments() /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1408
#3 0x7f5614cca72e in JBIG2Stream::reset() /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1248
#4 0x7f5614d1648b in ImageStream::reset() /home/tsdgeos/devel/poppler/poppler/Stream.cc:484
#5 0x7f5614de6578 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /home/tsdgeos/devel/poppler/poppler/SplashOutputDev.cc:3158
#6 0x7f5614c41d64 in Gfx::doImage(Object*, Stream*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4653
#7 0x7f5614c3ede0 in Gfx::opXObject(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4179
#8 0x7f5614c1933a in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:903
#9 0x7f5614c1850f in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:762
#10 0x7f5614c18163 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:728
#11 0x7f5614cfae27 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:585
#12 0x7f5614d02353 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503
#13 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222
#14 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521
#15 0x7f5614322ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#16 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)
| -rw-r--r-- | poppler/JBIG2Stream.cc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index 87411ca1..4c551231 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -3384,8 +3384,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, if (atx[0] >= -8 && atx[0] <= 8) { // set up the adaptive context - if (y + aty[0] >= 0) { - atP0 = bitmap->getDataPtr() + (y + aty[0]) * bitmap->getLineSize(); + const int atY = y + aty[0]; + if ((atY >= 0) && (atY < bitmap->getHeight())) { + atP0 = bitmap->getDataPtr() + atY * bitmap->getLineSize(); atBuf0 = *atP0++ << 8; } else { atP0 = NULL; |