poppler/GfxState.cc | 10 ++++++++++ splash/Splash.cc | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-)
New commits: commit 8d715bfc7c3610b823721dc26368728795baa2fe Author: Albert Astals Cid <aa...@kde.org> Date: Wed May 23 15:44:05 2018 +0200 GfxPatchMeshShading::parse: Error out if BitsPerCoordinate <= 0
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 77adfd0e..b76c52d9 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -5129,6 +5129,10 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 error(errSyntaxWarning, -1, "Missing or invalid BitsPerCoordinate in shading dictionary");
 return nullptr;
 }
+ if (unlikely(coordBits <= 0)) {
+ error(errSyntaxWarning, -1, "Invalid BitsPerCoordinate in shading dictionary");
+ return nullptr;
+ }
 obj1 = dict->lookup("BitsPerComponent");
 if (obj1.isInt()) {
 compBits = obj1.getInt();
commit f5fb32bd4b64040dc0f9b9e1555dabce804ba566 Author: Albert Astals Cid <aa...@kde.org> Date: Wed May 23 15:38:26 2018 +0200 Splash::scaleMaskYuXu: Also check for srcHeight <= 0
diff --git a/splash/Splash.cc b/splash/Splash.cc
index fc92bc18..0ee71077 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -3550,8 +3550,8 @@ void Splash::scaleMaskYuXu(SplashImageMaskSource src, void *srcData,
 return;
 }
- if (unlikely(srcWidth <= 0)) {
- error(errSyntaxError, -1, "srcWidth <= 0 in Splash::scaleMaskYuXu");
+ if (unlikely(srcWidth <= 0 || srcHeight <= 0)) {
+ error(errSyntaxError, -1, "srcWidth <= 0 || srcHeight <= 0 in Splash::scaleMaskYuXu");
 return;
 }
commit 0318e1667c7b137493f22be61b835eb914f68fa9 Author: Albert Astals Cid <aa...@kde.org> Date: Wed May 23 15:34:32 2018 +0200 GfxPatchMeshShading::parse: Fix memory leak on malformed documents fixes oss-fuzz/8487
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 21c09c8f..77adfd0e 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
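Review bot: The new `coordBits <= 0` guard in GfxPatchMeshShading::parse (commit 8d715bfc, poppler/GfxState.cc) bounds the value only from below, so a document can still supply an arbitrarily large BitsPerCoordinate. The PDF specification lists 1, 2, 4, 8, 12, 16, 24 and 32 as the valid values, so the condition could be `if (unlikely(coordBits <= 0 || coordBits > 32)) {`; this matters if later code uses coordBits as a bit width or scale exponent, which is not visible here. The context right after the added lines reads BitsPerComponent into compBits with no range check inside the hunk. parse() continues past the hunk, so confirm compBits is validated there or give it the same guard.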
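Review bot: The merged guard in Splash::scaleMaskYuXu (commit f5fb32bd, splash/Splash.cc) logs the condition text rather than the offending values, so a fuzzer report or field log does not show which dimension was bad or what the document supplied. Passing the values through, e.g. `error(errSyntaxError, -1, "Invalid source size {0:d}x{1:d} in Splash::scaleMaskYuXu", srcWidth, srcHeight);`, keeps a single guard and makes triage easier. The function starts and ends outside the hunk, so whether scaledWidth and scaledHeight are covered by the earlier `return;` path is not visible and is worth confirming.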
@@ -5293,6 +5293,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 1:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[0][3];
@@ -5329,6 +5330,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 2:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[3][3];
@@ -5365,6 +5367,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 3:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[3][0];
@@ -5444,6 +5447,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 1:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[0][3];
@@ -5488,6 +5492,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 2:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[3][3];
@@ -5532,6 +5537,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
 case 3:
 if (nPatchesA == 0) {
 gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
 return nullptr;
 }
 p->x[0][0] = patchesA[nPatchesA-1].x[3][0];
_______________________________________________ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
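Review bot: The cleanup line `for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];` is pasted into six separate `nPatchesA == 0` exits of GfxPatchMeshShading::parse (the hunks at new lines 5293, 5330, 5367, 5447, 5492 and 5537), so a later exit added to this function can easily miss it and reintroduce the leak on malformed input. A single local helper, for example `auto freeParseState = [&] { gfree(patchesA); for (int k = 0; k < nFuncsA; ++k) delete funcsA[k]; };` called before each `return nullptr;`, or holding the funcsA entries in std::unique_ptr, would keep every exit consistent. parse() begins and ends outside these hunks, so any other allocation still live at these returns is not visible here and should be checked against the same paths.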