[poppler] goo/GooCheckedOps.h poppler/Function.cc

Fri, 10 Jan 2020 02:06:26 -0800 

 goo/GooCheckedOps.h |   11 ++++++++++-
 poppler/Function.cc |    5 +++--
 2 files changed, 13 insertions(+), 3 deletions(-)

New commits:
commit c80a00125180d396442d7559f6df65bdd1b5b98d
Author: Albert Astals Cid <[email protected]>
Date:   Fri Jan 10 00:46:22 2020 +0100

    PSStack::copy: Fix integer overflow leading to potential crash
    
    in broken files
    
    Fixes issue #870

diff --git a/goo/GooCheckedOps.h b/goo/GooCheckedOps.h
index 96c2f517..6aeb5d17 100644
--- a/goo/GooCheckedOps.h
+++ b/goo/GooCheckedOps.h
@@ -6,7 +6,7 @@
 //
 // Copyright (C) 2018 Adam Reichold <[email protected]>
 // Copyright (C) 2019 LE GARREC Vincent <[email protected]>
-// Copyright (C) 2019 Albert Astals Cid <[email protected]>
+// Copyright (C) 2019, 2020 Albert Astals Cid <[email protected]>
 //
 //========================================================================
 
@@ -44,6 +44,15 @@ template<typename T> inline bool checkedAdd(T x, T y, T *z) {
 #endif
 }
 
+template<typename T> inline bool checkedSubtraction(T x, T y, T *z) {
+#if __GNUC__ >= 5 || __has_builtin(__builtin_sub_overflow)
+  return __builtin_sub_overflow(x, y, z);
+#else
+  const auto lz = static_cast<long long>(x) - static_cast<long long>(y);
+  return checkedAssign(lz, z);
+#endif
+}
+
 template<typename T> inline bool checkedMultiply(T x, T y, T *z) {
 #if __GNUC__ >= 5 || __has_builtin(__builtin_mul_overflow)
   return __builtin_mul_overflow(x, y, z);
diff --git a/poppler/Function.cc b/poppler/Function.cc
index 8d6fab7a..e7b32748 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -1077,11 +1077,12 @@ private:
 void PSStack::copy(int n) {
   int i;
 
-  if (sp + n > psStackSize) {
+  int aux;
+  if (unlikely(checkedAdd(sp, n, &aux) || aux > psStackSize)) {
     error(errSyntaxError, -1, "Stack underflow in PostScript function");
     return;
   }
-  if (unlikely(sp - n > psStackSize)) {
+  if (unlikely(checkedSubtraction(sp, n, &aux) || aux > psStackSize)) {
     error(errSyntaxError, -1, "Stack underflow in PostScript function");
     return;
   }
_______________________________________________
poppler mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/poppler

Reply via email to