Fix ASAN in 750.asan.0.9621.pdf

==25876== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040002a10f at pc 0x7fc396c3c23e bp 0x7ffff1123d20 sp 0x7ffff1123d18 READ of size 1 at 0x60040002a10f thread T0 #0 0x7fc396c3c23d in JBIG2Stream::readGenericBitmap(bool, int, int, int, bool, bool, JBIG2Bitmap*, int*, int*, int) /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:3504 #1 0x7fc396c30073 in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1867 #2 0x7fc396c2d88a in JBIG2Stream::readSegments() /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1408 #3 0x7fc396c2c6ba in JBIG2Stream::reset() /home/tsdgeos/devel/poppler/poppler/JBIG2Stream.cc:1248 #4 0x7fc396c783f7 in ImageStream::reset() /home/tsdgeos/devel/poppler/poppler/Stream.cc:484 #5 0x7fc396d484e4 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) /home/tsdgeos/devel/poppler/poppler/SplashOutputDev.cc:3158 #6 0x7fc396ba3cf0 in Gfx::doImage(Object*, Stream*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4653 #7 0x7fc396ba0d6c in Gfx::opXObject(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4179 #8 0x7fc396b7b2c6 in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:903 #9 0x7fc396b7a49b in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:762 #10 0x7fc396b7a0ef in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:728 #11 0x7fc396c5cd93 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:585 #12 0x7fc396c642bf in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503 #13 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222 #14 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521 #15 0x7fc396284ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #16 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)
giddie · Mar 26, 2014 · fb7d914 · fb7d914
1 parent 9002b3b
commit fb7d914
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
@@ -15,7 +15,7 @@
 //
 // Copyright (C) 2006 Raj Kumar <[email protected]>
 // Copyright (C) 2006 Paul Walmsley <[email protected]>
-// Copyright (C) 2006-2010, 2012 Albert Astals Cid <[email protected]>
+// Copyright (C) 2006-2010, 2012, 2014 Albert Astals Cid <[email protected]>
 // Copyright (C) 2009 David Benjamin <[email protected]>
 // Copyright (C) 2011 Edward Jiang <[email protected]>
 // Copyright (C) 2012 William Bader <[email protected]>
@@ -3499,8 +3499,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
 
 	if (atx[0] >= -8 && atx[0] <= 8) {
 	  // set up the adaptive context
-	  if (y + aty[0] >= 0) {
-	    atP0 = bitmap->getDataPtr() + (y + aty[0]) * bitmap->getLineSize();
+	  const int atY = y + aty[0];
+	  if ((atY >= 0) && (atY < bitmap->getHeight())) {
+	    atP0 = bitmap->getDataPtr() + atY * bitmap->getLineSize();
 	    atBuf0 = *atP0++ << 8;
 	  } else {
 	    atP0 = NULL;