Fixes CVE-2015-8868 (heap overflow). Upstream source: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
From b3425dd3261679958cd56c0f71995c15d2124433 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid
Date: Tue, 22 Dec 2015 22:50:33 +0100
Subject: Do not crash on invalid files
Bug #93476
diff --git a/poppler/Function.cc b/poppler/Function.cc
index 67283df..ee5afc1 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -577,6 +577,10 @@ ExponentialFunction::ExponentialFunction(Object *funcObj, Dict *dict) {
 goto err2;
 }
 n = obj1.arrayGetLength();
+ if (unlikely(n > funcMaxOutputs)) {
+ error(errSyntaxError, -1, "Function's C0 array is wrong length");
+ n = funcMaxOutputs;
+ }
 for (i = 0; i < n; ++i) {
 obj1.arrayGet(i, &obj2);
 if (!obj2.isNum()) {
-- 
cgit v0.10.2
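Review bot: The added guard truncates an oversized C0 array with `n = funcMaxOutputs;` and carries on building the function, while the error path visible just above it in the same hunk bails out with `goto err2;`. For a file that is already known to be malformed, rejecting is the more conservative choice; if truncation is deliberate for leniency, say so in a comment such as `// clamp so the loop below never stores more than funcMaxOutputs entries`. The destination the loop writes to is outside the hunk, so the bound is presumably the size of that storage; this should be confirmed. It is also worth confirming that any later loop in this constructor iterates over the clamped `n` rather than a fresh `arrayGetLength()`. The constructor body starts and ends outside the hunk.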