poppler/poppler-24.02.0-tilingPatternFill-overflow.patch
2026-06-10 17:46:13 -04:00

39 lines
1.6 KiB
Diff

From 678bed7fc23bc14eb5f3ff4dfbaa10f2b252cf21 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Thu, 21 May 2026 17:51:51 +0200
Subject: [PATCH] SplashOutputDev: Fix integer overflow in tilingPatternFill
Use checkedMultiply() to check integer multiplication of surface size
and number of repetitions to avoid integer overflow and possible memory issues.
Fixes: #1715
---
poppler/SplashOutputDev.cc | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 705aae25..f10d6538 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
matc[2] = ctm[2];
matc[3] = ctm[3];
- if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) {
+ if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) {
state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
return false;
}
@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
kx = matc[0];
ky = matc[3] - (matc[1] * matc[2]) / matc[0];
}
- result_width = surface_width * repeatX;
- result_height = surface_height * repeatY;
kx = result_width / (fabs(kx) + 1);
ky = result_height / (fabs(ky) + 1);
state->concatCTM(kx, 0, 0, ky, 0, 0);
--
2.54.0