76f8c5
From c114a90063d755639d2b0dbf816690a66b54bee0 Mon Sep 17 00:00:00 2001
76f8c5
From: Albert Astals Cid <aacid@kde.org>
76f8c5
Date: Sun, 8 Feb 2015 00:24:11 +0100
76f8c5
Subject: Fix crash in fuzzed file from Bug #84988
76f8c5
76f8c5
76f8c5
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
76f8c5
index c9db1e7..150d444 100644
76f8c5
--- a/poppler/TextOutputDev.cc
76f8c5
+++ b/poppler/TextOutputDev.cc
76f8c5
@@ -20,7 +20,7 @@
76f8c5
 // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
76f8c5
 // Copyright (C) 2007, 2008, 2012 Adrian Johnson <ajohnson@redneon.com>
76f8c5
 // Copyright (C) 2008 Koji Otani <sho@bbr.jp>
76f8c5
-// Copyright (C) 2008, 2010-2012, 2014 Albert Astals Cid <aacid@kde.org>
76f8c5
+// Copyright (C) 2008, 2010-2012, 2014, 2015 Albert Astals Cid <aacid@kde.org>
76f8c5
 // Copyright (C) 2008 Pino Toscano <pino@kde.org>
76f8c5
 // Copyright (C) 2008, 2010 Hib Eris <hib@hiberis.nl>
76f8c5
 // Copyright (C) 2009 Ross Moore <ross@maths.mq.edu.au>
76f8c5
@@ -622,6 +622,10 @@ void TextPool::addWord(TextWord *word) {
76f8c5
   TextWord *w0, *w1;
76f8c5
 
76f8c5
   // expand the array if needed
76f8c5
+  if (unlikely((word->base / textPoolStep) > INT_MAX)) {
76f8c5
+      error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
76f8c5
+      return;
76f8c5
+  }
76f8c5
   wordBaseIdx = (int)(word->base / textPoolStep);
76f8c5
   if (minBaseIdx > maxBaseIdx) {
76f8c5
     minBaseIdx = wordBaseIdx - 128;
76f8c5
-- 
76f8c5
cgit v0.10.2
76f8c5