Backport of:
From 75c84350958d67cc15d12d3dbc858b257971e399 Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@inspiresomeone.us>
Date: Thu, 5 Oct 2017 15:32:13 -0500
Subject: [PATCH] Fix crash in fuzzed file
This file crashes pdftotext because it positions texts past INT_MIN, leading to overflow in subsequent calculations.
Bug #103116
diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index 4adb3c2..d6ce0a0 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -623,6 +623,10 @@ void TextPool::addWord(TextWord *word) {
 // expand the array if needed
 wordBaseIdx = (int)(word->base / textPoolStep);
+ if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+ error(errSyntaxWarning, -1, "wordBaseIdx out of range");
+ return;
+ }
 if (minBaseIdx > maxBaseIdx) {
 minBaseIdx = wordBaseIdx - 128;
 maxBaseIdx = wordBaseIdx + 128;
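Review bot: The range check in `TextPool::addWord` runs after `(int)(word->base / textPoolStep)` has already been evaluated, so it depends on the result of converting an out-of-range (or NaN) floating-point value to `int`, which is undefined behaviour in C++ and only happens to yield `INT_MIN` on some targets; this assumes `word->base` is a floating-point coordinate, which the division suggests but the hunk does not show. Validating before the cast avoids that dependence: `const double baseIdx = word->base / textPoolStep;` followed by `if (unlikely(!(baseIdx > INT_MIN + 128.0 && baseIdx < INT_MAX - 128.0))) {`, and only then `wordBaseIdx = (int)baseIdx;`. The early `return` also drops `word` without storing it; if the pool is meant to take ownership (the caller is not visible here), the rejected word should be freed or the failure reported to the caller. The function body starts and continues outside the hunk.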