poppler/JArithmeticDecoder.h · 9e853438c5e9d56c07141220f2b30d7215ee9278 · poppler / poppler

JBIG2: avoid abort() on large memory allocation · 9e853438

Even Rouault authored Aug 09, 2020

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24772

When numInputSyms + numNewSyms is large enough, a fatal out of memory
allocation can occur in JArithmeticDecoderStats() constructor per

```
    #0 0xf7f6bf19 in [vdso]
    #1 0xf7d40d08 in gsignal (/lib32/libc.so.6+0x2bd08)
    #2 0xf7d42206 in abort (/lib32/libc.so.6+0x2d206)
    #3 0xbdc0049 in gmalloc(unsigned int, bool) gdal/poppler/goo/gmem.h:52:5
    #4 0xbdf3c61 in gmallocn(int, int, bool) gdal/poppler/goo/gmem.h:119:12
    #5 0xc1391fd in JArithmeticDecoderStats::JArithmeticDecoderStats(int) gdal/poppler/poppler/JArithmeticDecoder.cc:36:30
    #6 0xc1130d5 in JBIG2Stream::resetIntStats(int) gdal/poppler/poppler/JBIG2Stream.cc:4052:25
    #7 0xc1083df in JBIG2Stream::readSymbolDictSeg(unsigned int, unsigned int, unsigned int*, unsigned int) gdal/poppler/poppler/JBIG2Stream.cc:1624:9
    #8 0xc105305 in JBIG2Stream::readSegments() gdal/poppler/poppler/JBIG2Stream.cc:1318:18
    #9 0xc103f5a in JBIG2Stream::reset() gdal/poppler/poppler/JBIG2Stream.cc:1142:5
```

Avoid it and return nicely.

9e853438