Logic error in function Hints::Hints

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {

    error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");

    nPages = 0;

}

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

if (nPages != 0) {

    readTables(str, linearization, xref, secHdlr);

}

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by Jieyong Ma

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Logic error in function Hints::Hints