Logic error in function Hints::Hints

A logic error in Function Hints::Hints (poppler/Hints.cc) is found with fuzzing.

There is a check after the memory alloc and set the nPages to zero if failed:

if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) {

    error(errSyntaxWarning, -1, "Failed to allocate memory for hints table");

    nPages = 0;

}

But at the end of function, there is a direct call to function readTables WITHOUT the check of nPages.

I believe it should be changed to:

if (nPages != 0) {

    readTables(str, linearization, xref, secHdlr);

}

Otherwise, with the attached poc.pdf, program pdftops will hang for a very long time (days), could be a DoS.

pdftops poc.pdf

Edited Mar 15, 2022 by Jieyong Ma

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information