Integer overflow in readPatternDictSeg
Hi!
I've been fuzzing your project and found an integer overflow in `readPatternDictSeg`.
In line 2505 of `JBIG2Stream.cc` you use `(grayMax + 1) * patternW`
as the second argument of `readPatternDictSeg` without an integer overflow check.
An exception occurs when opening the `sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed` file. You can use docker and the fuzz targets from oss-sydr-fuzz to reproduce the error:
`/out/page_label_fuzzer ./sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed`
Libfuzzer's output:

```
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1759908738
INFO: Loaded 1 modules (851926 inline 8-bit counters): 851926 [0x60afae8, 0x617fabe),
INFO: Loaded 1 PC tables (851926 PCs): 851926 [0x617fac0,0x6e7f820),
/out/page_label_fuzzer: Running 1 inputs 1 time(s) each.
Running: /fuzz/page_label-out/security-verified/sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed
/src/libfuzzer/poppler/poppler/NameToCharCode.cc:129:16: runtime error: unsigned integer overflow: 17 * 2686153882 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/NameToCharCode.cc:129:16 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:364:21: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:364:21 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:2000:30: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:2000:30 in
/src/libfuzzer/poppler/poppler/Lexer.cc:587:20: runtime error: implicit conversion from type 'int' of value 254 (32-bit, signed) to type 'char' changed the value to -2 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/Lexer.cc:587:20 in
/src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:51: runtime error: unsigned integer overflow: 1431663872 * 3 cannot be represented in type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:51 in
/src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:113: runtime error: implicit conversion from type 'unsigned int' of value 2155905145 (32-bit, unsigned) to type 'int' changed the value to -2139062151 (32-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/JBIG2Stream.cc:2505:113 in
Bogus memory allocation size
/src/libfuzzer/poppler/poppler/Stream.cc:143:18: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/Stream.cc:143:18 in
/src/libfuzzer/poppler/poppler/PDFDoc.cc:1966:26: runtime error: implicit conversion from type 'int' of value 226 (32-bit, signed) to type 'char' changed the value to -30 (8-bit, signed)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/libfuzzer/poppler/poppler/PDFDoc.cc:1966:26 in
Bogus memory allocation size
Executed /fuzz/page_label-out/security-verified/sydr_e70b1aedf122b0ba90dcd2d104560befbb2f8d5c_int_overflow_33_signed in 24 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
```
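The sanitizer report above flags two separate problems on the same line: the `unsigned int` product `(grayMax + 1) * patternW` wraps, and the wrapped value is then narrowed to a negative `int`. The helper below is an added example, not poppler's code and not a proposed patch; it shows one way to compute that width so both failure modes are rejected instead of silently wrapping. The function name `checkedPatternDictWidth` is hypothetical, and it assumes the same parameter types as the expression in the report (`unsigned int` inputs, `int` result).

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

// Hypothetical helper (added example, not poppler code).
// Computes (grayMax + 1) * patternW and returns false instead of wrapping.
// The result is only stored when it fits in an int, because that is the
// type the product is ultimately passed as in the report.
bool checkedPatternDictWidth(unsigned int grayMax, unsigned int patternW, int *out)
{
    // Widen before doing any arithmetic. grayMax + 1 is at most 2^32 and
    // the product at most 2^32 * (2^32 - 1), so a uint64_t holds it exactly.
    const uint64_t total = (static_cast<uint64_t>(grayMax) + 1) * patternW;

    // A value above INT_MAX would have gone negative in the unchecked version
    // (the log shows 2155905145 becoming -2139062151).
    if (total > static_cast<uint64_t>(INT_MAX)) {
        return false;
    }
    *out = static_cast<int>(total);
    return true;
}

int main()
{
    int width = 0;

    // Ordinary pattern dictionary: 16 gray levels, 8-pixel-wide patterns.
    if (checkedPatternDictWidth(15u, 8u, &width)) {
        std::printf("ok: width = %d\n", width);          // width = 128
    }

    // Operands taken from the sanitizer message in the report:
    // 1431663872 * 3 does not fit in 32 bits, so the helper refuses it.
    if (!checkedPatternDictWidth(1431663871u, 3u, &width)) {
        std::printf("rejected: (1431663871 + 1) * 3 overflows\n");
    }

    // grayMax == UINT_MAX makes even the "+ 1" wrap in 32-bit arithmetic.
    if (!checkedPatternDictWidth(UINT_MAX, 1u, &width)) {
        std::printf("rejected: grayMax + 1 overflows\n");
    }
    return 0;
}
```

Widening to 64 bits keeps the check portable; `__builtin_mul_overflow` would do the same job on GCC and Clang, but the 64-bit comparison also catches the narrowing to `int` in the same test.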