RFC: Check that the coordinate transforms are at least within integer range oss-fuzz/8418
Check that the coordinate transforms are at least within integer range before using them to draw an image mask. oss-fuzz/8418
Test case 4625424549150720 is interesting insofar as it shows a timeout after having two places with undefined behaviour:
```text
Running: /home/adam/Downloads/clusterfuzz-testcase-minimized-pdf_fuzzer-4625424549150720
/home/adam/Projekte/poppler/splash/SplashMath.h:87:22: runtime error: -3.34634e+22 is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/adam/Projekte/poppler/splash/SplashMath.h:87:22 in
/home/adam/Projekte/poppler/splash/Splash.cc:3082:49: runtime error: signed integer overflow: 768 - -2147483648 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/adam/Projekte/poppler/splash/Splash.cc:3082:49 in
```
This change is not a proper solution since even if the matrix components are out of integer range, they could still even out to produce coordinates in integer range, but it does prevent the above from happening (and also the timeout).
But I fear that arbitrarily limiting the matrix components to integer range might introduce regressions elsewhere? But it seems unrealistic to make every call to `splashCeil` or `splashFloor` check whether the result fits into an int? A compromise could be to instrument the `imgCoordMunge*` calls, but even those are sometimes part of inner loops.