
RFC: Check that the coordinate transforms are at least within integer range oss-fuzz/8418

Adam Reichold requested to merge (removed):fix-of8418 into master

Check that the coordinate transforms are at least within integer range before using them to draw an image mask. oss-fuzz/8418

Test case 4625424549150720 is interesting insofar as it shows a timeout after having two places with undefined behaviour:

Running: /home/adam/Downloads/clusterfuzz-testcase-minimized-pdf_fuzzer-4625424549150720
/home/adam/Projekte/poppler/splash/SplashMath.h:87:22: runtime error: -3.34634e+22 is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/adam/Projekte/poppler/splash/SplashMath.h:87:22 in 
/home/adam/Projekte/poppler/splash/Splash.cc:3082:49: runtime error: signed integer overflow: 768 - -2147483648 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/adam/Projekte/poppler/splash/Splash.cc:3082:49 in

This change is not a proper solution since even if the matrix components are out of integer range, they could still even out to produce coordinates in integer range, but it does prevent the above from happening (and also the timeout).

But I fear that arbitrarily limiting the matrix components to integer range might introduce regressions elsewhere? But it seems unrealistic to make every call to splashCeil or splashFloor check whether the result fits into an int? A compromise could be to instrument the imgCoordMunge* calls, but even those are sometimes part of inner loops.
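The two checks the sanitizer output above calls for, as an added example that is not poppler's code: a floor/ceil that refuses doubles outside int range (the SplashMath.h report) and a subtraction that refuses to overflow (the Splash.cc report), plus the coarse matrix pre-check this request describes. All function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>

/* Added example, not poppler code. Hypothetical helpers mirroring the two
 * sanitizer reports above: a checked double->int floor/ceil (SplashMath.h)
 * and a checked subtraction (Splash.cc's 768 - -2147483648). No libm needed. */

/* Returns true and stores floor(x) in *out only if that value fits an int. */
bool checkedFloor(double x, int *out) {
    if (x != x) return false;                              /* NaN */
    /* Outside this interval no floor/ceil result can be an int; the
     * bounds are exact doubles, so the comparison itself is safe. */
    if (!(x > (double)INT_MIN - 1.0 && x < (double)INT_MAX + 1.0)) return false;
    long long t = (long long)x;         /* in range now, truncates toward 0 */
    if ((double)t > x) t--;             /* negative fraction: step toward -inf */
    if (t < INT_MIN || t > INT_MAX) return false;
    *out = (int)t;
    return true;
}

bool checkedCeil(double x, int *out) {
    if (x != x) return false;
    if (!(x > (double)INT_MIN - 1.0 && x < (double)INT_MAX + 1.0)) return false;
    long long t = (long long)x;
    if ((double)t < x) t++;             /* positive fraction: step toward +inf */
    if (t < INT_MIN || t > INT_MAX) return false;
    *out = (int)t;
    return true;
}

/* Returns true and stores a - b in *out only if the subtraction cannot overflow. */
bool checkedSub(int a, int b, int *out) {
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b)) return false;
    *out = a - b;
    return true;
}

/* The coarse pre-check from the merge request: every component of an affine
 * matrix [a b c d e f] must itself be representable as an int. */
bool matrixInIntRange(const double m[6]) {
    int unused;
    for (int i = 0; i < 6; i++)
        if (!checkedFloor(m[i], &unused)) return false;
    return true;
}
```

As the request itself notes, the matrix pre-check rejects inputs whose components are huge but would cancel out to in-range coordinates; the per-call checks are the precise alternative.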
