Account for verticesA possible overflow in GfxGouraudTriangleShading::parse

fixes oss-fuzz file abort

Account for verticesA possible overflow in GfxGouraudTriangleShading::parse
fixes oss-fuzz file abort
37659c01 · Albert Astals Cid · e69dc7a5 · 37659c01
Commit 37659c01 authored Jul 04, 2019 by Albert Astals Cid
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4877,7 +4877,13 @@ GfxGouraudTriangleShading *GfxGouraudTriangleShading::parse(GfxResources *res, i
      int oldVertSize = vertSize;
      vertSize = (vertSize == 0) ? 16 : 2 * vertSize;
      verticesA = (GfxGouraudVertex *)
-	              greallocn(verticesA, vertSize, sizeof(GfxGouraudVertex));
+	              greallocn_checkoverflow(verticesA, vertSize, sizeof(GfxGouraudVertex));
+      if (unlikely(!verticesA)) {
+        error(errSyntaxWarning, -1, "GfxGouraudTriangleShading::parse: vertices size overflow");
+        gfree(trianglesA);
+        delete bitBuf;
+        return nullptr;
+      }
      memset(verticesA + oldVertSize, 0, (vertSize - oldVertSize) * sizeof(GfxGouraudVertex));
    }
    verticesA[nVerticesA].x = xMin + xMul * (double)x;