commit 37659c01087eb8b25a5a593268f1acf52e6624f7
author Albert Astals Cid <aacid@kde.org> Thu Jul 04 11:06:24 2019 +0200
committer Albert Astals Cid <aacid@kde.org> Thu Jul 04 11:06:24 2019 +0200
tree 7b8b5b333617d55d1604c59187aecdba46961d04
parent e69dc7a5a44c1c3fb97023d44e9e99a2bca75a46

Account for verticesA possible overflow in GfxGouraudTriangleShading::parse

fixes oss-fuzz file abort

poppler/GfxState.cc

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index a562a6c..33d2aaf 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4877,7 +4877,13 @@
       int oldVertSize = vertSize;
       vertSize = (vertSize == 0) ? 16 : 2 * vertSize;
       verticesA = (GfxGouraudVertex *)
-	              greallocn(verticesA, vertSize, sizeof(GfxGouraudVertex));
+	              greallocn_checkoverflow(verticesA, vertSize, sizeof(GfxGouraudVertex));
+      if (unlikely(!verticesA)) {
+        error(errSyntaxWarning, -1, "GfxGouraudTriangleShading::parse: vertices size overflow");
+        gfree(trianglesA);
+        delete bitBuf;
+        return nullptr;
+      }
       memset(verticesA + oldVertSize, 0, (vertSize - oldVertSize) * sizeof(GfxGouraudVertex));
     }
     verticesA[nVerticesA].x = xMin + xMul * (double)x;