OSS_fuzz #45347 - validate image parameters

The file has an inline image with a /H (height) of -19. The interpreter
was simply passing that to the image rendering code which, not
unreasonably did nothing, but reported it had consumed -19 rows.

We then used that to try and skip over the image data, but treating
a negative number as an unsigned integer led to us trying to skip
ridiculously large amounts of data and eventually caused a crash in the
file handling.

This commit sets negative values to 0 (which then causes us to skip
the image) unless STOPONWARNING is set in which case we return an error.

1 files changed, 16 insertions, 0 deletions

diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c
index fa2e5362f..554cc3448 100644
--- a/pdf/pdf_image.c
+++ b/pdf/pdf_image.c
@@ -471,6 +471,14 @@ pdfi_get_image_info(pdf_context *ctx, pdf_stream *image_obj,
             goto errorExit;
         }
     }
+    if (info->Height < 0) {
+        pdfi_set_warning(ctx, 0, NULL, W_PDF_BAD_IMAGEDICT, "pdfi_get_image_info", NULL);
+        if (ctx->args.pdfstoponwarning) {
+            code = gs_note_error(gs_error_rangecheck);
+            goto errorExit;
+        }
+        info->Height = 0;
+    }
 
     /* Required */
     code = pdfi_dict_get_number2(ctx, image_dict, "Width", "W", &temp_f);
@@ -484,6 +492,14 @@ pdfi_get_image_info(pdf_context *ctx, pdf_stream *image_obj,
             goto errorExit;
         }
     }
+    if (info->Width < 0) {
+        pdfi_set_warning(ctx, 0, NULL, W_PDF_BAD_IMAGEDICT, "pdfi_get_image_info", NULL);
+        if (ctx->args.pdfstoponwarning) {
+            code = gs_note_error(gs_error_rangecheck);
+            goto errorExit;
+        }
+        info->Width = 0;
+    }
 
     /* Optional, default false */
     code = pdfi_dict_get_bool2(ctx, image_dict, "ImageMask", "IM", &info->ImageMask);