1 diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c
2 *** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005
3 --- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006
4 ***************
5 *** 11,16 ****
6 --- 11,17 ----
7 #include <stdlib.h>
8 #include <stddef.h>
9 #include <string.h>
10 + #include <limits.h>
11 #include "gmem.h"
12
13 #ifdef DEBUG_MEM
14 ***************
15 *** 63,69 ****
16 int lst;
17 unsigned long *trl, *p;
18
19 ! if (size == 0)
20 return NULL;
21 size1 = gMemDataSize(size);
22 if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
23 --- 64,70 ----
24 int lst;
25 unsigned long *trl, *p;
26
27 ! if (size <= 0)
28 return NULL;
29 size1 = gMemDataSize(size);
30 if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
31 ***************
32 *** 86,92 ****
33 #else
34 void *p;
35
36 ! if (size == 0)
37 return NULL;
38 if (!(p = malloc(size))) {
39 fprintf(stderr, "Out of memory\n");
40 --- 87,93 ----
41 #else
42 void *p;
43
44 ! if (size <= 0)
45 return NULL;
46 if (!(p = malloc(size))) {
47 fprintf(stderr, "Out of memory\n");
48 ***************
49 *** 102,108 ****
50 void *q;
51 int oldSize;
52
53 ! if (size == 0) {
54 if (p)
55 gfree(p);
56 return NULL;
57 --- 103,109 ----
58 void *q;
59 int oldSize;
60
61 ! if (size <= 0) {
62 if (p)
63 gfree(p);
64 return NULL;
65 ***************
66 *** 120,126 ****
67 #else
68 void *q;
69
70 ! if (size == 0) {
71 if (p)
72 free(p);
73 return NULL;
74 --- 121,127 ----
75 #else
76 void *q;
77
78 ! if (size <= 0) {
79 if (p)
80 free(p);
81 return NULL;
82 ***************
83 *** 140,147 ****
84 void *gmallocn(int nObjs, int objSize) {
85 int n;
86
87 n = nObjs * objSize;
88 ! if (objSize == 0 || n / objSize != nObjs) {
89 fprintf(stderr, "Bogus memory allocation size\n");
90 exit(1);
91 }
92 --- 141,151 ----
93 void *gmallocn(int nObjs, int objSize) {
94 int n;
95
96 + if (nObjs == 0) {
97 + return NULL;
98 + }
99 n = nObjs * objSize;
100 ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
101 fprintf(stderr, "Bogus memory allocation size\n");
102 exit(1);
103 }
104 ***************
105 *** 151,158 ****
106 void *greallocn(void *p, int nObjs, int objSize) {
107 int n;
108
109 n = nObjs * objSize;
110 ! if (objSize == 0 || n / objSize != nObjs) {
111 fprintf(stderr, "Bogus memory allocation size\n");
112 exit(1);
113 }
114 --- 155,168 ----
115 void *greallocn(void *p, int nObjs, int objSize) {
116 int n;
117
118 + if (nObjs == 0) {
119 + if (p) {
120 + gfree(p);
121 + }
122 + return NULL;
123 + }
124 n = nObjs * objSize;
125 ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
126 fprintf(stderr, "Bogus memory allocation size\n");
127 exit(1);
128 }
129 diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc
130 *** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005
131 --- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006
132 ***************
133 *** 13,18 ****
134 --- 13,19 ----
135 #endif
136
137 #include <stdlib.h>
138 + #include <limits.h>
139 #include "GList.h"
140 #include "Error.h"
141 #include "JArithmeticDecoder.h"
142 ***************
143 *** 681,686 ****
144 --- 682,691 ----
145 w = wA;
146 h = hA;
147 line = (wA + 7) >> 3;
148 + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
149 + data = NULL;
150 + return;
151 + }
152 // need to allocate one extra guard byte for use in combine()
153 data = (Guchar *)gmalloc(h * line + 1);
154 data[h * line] = 0;
155 ***************
156 *** 692,697 ****
157 --- 697,706 ----
158 w = bitmap->w;
159 h = bitmap->h;
160 line = bitmap->line;
161 + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
162 + data = NULL;
163 + return;
164 + }
165 // need to allocate one extra guard byte for use in combine()
166 data = (Guchar *)gmalloc(h * line + 1);
167 memcpy(data, bitmap->data, h * line);
168 ***************
169 *** 720,726 ****
170 }
171
172 void JBIG2Bitmap::expand(int newH, Guint pixel) {
173 ! if (newH <= h) {
174 return;
175 }
176 // need to allocate one extra guard byte for use in combine()
177 --- 729,735 ----
178 }
179
180 void JBIG2Bitmap::expand(int newH, Guint pixel) {
181 ! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
182 return;
183 }
184 // need to allocate one extra guard byte for use in combine()
185 ***************
186 *** 2294,2299 ****
187 --- 2303,2316 ----
188 !readUWord(&stepX) || !readUWord(&stepY)) {
189 goto eofError;
190 }
191 + if (w == 0 || h == 0 || w >= INT_MAX / h) {
192 + error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
193 + return;
194 + }
195 + if (gridH == 0 || gridW >= INT_MAX / gridH) {
196 + error(getPos(), "Bad grid size in JBIG2 halftone segment");
197 + return;
198 + }
199
200 // get pattern dictionary
201 if (nRefSegs != 1) {
202 diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
203 *** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005
204 --- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006
205 ***************
206 *** 12,17 ****
207 --- 12,18 ----
208 #pragma implementation
209 #endif
210
211 + #include <limits.h>
212 #include "gmem.h"
213 #include "Error.h"
214 #include "JArithmeticDecoder.h"
215 ***************
216 *** 818,823 ****
217 --- 819,830 ----
218 / img.xTileSize;
219 img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
220 / img.yTileSize;
221 + // check for overflow before allocating memory
222 + if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
223 + img.nXTiles >= INT_MAX / img.nYTiles) {
224 + error(getPos(), "Bad tile count in JPX SIZ marker segment");
225 + return gFalse;
226 + }
227 img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
228 sizeof(JPXTile));
229 for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
230 diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
231 *** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005
232 --- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006
233 ***************
234 *** 15,20 ****
235 --- 15,21 ----
236 #include <stdio.h>
237 #include <stdlib.h>
238 #include <stddef.h>
239 + #include <limits.h>
240 #ifndef WIN32
241 #include <unistd.h>
242 #endif
243 ***************
244 *** 406,418 ****
245 --- 407,432 ----
246 width = widthA;
247 nComps = nCompsA;
248 nBits = nBitsA;
249 + predLine = NULL;
250 + ok = gFalse;
251
252 nVals = width * nComps;
253 + if (width <= 0 || nComps <= 0 || nBits <= 0 ||
254 + nComps >= INT_MAX / nBits ||
255 + width >= INT_MAX / nComps / nBits ||
256 + nVals * nBits + 7 < 0) {
257 + return;
258 + }
259 pixBytes = (nComps * nBits + 7) >> 3;
260 rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
261 + if (rowBytes <= 0) {
262 + return;
263 + }
264 predLine = (Guchar *)gmalloc(rowBytes);
265 memset(predLine, 0, rowBytes);
266 predIdx = rowBytes;
267 +
268 + ok = gTrue;
269 }
270
271 StreamPredictor::~StreamPredictor() {
272 ***************
273 *** 1004,1009 ****
274 --- 1018,1027 ----
275 FilterStream(strA) {
276 if (predictor != 1) {
277 pred = new StreamPredictor(this, predictor, columns, colors, bits);
278 + if (!pred->isOk()) {
279 + delete pred;
280 + pred = NULL;
281 + }
282 } else {
283 pred = NULL;
284 }
285 ***************
286 *** 1259,1264 ****
287 --- 1277,1285 ----
288 if (columns < 1) {
289 columns = 1;
290 }
291 + if (columns + 4 <= 0) {
292 + columns = INT_MAX - 4;
293 + }
294 rows = rowsA;
295 endOfBlock = endOfBlockA;
296 black = blackA;
297 ***************
298 *** 2899,2904 ****
299 --- 2920,2930 ----
300 height = read16();
301 width = read16();
302 numComps = str->getChar();
303 + if (numComps <= 0 || numComps > 4) {
304 + error(getPos(), "Bad number of components in DCT stream");
305 + numComps = 0;
306 + return gFalse;
307 + }
308 if (prec != 8) {
309 error(getPos(), "Bad DCT precision %d", prec);
310 return gFalse;
311 ***************
312 *** 2925,2930 ****
313 --- 2951,2961 ----
314 height = read16();
315 width = read16();
316 numComps = str->getChar();
317 + if (numComps <= 0 || numComps > 4) {
318 + error(getPos(), "Bad number of components in DCT stream");
319 + numComps = 0;
320 + return gFalse;
321 + }
322 if (prec != 8) {
323 error(getPos(), "Bad DCT precision %d", prec);
324 return gFalse;
325 ***************
326 *** 2947,2952 ****
327 --- 2978,2988 ----
328
329 length = read16() - 2;
330 scanInfo.numComps = str->getChar();
331 + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
332 + error(getPos(), "Bad number of components in DCT stream");
333 + scanInfo.numComps = 0;
334 + return gFalse;
335 + }
336 --length;
337 if (length != 2 * scanInfo.numComps + 3) {
338 error(getPos(), "Bad DCT scan info block");
339 ***************
340 *** 3041,3046 ****
341 --- 3077,3083 ----
342 numACHuffTables = index+1;
343 tbl = &acHuffTables[index];
344 } else {
345 + index &= 0x0f;
346 if (index >= numDCHuffTables)
347 numDCHuffTables = index+1;
348 tbl = &dcHuffTables[index];
349 ***************
350 *** 3827,3832 ****
351 --- 3864,3873 ----
352 FilterStream(strA) {
353 if (predictor != 1) {
354 pred = new StreamPredictor(this, predictor, columns, colors, bits);
355 + if (!pred->isOk()) {
356 + delete pred;
357 + pred = NULL;
358 + }
359 } else {
360 pred = NULL;
361 }
362 diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
363 *** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005
364 --- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006
365 ***************
366 *** 232,237 ****
367 --- 232,239 ----
368
369 ~StreamPredictor();
370
371 + GBool isOk() { return ok; }
372 +
373 int lookChar();
374 int getChar();
375
376 ***************
377 *** 249,254 ****
378 --- 251,257 ----
379 int rowBytes; // bytes per line
380 Guchar *predLine; // line buffer
381 int predIdx; // current index in predLine
382 + GBool ok;
383 };
384
385 //------------------------------------------------------------------------
386 ***************
387 *** 527,533 ****
388 short getWhiteCode();
389 short getBlackCode();
390 short lookBits(int n);
391 ! void eatBits(int n) { inputBits -= n; }
392 };
393
394 //------------------------------------------------------------------------
395 --- 530,536 ----
396 short getWhiteCode();
397 short getBlackCode();
398 short lookBits(int n);
399 ! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
400 };
401
402 //------------------------------------------------------------------------
403 diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc
404 *** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005
405 --- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006
406 ***************
407 *** 186,192 ****
408 }
409
410 void SplashXPathScanner::computeIntersections(int y) {
411 ! SplashCoord ySegMin, ySegMax, xx0, xx1;
412 SplashXPathSeg *seg;
413 int i, j;
414
415 --- 186,192 ----
416 }
417
418 void SplashXPathScanner::computeIntersections(int y) {
419 ! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
420 SplashXPathSeg *seg;
421 int i, j;
422
423 ***************
424 *** 236,254 ****
425 } else if (seg->flags & splashXPathVert) {
426 xx0 = xx1 = seg->x0;
427 } else {
428 ! if (ySegMin <= y) {
429 ! // intersection with top edge
430 ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
431 } else {
432 ! // x coord of segment endpoint with min y coord
433 ! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
434 }
435 ! if (ySegMax >= y + 1) {
436 ! // intersection with bottom edge
437 ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
438 ! } else {
439 ! // x coord of segment endpoint with max y coord
440 ! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
441 }
442 }
443 if (xx0 < xx1) {
444 --- 236,262 ----
445 } else if (seg->flags & splashXPathVert) {
446 xx0 = xx1 = seg->x0;
447 } else {
448 ! if (seg->x0 < seg->x1) {
449 ! xSegMin = seg->x0;
450 ! xSegMax = seg->x1;
451 } else {
452 ! xSegMin = seg->x1;
453 ! xSegMax = seg->x0;
454 }
455 ! // intersection with top edge
456 ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
457 ! // intersection with bottom edge
458 ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
459 ! // the segment may not actually extend to the top and/or bottom edges
460 ! if (xx0 < xSegMin) {
461 ! xx0 = xSegMin;
462 ! } else if (xx0 > xSegMax) {
463 ! xx0 = xSegMax;
464 ! }
465 ! if (xx1 < xSegMin) {
466 ! xx1 = xSegMin;
467 ! } else if (xx1 > xSegMax) {
468 ! xx1 = xSegMax;
469 }
470 }
471 if (xx0 < xx1) {
|
