CVS commit by coolo: patch applied to the tar ball M +85 -49 XRef.cc 1.3.4.2
--- kdegraphics/kpdf/xpdf/XRef.cc #1.3.4.1:1.3.4.2
@@ -97,5 +97,5 @@ ObjectStream::ObjectStream(XRef *xref, i
 nObjects = obj1.getInt();
 obj1.free();
- if (nObjects == 0) {
+ if (nObjects <= 0) {
 goto err1;
 }
@@ -107,4 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, i
 first = obj1.getInt();
 obj1.free();
+ if (first < 0) {
+ goto err1;
+ }
 objs = new Object[nObjects];
@@ -131,4 +134,10 @@ ObjectStream::ObjectStream(XRef *xref, i
 obj1.free();
 obj2.free();
+ if (objNums[i] < 0 || offsets[i] < 0 ||
+ (i > 0 && offsets[i] < offsets[i-1])) {
+ delete parser;
+ gfree(offsets);
+ goto err1;
+ }
 }
 while (str->getChar() != EOF) ;
@@ -370,8 +379,14 @@ GBool XRef::readXRefTable(Parser *parser
 n = obj.getInt();
 obj.free();
+ if (first < 0 || n < 0 || first + n < 0) {
+ goto err1;
+ }
 if (first + n > size) {
 for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
 newSize <<= 1) ;
+ if (newSize < 0) {
+ goto err1;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -444,5 +459,5 @@ GBool XRef::readXRefTable(Parser *parser
 // check for an 'XRefStm' key
 if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
- pos2 = obj2.getInt();
+ pos2 = (Guint)obj2.getInt();
 readXRef(&pos2);
 if (!ok) {
@@ -475,4 +490,7 @@ GBool XRef::readXRefStream(Stream *xrefS
 newSize = obj.getInt();
 obj.free();
+ if (newSize < 0) {
+ goto err1;
+ }
 if (newSize > size) {
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
@@ -495,4 +513,7 @@ GBool XRef::readXRefStream(Stream *xrefS
 w[i] = obj2.getInt();
 obj2.free();
+ if (w[i] < 0 || w[i] > 4) {
+ goto err1;
+ }
 }
 obj.free();
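Review bot: The new `nObjects <= 0` test in the @@ -97 hunk still admits any positive count, and `objs = new Object[nObjects]` two hunks later (plus the objNums/offsets arrays indexed in the @@ -131 hunk, whose allocation lies outside the diff) is sized directly from the attacker-controlled /N value; on a 32-bit build the element-size multiplication in those allocations can wrap, and on any build a huge count is a cheap memory-exhaustion vector. Add an upper bound next to the sign test, e.g. `if (nObjects <= 0 || nObjects > INT_MAX / (int)sizeof(Object)) goto err1;`, or better a cap tied to the stream length, since an object stream cannot hold more objects than it has bytes. ObjectStream's constructor starts and ends outside this hunk.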
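Review bot: In the @@ -131 hunk, `offsets[i] < 0` is a no-op if `offsets` is an array of `Guint`, which the `(Guint)` cast this same patch adds in the XRefStm hunk suggests is the type used for stream positions here; a negative /Offset from getInt() would already have been stored as a large unsigned value by the time the comparison runs, and only the monotonicity clause could catch it, and not for i == 0. Test the signed value before it is stored, `if (obj2.getInt() < 0) goto err1;` ahead of the assignment (the assignment and the array's declaration lie outside the hunk). The monotonicity test also does not bound `first + offsets[i]` against the stream length, so the later seek presumably still has to fail safely on its own, worth confirming. The enclosing loop starts outside the hunk.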
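Review bot: The overflow guards added in the @@ -370 hunk, `first + n < 0`, the `newSize > 0` loop bound and the `newSize < 0` test after the doubling loop, detect overflow by observing a negative result of signed arithmetic, which is undefined behaviour in C++; an optimizer may assume `first + n >= 0` once both operands passed the sign checks and delete the test, and shifting a positive int into the sign bit has the same problem. The same pattern is added in the @@ -552 hunk (readXRefStreamSection) and the @@ -684 hunk (`(num + 1 + 255) & ~255`). Test before the operation instead, e.g. `if (first < 0 || n < 0 || n > INT_MAX - first) goto err1;` and, in the doubling loop, stop when `newSize > INT_MAX / 2` before shifting. Even then `newSize * sizeof(XRefEntry)` is computed in size_t and can still wrap on a 32-bit build for a large positive newSize, so cap newSize at `INT_MAX / sizeof(XRefEntry)` or give grealloc a count-and-element-size form that checks the product. readXRefTable's body continues on both sides of the hunk.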
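Review bot: Casting a negative XRefStm value to Guint in the @@ -444 hunk turns it into a position near 4 GiB rather than rejecting it; whether that is harmless depends on readXRef bounding the position against the file length, which is not visible here. A direct test is clearer than relying on that downstream check, e.g. `if (obj2.getInt() < 0) { obj2.free(); goto err1; }` ahead of the cast, with the cleanup label adjusted to whichever one readXRefTable uses at this point, since that is outside the hunk. The function continues outside the hunk.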
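Review bot: In the @@ -475 hunk `newSize` comes straight from the xref stream's /Size and the new check only rejects negatives, so a value near INT_MAX still reaches `grealloc(entries, newSize * sizeof(XRefEntry))` on the next line: tens of gigabytes on a 64-bit build, and a wrapped, too-small allocation on a 32-bit one that the initialization writes to entries[i] (presumably following, as in the other hunks) would then overrun. A document cannot legitimately reference more objects than it has bytes, so bound it, e.g. `if (newSize < 0 || newSize > INT_MAX / (int)sizeof(XRefEntry)) goto err1;`, plus a sanity cap relative to the file size if XRef has access to it. The same unbounded growth remains in the doubling loops of the @@ -370 and @@ -552 hunks once their sign checks pass. readXRefStream's body continues outside the hunk.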
@@ -514,5 +535,6 @@ GBool XRef::readXRefStream(Stream *xrefS
 n = obj.getInt();
 obj.free();
- if (!readXRefStreamSection(xrefStr, w, first, n)) {
+ if (first < 0 || n < 0 ||
+ !readXRefStreamSection(xrefStr, w, first, n)) {
 idx.free();
 goto err0;
@@ -520,5 +542,5 @@ GBool XRef::readXRefStream(Stream *xrefS
 }
 } else {
- if (!readXRefStreamSection(xrefStr, w, 0, size)) {
+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
 idx.free();
 goto err0;
@@ -552,8 +574,14 @@ GBool XRef::readXRefStreamSection(Stream
 int type, gen, c, newSize, i, j;
+ if (first + n < 0) {
+ return gFalse;
+ }
 if (first + n > size) {
 for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
 newSize <<= 1) ;
+ if (newSize < 0) {
+ return gFalse;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -586,4 +614,5 @@ GBool XRef::readXRefStreamSection(Stream
 gen = (gen << 8) + c;
 }
+ if (entries[i].offset == 0xffffffff) {
 switch (type) {
 case 0:
@@ -606,4 +635,5 @@ GBool XRef::readXRefStreamSection(Stream
 }
 }
+ }
 return gTrue;
@@ -665,4 +695,5 @@ GBool XRef::constructXRef() {
 } else if (isdigit(*p)) {
 num = atoi(p);
+ if (num > 0) {
 do {
 ++p;
@@ -684,4 +715,8 @@ GBool XRef::constructXRef() {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0) {
+ error(-1, "Bad object number");
+ return gFalse;
+ }
 entries = (XRefEntry *)
 grealloc(entries, newSize * sizeof(XRefEntry));
@@ -702,4 +737,5 @@ GBool XRef::constructXRef() {
 }
 }
+ }
 } else if (!strncmp(p, "endstream", 9)) {
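Review bot: The `if (entries[i].offset == 0xffffffff) {` added in the @@ -586 hunk wraps the whole `switch` without re-indenting it, and its closing brace lands in the @@ -606 hunk as a bare `}` at an unrelated depth, so a reader gets no visual cue that the switch is now conditional; the `if (num > 0) {` / `}` pair in the @@ -665 and @@ -702 hunks has the same shape. Either re-indent the wrapped body in the same commit or, if keeping the diff small was the goal, state the intent on the new line, along the lines of `// only fill entries still unset (0xffffffff looks like the 'unset' marker); an earlier section takes precedence` — the sentinel's meaning is inferred from this comparison alone, so confirm it against the initialization loop before using that wording. The `for` loop enclosing this code begins and ends outside the hunk.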
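Review bot: In the @@ -665 hunk `num = atoi(p)` reports no errors and overflows silently (undefined behaviour) on a long digit run, and the new `num > 0` guard together with the `newSize < 0` test in the @@ -684 hunk still lets any positive number through to `grealloc(entries, newSize * sizeof(XRefEntry))`, so a single oversized `N 0 obj` token in a file with a damaged xref table makes the reconstruction path attempt a multi-gigabyte allocation. Parse with `strtol` and check `errno` and the end pointer, and cap `num` at a maximum object number the reader is willing to reconstruct; the xref-table and xref-stream paths should enforce the same cap so a file cannot route around it through this fallback. `error(-1, "Bad object number")` is the right place to report the rejection. constructXRef's scanning loop starts and ends outside these hunks.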