[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-commits
Subject: KDE_3_3_BRANCH: kdegraphics/kpdf/xpdf
From: Stephan Kulow <coolo () kde ! org>
Date: 2004-10-12 19:41:07
Message-ID: 20041012194107.A3DA716C39 () office ! kde ! org
[Download RAW message or body]
CVS commit by coolo:
patch applied to the tar ball
M +85 -49 XRef.cc 1.3.4.2
--- kdegraphics/kpdf/xpdf/XRef.cc #1.3.4.1:1.3.4.2
@@ -97,5 +97,5 @@ ObjectStream::ObjectStream(XRef *xref, i
nObjects = obj1.getInt();
obj1.free();
- if (nObjects == 0) {
+ if (nObjects <= 0) {
goto err1;
}
@@ -107,4 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, i
first = obj1.getInt();
obj1.free();
+ if (first < 0) {
+ goto err1;
+ }
objs = new Object[nObjects];
@@ -131,4 +134,10 @@ ObjectStream::ObjectStream(XRef *xref, i
obj1.free();
obj2.free();
+ if (objNums[i] < 0 || offsets[i] < 0 ||
+ (i > 0 && offsets[i] < offsets[i-1])) {
+ delete parser;
+ gfree(offsets);
+ goto err1;
+ }
}
while (str->getChar() != EOF) ;
@@ -370,8 +379,14 @@ GBool XRef::readXRefTable(Parser *parser
n = obj.getInt();
obj.free();
+ if (first < 0 || n < 0 || first + n < 0) {
+ goto err1;
+ }
if (first + n > size) {
for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
newSize <<= 1) ;
+ if (newSize < 0) {
+ goto err1;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -444,5 +459,5 @@ GBool XRef::readXRefTable(Parser *parser
// check for an 'XRefStm' key
if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
- pos2 = obj2.getInt();
+ pos2 = (Guint)obj2.getInt();
readXRef(&pos2);
if (!ok) {
@@ -475,4 +490,7 @@ GBool XRef::readXRefStream(Stream *xrefS
newSize = obj.getInt();
obj.free();
+ if (newSize < 0) {
+ goto err1;
+ }
if (newSize > size) {
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
@@ -495,4 +513,7 @@ GBool XRef::readXRefStream(Stream *xrefS
w[i] = obj2.getInt();
obj2.free();
+ if (w[i] < 0 || w[i] > 4) {
+ goto err1;
+ }
}
obj.free();
@@ -514,5 +535,6 @@ GBool XRef::readXRefStream(Stream *xrefS
n = obj.getInt();
obj.free();
- if (!readXRefStreamSection(xrefStr, w, first, n)) {
+ if (first < 0 || n < 0 ||
+ !readXRefStreamSection(xrefStr, w, first, n)) {
idx.free();
goto err0;
@@ -520,5 +542,5 @@ GBool XRef::readXRefStream(Stream *xrefS
}
} else {
- if (!readXRefStreamSection(xrefStr, w, 0, size)) {
+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
idx.free();
goto err0;
@@ -552,8 +574,14 @@ GBool XRef::readXRefStreamSection(Stream
int type, gen, c, newSize, i, j;
+ if (first + n < 0) {
+ return gFalse;
+ }
if (first + n > size) {
for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
newSize <<= 1) ;
+ if (newSize < 0) {
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -586,4 +614,5 @@ GBool XRef::readXRefStreamSection(Stream
gen = (gen << 8) + c;
}
+ if (entries[i].offset == 0xffffffff) {
switch (type) {
case 0:
@@ -606,4 +635,5 @@ GBool XRef::readXRefStreamSection(Stream
}
}
+ }
return gTrue;
@@ -665,4 +695,5 @@ GBool XRef::constructXRef() {
} else if (isdigit(*p)) {
num = atoi(p);
+ if (num > 0) {
do {
++p;
@@ -684,4 +715,8 @@ GBool XRef::constructXRef() {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0) {
+ error(-1, "Bad object number");
+ return gFalse;
+ }
entries = (XRefEntry *)
grealloc(entries, newSize * sizeof(XRefEntry));
@@ -702,4 +737,5 @@ GBool XRef::constructXRef() {
}
}
+ }
} else if (!strncmp(p, "endstream", 9)) {
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic