From kde-commits Fri Oct 22 18:09:53 2004 From: Dirk Mueller Date: Fri, 22 Oct 2004 18:09:53 +0000 To: kde-commits Subject: KDE_3_3_BRANCH: kdegraphics/kpdf/xpdf Message-Id: <20041022180953.0AFD416C3E () office ! kde ! org> X-MARC-Message: https://marc.info/?l=kde-commits&m=109846862900300 CVS commit by mueller: fix integer overflows, patch by Than Ngo M +14 -0 Catalog.cc 1.3.4.2 M +26 -0 XRef.cc 1.3.4.3 --- kdegraphics/kpdf/xpdf/Catalog.cc #1.3.4.1:1.3.4.2 @@ -65,4 +65,13 @@ Catalog::Catalog(XRef *xrefA) { pagesSize = numPages0 = (int)obj.getNum(); obj.free(); + // The gcc doesnt optimize this away, so this check is ok, + // even if it looks like a pagesSize != pagesSize check + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; + } + pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); @@ -192,4 +201,9 @@ int Catalog::readPageTree(Dict *pagesDic if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); --- kdegraphics/kpdf/xpdf/XRef.cc #1.3.4.2:1.3.4.3 @@ -111,4 +111,9 @@ ObjectStream::ObjectStream(XRef *xref, i } + if (nObjects*sizeof(int)/sizeof(int) != nObjects) { + error(-1, "Invalid 'nObjects'"); + goto err1; + } + objs = new Object[nObjects]; objNums = (int *)gmalloc(nObjects * sizeof(int)); @@ -389,4 +394,9 @@ GBool XRef::readXRefTable(Parser *parser goto err1; } + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'obj' parameters'"); + goto err1; + } + entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { 
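Review bot: The guard added in `Catalog::Catalog` is a multiply-then-divide round trip on mixed `int`/`size_t` operands, and the same expression is pasted before every allocation this commit touches (readPageTree, ObjectStream, readXRefTable, readXRefStream, readXRefStreamSection and both sites in constructXRef). It does reject wrapping and negative counts, but only through implicit conversion to the unsigned type of `sizeof`, which the added comment about gcc does not explain; one helper that states the rule would make each site reviewable and keep the element size in a single argument. Separately, `pagesSize` comes from `(int)obj.getNum()`, so if `getNum()` returns a floating-point value, an out-of-range number is converted before this test runs and should be range-checked first. The constructor body continues outside the hunk, so whether the bare `return` skips cleanup done by other failure paths could not be checked here.

```cpp
// True when `count` elements of `elemSize` bytes can be sized without
// wrapping; negative counts are rejected explicitly.
static GBool allocCountOk(int count, size_t elemSize) {
  return count >= 0 && (size_t)count <= ((size_t)-1) / elemSize;
}

// … unchanged: pagesSize = numPages0 = (int)obj.getNum(); obj.free(); …
if (!allocCountOk(pagesSize, sizeof(Page *)) ||
    !allocCountOk(pagesSize, sizeof(Ref))) {
  // … unchanged: error(), ok = gFalse, return …
}
```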
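Review bot: In `Catalog::readPageTree`, `pagesSize += 32` runs before the new test, so when the test fails and control goes to `err3`, `pagesSize` is already 32 larger than the `pages` and `pageRefs` arrays, and the signed addition itself is not guarded. Any later code that uses `pagesSize` as the array bound (cleanup code, for instance; not visible in this hunk) would then read past the allocation. Validate a temporary and commit it only after both `grealloc` calls, e.g. `if (pagesSize > INT_MAX - 32) goto err3;` (needs `<limits.h>`) followed by `int newPagesSize = pagesSize + 32;`. The second constructXRef hunk has the same ordering with `streamEndsSize += 64`.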
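Review bot: The new test in `ObjectStream::ObjectStream` sizes the count against `sizeof(int)` only, yet the very next line is `objs = new Object[nObjects]`, whose byte size depends on `sizeof(Object)`. If `Object` is wider than `int` (its definition is not on this page), a count that passes this test can still wrap the array-new size on toolchains that do not check it themselves. Extend the condition with `nObjects*sizeof(Object)/sizeof(Object) != nObjects`, or test against the largest element type allocated from `nObjects`. The constructor continues outside the hunk, so other buffers sized from `nObjects` may need the same guard.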
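Review bot: The message added in `XRef::readXRefTable`, `"Invalid 'obj' parameters'"`, has a stray closing quote and does not name the value that was tested. The four `newSize` guards in XRef.cc (readXRefTable, readXRefStream, readXRefStreamSection, constructXRef) report the same condition with four different texts, which makes a rejected file harder to triage from logs. A single wording such as `error(-1, "Invalid xref table size");` at each site would do.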
@@ -494,4 +504,8 @@ GBool XRef::readXRefStream(Stream *xrefS
 }
 if (newSize > size) {
+ if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'size' parameter.");
+ return gFalse;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -584,4 +598,8 @@ GBool XRef::readXRefStreamSection(Stream
 return gFalse;
 }
+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'size' inside xref table.");
+ return gFalse;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -719,4 +737,8 @@ GBool XRef::constructXRef() {
 return gFalse;
 }
+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
 entries = (XRefEntry *)
 grealloc(entries, newSize * sizeof(XRefEntry));
@@ -742,4 +764,8 @@ GBool XRef::constructXRef() {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
+ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
 streamEnds = (Guint *)grealloc(streamEnds,
 streamEndsSize * sizeof(int));
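Review bot: In the second `XRef::constructXRef` hunk the guard and the `grealloc` call both size the `Guint *` array with `sizeof(int)`, so they stay correct only while the two types have the same width. Using `sizeof(Guint)` in both, i.e. `if (streamEndsSize*sizeof(Guint)/sizeof(Guint) != streamEndsSize) {`, ties the guard to the element type actually stored. The enclosing loop starts outside the hunk.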