List: kde-commits
Subject: KDE_3_3_BRANCH: kdegraphics/kpdf/xpdf
From: Dirk Mueller <mueller () kde ! org>
Date: 2004-10-22 18:09:53
Message-ID: 20041022180953.0AFD416C3E () office ! kde ! org
CVS commit by mueller:
fix integer overflows, patch by Than Ngo
M +14 -0 Catalog.cc 1.3.4.2
M +26 -0 XRef.cc 1.3.4.3
--- kdegraphics/kpdf/xpdf/Catalog.cc #1.3.4.1:1.3.4.2
@@ -65,4 +65,13 @@ Catalog::Catalog(XRef *xrefA) {
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
+ // The gcc doesnt optimize this away, so this check is ok,
+ // even if it looks like a pagesSize != pagesSize check
+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
+
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
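Review bot: The multiply-then-divide test on `pagesSize` only detects wrap-around in `size_t`, so where `size_t` is wider than `int` it can never fire for a positive count, and it runs after the `(int)obj.getNum()` cast, which is already undefined for a value outside the `int` range. If `gmalloc`/`grealloc` take an `int` size (their prototypes are not visible here), the product can still be truncated at the call even though the guard passed. An explicit bound states the intent without depending on type widths, e.g. `if (pagesSize < 0 || pagesSize >= INT_MAX / (int)sizeof(Ref)) {`, using whichever of the two element sizes is larger. The same idiom is repeated in the readPageTree hunk and in every XRef.cc hunk of this commit. The constructor body continues outside the hunk.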
@@ -192,4 +201,9 @@ int Catalog::readPageTree(Dict *pagesDic
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
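Review bot: `pagesSize += 32` is applied before the new guard, so when the guard fails and control goes to `err3` the member already reports 32 more slots than `pages` and `pageRefs` actually hold. Any later code that trusts `pagesSize` as the array bound could then index past the allocation; whether `err3` or the callers prevent that is outside this hunk. Computing the candidate first with `int newPagesSize = pagesSize + 32;`, checking it, and assigning `pagesSize = newPagesSize;` only after both `grealloc` calls keeps the size and the buffers consistent. The `streamEndsSize += 64` hunk in XRef::constructXRef has the same ordering.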
--- kdegraphics/kpdf/xpdf/XRef.cc #1.3.4.2:1.3.4.3
@@ -111,4 +111,9 @@ ObjectStream::ObjectStream(XRef *xref, i
}
+ if (nObjects*sizeof(int)/sizeof(int) != nObjects) {
+ error(-1, "Invalid 'nObjects'");
+ goto err1;
+ }
+
objs = new Object[nObjects];
objNums = (int *)gmalloc(nObjects * sizeof(int));
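Review bot: The guard bounds `nObjects * sizeof(int)`, but the first allocation after it is `new Object[nObjects]`, whose element is very likely larger than an `int` (the definition of `Object` is not visible here). A count that passes the `int` test can therefore still overflow the size computed for the array-new expression on compilers that do not check it. Testing against the larger element covers both allocations: `if (nObjects < 0 || nObjects >= INT_MAX / (int)sizeof(Object)) {`. The constructor starts and ends outside the hunk.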
@@ -389,4 +394,9 @@ GBool XRef::readXRefTable(Parser *parser
goto err1;
}
+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'obj' parameters'");
+ goto err1;
+ }
+
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
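Review bot: The string in the added `error()` call ends with a stray quote after `parameters`; `error(-1, "Invalid 'obj' parameters.");` would match the wording used for the same test in the first constructXRef hunk. The identical `newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize` expression is pasted into four functions in this file, so a small static helper taking the count and the element size would keep the checks and their messages from drifting apart. readXRefTable continues outside the hunk.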
@@ -494,4 +504,8 @@ GBool XRef::readXRefStream(Stream *xrefS
}
if (newSize > size) {
+ if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'size' parameter.");
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -584,4 +598,8 @@ GBool XRef::readXRefStreamSection(Stream
return gFalse;
}
+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'size' inside xref table.");
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -719,4 +737,8 @@ GBool XRef::constructXRef() {
return gFalse;
}
+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries = (XRefEntry *)
grealloc(entries, newSize * sizeof(XRefEntry));
@@ -742,4 +764,8 @@ GBool XRef::constructXRef() {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
streamEnds = (Guint *)grealloc(streamEnds,
streamEndsSize * sizeof(int));