'KOFFICE_1_3_BRANCH: koffice/filters/kword/pdf/xpdf/xpdf'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-commits
Subject:    KOFFICE_1_3_BRANCH: koffice/filters/kword/pdf/xpdf/xpdf
From:       Nicolas Goutte <nicolasg () snafu ! de>
Date:       2004-10-30 16:07:00
Message-ID: 20041030160700.2EC3B16B79 () office ! kde ! org
[Download RAW message or body]

CVS commit by goutte: 

SECURITY: strong fix for xpdf integer overflow
(without signed/unsigned mismatch; backport)


  M +5 -5      Catalog.cc   1.1.2.3
  M +5 -5      XRef.cc   1.1.2.3


--- koffice/filters/kword/pdf/xpdf/xpdf/Catalog.cc  #1.1.2.2:1.1.2.3
@@ -13,6 +13,6 @@
 #endif
 
-#include <stddef.h>
 #include <limits.h>
+#include <stddef.h>
 #include "gmem.h"
 #include "Object.h"
@@ -65,6 +65,6 @@ Catalog::Catalog(XRef *xrefA) {
   pagesSize = numPages0 = obj.getInt();
   obj.free();
-  if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
-      (pagesSize >= INT_MAX / sizeof(Ref))) {
+  if (pagesSize >= INT_MAX / (signed) sizeof(Page *) ||
+      pagesSize >= INT_MAX / (signed) sizeof(Ref)) {
     error(-1, "Invalid 'pagesSize'");
     ok = gFalse;
@@ -198,6 +198,6 @@ int Catalog::readPageTree(Dict *pagesDic
       if (start >= pagesSize) {
         pagesSize += 32;
-        if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
-            (pagesSize >= INT_MAX / sizeof(Ref))) {
+        if (pagesSize >= INT_MAX / (signed) sizeof(Page *) ||
+            pagesSize >= INT_MAX / (signed) sizeof(Ref)) {
           error(-1, "Invalid 'pagesSize' parameter.");
           goto err3;

--- koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc  #1.1.2.2:1.1.2.3
@@ -13,9 +13,9 @@
 #endif
 
+#include <limits.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
 #include <ctype.h>
-#include <limits.h>
 #include "gmem.h"
 #include "Object.h"
@@ -78,5 +78,5 @@ XRef::XRef(BaseStream *strA, GString *ow
   // trailer is ok - read the xref table
   } else {
-    if (size >= INT_MAX / sizeof(XRefEntry)) {
+    if (size >= INT_MAX / (signed) sizeof(XRefEntry)) {
       error(-1, "Invalid 'size' inside xref table.");
       ok = gFalse;
@@ -275,5 +275,5 @@ GBool XRef::readXRef(Guint *pos) {
     if (first + n > size) {
       newSize = size + 256;
-      if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+      if (newSize >= INT_MAX / (signed) sizeof(XRefEntry)) {
         error(-1, "Invalid 'newSize'");
         goto err2;
@@ -422,5 +422,5 @@ GBool XRef::constructXRef() {
               if (num >= size) {
                 newSize = (num + 1 + 255) & ~255;
-                if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+                if (newSize >= INT_MAX / (signed) sizeof(XRefEntry)) {
                   error(-1, "Invalid 'obj' parameters.");
                   return gFalse;
@@ -447,5 +447,5 @@ GBool XRef::constructXRef() {
       if (streamEndsLen == streamEndsSize) {
         streamEndsSize += 64;
-        if (streamEndsSize >= INT_MAX / sizeof(int)) {
+        if (streamEndsSize >= INT_MAX / (signed) sizeof(int)) {
           error(-1, "Invalid 'endstream' parameter.");
           return gFalse;


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic