[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-commits
Subject: KOFFICE_1_3_BRANCH: koffice/filters/kword/pdf/xpdf/xpdf
From: Nicolas Goutte <nicolasg () snafu ! de>
Date: 2004-10-30 16:07:00
Message-ID: 20041030160700.2EC3B16B79 () office ! kde ! org
[Download RAW message or body]
CVS commit by goutte:
SECURITY: strong fix for xpdf integer overflow
(without signed/unsigned mismatch; backport)
M +5 -5 Catalog.cc 1.1.2.3
M +5 -5 XRef.cc 1.1.2.3
--- koffice/filters/kword/pdf/xpdf/xpdf/Catalog.cc #1.1.2.2:1.1.2.3
@@ -13,6 +13,6 @@
#endif
-#include <stddef.h>
#include <limits.h>
+#include <stddef.h>
#include "gmem.h"
#include "Object.h"
@@ -65,6 +65,6 @@ Catalog::Catalog(XRef *xrefA) {
pagesSize = numPages0 = obj.getInt();
obj.free();
- if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
- (pagesSize >= INT_MAX / sizeof(Ref))) {
+ if (pagesSize >= INT_MAX / (signed) sizeof(Page *) ||
+ pagesSize >= INT_MAX / (signed) sizeof(Ref)) {
error(-1, "Invalid 'pagesSize'");
ok = gFalse;
@@ -198,6 +198,6 @@ int Catalog::readPageTree(Dict *pagesDic
if (start >= pagesSize) {
pagesSize += 32;
- if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
- (pagesSize >= INT_MAX / sizeof(Ref))) {
+ if (pagesSize >= INT_MAX / (signed) sizeof(Page *) ||
+ pagesSize >= INT_MAX / (signed) sizeof(Ref)) {
error(-1, "Invalid 'pagesSize' parameter.");
goto err3;
--- koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc #1.1.2.2:1.1.2.3
@@ -13,9 +13,9 @@
#endif
+#include <limits.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
-#include <limits.h>
#include "gmem.h"
#include "Object.h"
@@ -78,5 +78,5 @@ XRef::XRef(BaseStream *strA, GString *ow
// trailer is ok - read the xref table
} else {
- if (size >= INT_MAX / sizeof(XRefEntry)) {
+ if (size >= INT_MAX / (signed) sizeof(XRefEntry)) {
error(-1, "Invalid 'size' inside xref table.");
ok = gFalse;
@@ -275,5 +275,5 @@ GBool XRef::readXRef(Guint *pos) {
if (first + n > size) {
newSize = size + 256;
- if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+ if (newSize >= INT_MAX / (signed) sizeof(XRefEntry)) {
error(-1, "Invalid 'newSize'");
goto err2;
@@ -422,5 +422,5 @@ GBool XRef::constructXRef() {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
- if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+ if (newSize >= INT_MAX / (signed) sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters.");
return gFalse;
@@ -447,5 +447,5 @@ GBool XRef::constructXRef() {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
- if (streamEndsSize >= INT_MAX / sizeof(int)) {
+ if (streamEndsSize >= INT_MAX / (signed) sizeof(int)) {
error(-1, "Invalid 'endstream' parameter.");
return gFalse;
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic