1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
--- libs/xpdf/xpdf/XRef.cc.orig Thu Jan 6 10:31:51 2005
+++ libs/xpdf/xpdf/XRef.cc Thu Jan 6 10:30:39 2005
@@ -28,6 +28,7 @@
#include "Error.h"
#include "ErrorCodes.h"
#include "XRef.h"
+#include <limits.h>
//------------------------------------------------------------------------
@@ -388,6 +389,10 @@
if (newSize < 0) {
goto err1;
}
+ if ( newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize' inside xref table.");
+ goto err1;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
@@ -492,6 +497,10 @@
if (newSize < 0) {
goto err1;
}
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err1;
+ }
if (newSize > size) {
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -583,6 +592,10 @@
if (newSize < 0) {
return gFalse;
}
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
@@ -741,6 +754,10 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
streamEnds = (Guint *)grealloc(streamEnds,
streamEndsSize * sizeof(int));
}
|
