Attachment 23923 Details for Bug 59963

[patch] The patch for the issues in the advisory

xpdf-CESA-2004-007.diff (text/plain), 1.41 KB, created by Sebastian Krahmer on 2004-09-24 17:15:53 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sebastian Krahmer

Created: 2004-09-24 17:15:53 UTC

Size: 1.41 KB

patch

obsolete

>--- XRef.cc.orig	2004-09-17 23:54:38.000000000 -0700
>+++ XRef.cc	2004-09-18 00:16:56.000000000 -0700
>@@ -76,6 +76,12 @@
> 
>   // trailer is ok - read the xref table
>   } else {
>+    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
>+      error(-1, "Invalid 'size' inside xref table.");
>+      ok = gFalse;
>+      errCode = errDamaged;
>+      return;
>+    }
>     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
>     for (i = 0; i < size; ++i) {
>       entries[i].offset = 0xffffffff;
>@@ -410,6 +416,10 @@
> 	    if (!strncmp(p, "obj", 3)) {
> 	      if (num >= size) {
> 		newSize = (num + 1 + 255) & ~255;
>+	        if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
>+	          error(-1, "Invalid 'obj' parameters.");
>+	          return gFalse;
>+	        }
> 		entries = (XRefEntry *)
> 		            grealloc(entries, newSize * sizeof(XRefEntry));
> 		for (i = size; i < newSize; ++i) {
>--- Catalog.cc.orig	2004-09-18 00:14:15.000000000 -0700
>+++ Catalog.cc	2004-09-18 00:21:16.000000000 -0700
>@@ -63,6 +63,12 @@
>   }
>   pagesSize = numPages0 = obj.getInt();
>   obj.free();
>+  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
>+      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
>+    error(-1, "Invalid 'pagesSize'");
>+    ok = gFalse;
>+    return;
>+  }
>   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
>   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
>   for (i = 0; i < pagesSize; ++i) {

Actions: View | Diff

Attachments on bug 59963: 23923 | 24191 | 24366 | 24854