Bugzilla – Attachment 24191 Details for
Bug 59963
VUL-0: CVE-2004-0888: xpdf and code based on it
kpdf-CESA-2004-007.diff
kpdf-CESA-2004-007.diff (text/x-diff), 1.50 KB, created by
Thomas Biege
on 2004-09-29 18:12:07 UTC
Description:
kpdf-CESA-2004-007.diff
Filename:
MIME Type:
Creator:
Thomas Biege
Created:
2004-09-29 18:12:07 UTC
Size:
1.50 KB
patch
obsolete
>--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
>+++ XRef.cc 2004-09-18 00:16:56.000000000 -0700
>@@ -76,6 +76,12 @@
>
> // trailer is ok - read the xref table
> } else {
>+ if ((size*sizeof(XRefEntry))/sizeof(XRefEntry) != size) {
>+ error(-1, "Invalid 'size' inside xref table.");
>+ ok = gFalse;
>+ errCode = errDamaged;
>+ return;
>+ }
> entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
> for (i = 0; i < size; ++i) {
> entries[i].offset = 0xffffffff;
>@@ -415,6 +421,10 @@
> if (!strncmp(p, "obj", 3)) {
> if (num >= size) {
> newSize = (num + 1 + 255) & ~255;
>+ if ((newSize*sizeof(XRefEntry))/sizeof(XRefEntry) != newSize) {
>+ error(-1, "Invalid 'obj' parameters.");
>+ return gFalse;
>+ }
> entries = (XRefEntry *)
> grealloc(entries, newSize * sizeof(XRefEntry));
> for (i = size; i < newSize; ++i) {
>--- Catalog.cc.orig 2004-09-18 00:14:15.000000000 -0700
>+++ Catalog.cc 2004-09-18 00:21:16.000000000 -0700
>@@ -63,6 +63,12 @@
> }
> pagesSize = numPages0 = obj.getInt();
> obj.free();
>+ if ((pagesSize*sizeof(Page *))/sizeof(Page *) != pagesSize ||
>+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
>+ error(-1, "Invalid 'pagesSize'");
>+ ok = gFalse;
>+ return;
>+ }
> pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
> pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
> for (i = 0; i < pagesSize; ++i) {
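Review bot: The guard added in the first XRef.cc hunk, `(size*sizeof(XRefEntry))/sizeof(XRefEntry) != size`, rejects a negative `size` only as a side effect of the implicit conversion to an unsigned type, which is hard to audit and depends on a declaration that is outside the hunk (this assumes `size` is a signed int). Stating both bounds explicitly would make the intent reviewable, for example `if (size < 0 || (size_t)size > SIZE_MAX / sizeof(XRefEntry))`. The check also bounds only the byte count, so a very large count that does not wrap still goes to gmalloc; whether gmalloc fails safely is not visible here. The same divide-back idiom is repeated in the second XRef.cc hunk and in Catalog.cc, so one shared checked-allocation helper would keep the three sites from drifting apart.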
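Review bot: In the second XRef.cc hunk the new check covers only `newSize * sizeof(XRefEntry)`, but the addition in `newSize = (num + 1 + 255) & ~255;` one line above can itself overflow when `num` is close to the maximum of its type, so the check then runs on an already-wrapped value. Bounding `num` before the rounding closes that gap, e.g. `if (num < 0 || num > INT_MAX - 256) { error(-1, "Invalid 'obj' parameters."); return gFalse; }`, assuming `num` is an int (its declaration is outside the hunk). The enclosing function starts and ends outside the hunk, so how `num` is parsed and later used as an index should be confirmed there.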
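Review bot: In the Catalog.cc hunk the early `return` leaves `pagesSize` holding the rejected value while `pages` and `pageRefs` were never allocated. If any code outside this hunk (cleanup or a page accessor) iterates up to `pagesSize`, it would walk arrays that do not exist. Resetting the count on the error path avoids relying on every caller checking `ok` first: add `pagesSize = 0;` before `ok = gFalse;`. The bare `return` may also skip cleanup that the function's other error paths perform; the function begins and ends outside the hunk, so that should be checked against them. The first XRef.cc hunk has the same shape with `size` and `entries`.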