Attachment #24853 for bug #58082

View | Details | Raw Unified | Return to bug 58082
Collapse All | Expand All

Lines 107-112 Link Here

(-)XRef.cc.orig (+24 lines)
107	first = obj1.getInt();	107	first = obj1.getInt();
108	obj1.free();	108	obj1.free();
109		109
		110	if (nObjects*sizeof(int)/sizeof(int) != nObjects) {
		111	error(-1, "Invalid 'nObjects'");
		112	goto err1;
		113	}
110	objs = new Object[nObjects];	114	objs = new Object[nObjects];
111	objNums = (int )gmalloc(nObjects sizeof(int));	115	objNums = (int )gmalloc(nObjects sizeof(int));
112	offsets = (int )gmalloc(nObjects sizeof(int));	116	offsets = (int )gmalloc(nObjects sizeof(int));
Lines 373-378 Link Here
373	for (newSize = size ? 2 * size : 1024;	377	for (newSize = size ? 2 * size : 1024;
374	first + n > newSize;	378	first + n > newSize;
375	newSize <<= 1) ;	379	newSize <<= 1) ;
		380	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		381	error(-1, "Invalid 'obj' parameters'");
		382	return gFalse;
		383	}
376	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	384	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
377	for (i = size; i < newSize; ++i) {	385	for (i = size; i < newSize; ++i) {
378	entries[i].offset = 0xffffffff;	386	entries[i].offset = 0xffffffff;
Lines 475-480 Link Here
475	newSize = obj.getInt();	483	newSize = obj.getInt();
476	obj.free();	484	obj.free();
477	if (newSize > size) {	485	if (newSize > size) {
		486	if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		487	error(-1, "Invalid 'size' parameter.");
		488	return gFalse;
		489	}
478	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	490	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
479	for (i = size; i < newSize; ++i) {	491	for (i = size; i < newSize; ++i) {
480	entries[i].offset = 0xffffffff;	492	entries[i].offset = 0xffffffff;
Lines 555-560 Link Here
555	for (newSize = size ? 2 * size : 1024;	567	for (newSize = size ? 2 * size : 1024;
556	first + n > newSize;	568	first + n > newSize;
557	newSize <<= 1) ;	569	newSize <<= 1) ;
		570	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		571	error(-1, "Invalid 'size' inside xref table.");
		572	return gFalse;
		573	}
558	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	574	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
559	for (i = size; i < newSize; ++i) {	575	for (i = size; i < newSize; ++i) {
560	entries[i].offset = 0xffffffff;	576	entries[i].offset = 0xffffffff;
Lines 683-688 Link Here
683	if (!strncmp(p, "obj", 3)) {	699	if (!strncmp(p, "obj", 3)) {
684	if (num >= size) {	700	if (num >= size) {
685	newSize = (num + 1 + 255) & ~255;	701	newSize = (num + 1 + 255) & ~255;
		702	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		703	error(-1, "Invalid 'obj' parameters.");
		704	return gFalse;
		705	}
686	entries = (XRefEntry *)	706	entries = (XRefEntry *)
687	grealloc(entries, newSize * sizeof(XRefEntry));	707	grealloc(entries, newSize * sizeof(XRefEntry));
688	for (i = size; i < newSize; ++i) {	708	for (i = size; i < newSize; ++i) {
Lines 705-710 Link Here
705	} else if (!strncmp(p, "endstream", 9)) {	725	} else if (!strncmp(p, "endstream", 9)) {
706	if (streamEndsLen == streamEndsSize) {	726	if (streamEndsLen == streamEndsSize) {
707	streamEndsSize += 64;	727	streamEndsSize += 64;
		728	if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
		729	error(-1, "Invalid 'endstream' parameter.");
		730	return gFalse;
		731	}
708	streamEnds = (Guint *)grealloc(streamEnds,	732	streamEnds = (Guint *)grealloc(streamEnds,
709	streamEndsSize * sizeof(int));	733	streamEndsSize * sizeof(int));
710	}	734	}

Lines 64-69 Link Here

(-)Catalog.cc.orig (+13 lines)
64	}	64	}
65	pagesSize = numPages0 = (int)obj.getNum();	65	pagesSize = numPages0 = (int)obj.getNum();
66	obj.free();	66	obj.free();
		67	// The gcc doesnt optimize this away, so this check is ok,
		68	// even if it looks like a pagesSize != pagesSize check
		69	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		70	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		71	error(-1, "Invalid 'pagesSize'");
		72	ok = gFalse;
		73	return;
		74	}
		75
67	pages = (Page *)gmalloc(pagesSize sizeof(Page *));	76	pages = (Page *)gmalloc(pagesSize sizeof(Page *));
68	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));	77	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));
69	for (i = 0; i < pagesSize; ++i) {	78	for (i = 0; i < pagesSize; ++i) {
Lines 191-196 Link Here
191	}	200	}
192	if (start >= pagesSize) {	201	if (start >= pagesSize) {
193	pagesSize += 32;	202	pagesSize += 32;
		203	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize) {
		204	error(-1, "Invalid 'pagesSize' parameter.");
		205	goto err3;
		206	}
194	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));	207	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));
195	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));	208	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));
196	for (j = pagesSize - 32; j < pagesSize; ++j) {	209	for (j = pagesSize - 32; j < pagesSize; ++j) {

Return to bug 58082