Bugzilla – Attachment 60265 Details for Bug 137156 – VUL-0: CVE-2005-3193: xpdf: overflows
[patch] Overflows found by Chris Evans
chris-evans-overflows.diff (text/plain), 1.43 KB, created by Dirk Mueller on 2005-12-12 09:59:31 UTC
>--- xpdf/JBIG2Stream.cc (revision 487837) >+++ xpdf/JBIG2Stream.cc (working copy) >@@ -7,6 +7,7 @@ > //======================================================================== > > #include <aconf.h> >+#include <limits.h> > > #ifdef USE_GCC_PRAGMAS > #pragma implementation >@@ -2305,6 +2306,11 @@ void JBIG2Stream::readHalftoneRegionSeg( > error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); > return; > } >+ if ( gridW < 0 || gridH < 0 || gridW >= INT_MAX / gridH || gridH >= INT_MAX / gridW) { >+ error(getPos(), "Bad size in JBIG2 halftone segment"); >+ return; >+ } >+ > patternDict = (JBIG2PatternDict *)seg; > bpp = 0; > i = 1; >--- xpdf/Stream.cc (revision 487837) >+++ xpdf/Stream.cc (working copy) >@@ -1277,7 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s > endOfLine = endOfLineA; > byteAlign = byteAlignA; > columns = columnsA; >- if (columns < 1) { >+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) { > columns = 1; > } > rows = rowsA; >@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() { > while (length > 0) { > index = str->getChar(); > --length; >- if ((index & 0x0f) >= 4) { >+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { > error(getPos(), "Bad DCT Huffman table"); > return gFalse; > } > if (index & 0x10) { >- index &= 0x0f; >+ index &= 0x03; > if (index >= numACHuffTables) > numACHuffTables = index+1; > tbl = &acHuffTables[index];
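Review bot: In the readHalftoneRegionSeg hunk of xpdf/JBIG2Stream.cc, the new guard can itself divide by zero: `gridW < 0 || gridH < 0` lets a zero value through, and the next two terms evaluate `INT_MAX / gridH` and `INT_MAX / gridW`. Test for zero before dividing, for example `gridW <= 0 || gridH <= 0 || gridW >= INT_MAX / gridH`; once both operands are known to be positive, the fourth term is redundant and can be dropped. If gridW and gridH are declared unsigned, the `< 0` tests never fire and should become `== 0` tests.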
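Review bot: In the CCITTFaxStream constructor hunk of xpdf/Stream.cc, the overflow test `columns + 3 < 1 || columns + 4 < 1` performs the very addition it is meant to guard against. If columns is a signed int, overflow in that expression is undefined behaviour and a compiler is free to drop the test; compare against the limit without adding, e.g. `columns < 1 || columns > INT_MAX - 4` (Stream.cc would then need `<limits.h>`, which this patch adds only to JBIG2Stream.cc). The `columns + 3` term is also covered by the `columns + 4` term, and a comment saying where the +3 and +4 come from would help the next reader. It is also worth deciding whether silently clamping an oversized value to 1 is intended, or whether it should be reported through error() as the other hunks in this patch do.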
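Review bot: In the DCTStream::readHuffmanTables hunk of xpdf/Stream.cc, `(index & ~0x10) < 0` is the only thing catching a negative return from `str->getChar()`, and that is not obvious from reading the condition. An explicit check on the getChar() result before `--length`, or a one-line comment on the existing test, would make the intent clear; computing `index & ~0x10` once into a local would also avoid repeating the mask. The literal 4 in the bound and the new `0x03` mask both encode the table count behind `acHuffTables[index]`, so deriving them from one named constant would keep them in step.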