Bugzilla – Attachment 60405 Details for
Bug 137156
VUL-0: CVE-2005-3193: xpdf: overflows
[patch]
new patch for overflows found by Chris evans and similiar ones
new-xpdf-checks.diff (text/plain), 3.07 KB, created by
Dirk Mueller
on 2005-12-13 13:04:31 UTC
Description:
new patch for overflows found by Chris Evans and similar ones
Filename:
MIME Type:
Creator:
Dirk Mueller
Created:
2005-12-13 13:04:31 UTC
Size:
3.07 KB
patch
obsolete
>Index: JBIG2Stream.cc
>===================================================================
>--- JBIG2Stream.cc (revision 488119)
>+++ JBIG2Stream.cc (working copy)
>@@ -7,6 +7,7 @@
> //========================================================================
>
> #include <aconf.h>
>+#include <limits.h>
>
> #ifdef USE_GCC_PRAGMAS
> #pragma implementation
>@@ -681,9 +682,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
> w = wA;
> h = hA;
> line = (wA + 7) >> 3;
>- // need to allocate one extra guard byte for use in combine()
>- data = (Guchar *)gmalloc(h * line + 1);
>- data[h * line] = 0;
>+
>+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
>+ data = NULL;
>+ }
>+ else {
>+ // need to allocate one extra guard byte for use in combine()
>+ data = (Guchar *)gmalloc(h * line + 1);
>+ data[h * line] = 0;
>+ }
> }
>
> JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
>@@ -692,6 +699,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
> w = bitmap->w;
> h = bitmap->h;
> line = bitmap->line;
>+
>+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
>+ data = NULL;
>+ return;
>+ }
>+
> // need to allocate one extra guard byte for use in combine()
> data = (Guchar *)gmalloc(h * line + 1);
> memcpy(data, bitmap->data, h * line);
>@@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
> }
>
> void JBIG2Bitmap::expand(int newH, Guint pixel) {
>- if (newH <= h) {
>+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
> return;
> }
> // need to allocate one extra guard byte for use in combine()
>@@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
> error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
> return;
> }
>+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
>+ error(getPos(), "Bad size in JBIG2 halftone segment");
>+ return;
>+ }
>+ if (w == 0 || h >= INT_MAX / w) {
>+ error(getPos(), "Bad size in JBIG2 bitmap segment");
>+ return;
>+ }
>+
> patternDict = (JBIG2PatternDict *)seg;
> bpp = 0;
> i = 1;
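Review bot: In both `JBIG2Bitmap` constructors (the `@@ -681` and `@@ -692` hunks) the rejected case sets `data = NULL` but leaves `w`, `h` and `line` at the rejected values, so the object still describes a non-empty bitmap with no buffer behind it. Any member or caller that indexes `data` from those dimensions would dereference NULL; the call sites are outside these hunks, so each `new JBIG2Bitmap(...)` needs checking. Resetting the dimensions in the failure branch, `w = h = line = 0;`, would keep the object self-consistent, with a comment such as `// h * line + 1 would overflow: leave an empty bitmap`. Separately, `line = (wA + 7) >> 3` runs before the check, so if `wA` is a signed `int` the addition itself can overflow for values near `INT_MAX`.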
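Review bot: `JBIG2Bitmap::expand()` now returns without resizing when `newH >= INT_MAX / line`, but it is `void`, so a caller cannot tell that rejection from the ordinary `newH <= h` no-op. If a caller goes on to address rows up to `newH` (callers are outside this hunk), it would run past the unchanged buffer. I would at least report the rejection before the `return`, e.g. `error(-1, "Bad size in JBIG2 bitmap expand");`, and have call sites compare `h` with the requested height afterwards. The rest of the function body lies outside the hunk.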
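Review bot: The two new guards in `readHalftoneRegionSeg` test only `gridH == 0` and `w == 0` and have no lower-bound test like the `h < 0` used in the `JBIG2Bitmap` constructors. The declarations of `w`, `h`, `gridW` and `gridH` are outside the hunk; if any of them is a signed `int`, a negative value is not reliably rejected by `x >= INT_MAX / y`, so a comment stating the types this relies on (or an explicit `< 0` test) would help. The second message says "bitmap segment" although it is raised from the halftone reader; `"Bad bitmap size in JBIG2 halftone segment"` would make the log line easier to attribute.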
>@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
> JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
> int x, y, pix;
>
>+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
>+ return NULL;
>+
> bitmap = new JBIG2Bitmap(0, w, h);
> bitmap->clearToZero();
>
>Index: Stream.cc
>===================================================================
>--- Stream.cc (revision 488119)
>+++ Stream.cc (working copy)
>@@ -1277,7 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
> endOfLine = endOfLineA;
> byteAlign = byteAlignA;
> columns = columnsA;
>- if (columns < 1) {
>+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
> columns = 1;
> }
> rows = rowsA;
>@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
> while (length > 0) {
> index = str->getChar();
> --length;
>- if ((index & 0x0f) >= 4) {
>+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
> error(getPos(), "Bad DCT Huffman table");
> return gFalse;
> }
> if (index & 0x10) {
>- index &= 0x0f;
>+ index &= 0x03;
> if (index >= numACHuffTables)
> numACHuffTables = index+1;
> tbl = &acHuffTables[index];
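Review bot: The new early `return NULL;` in `readGenericRefinementRegion` is silent, whereas the equivalent size rejections in `readHalftoneRegionSeg` call `error()`. Callers are outside the hunk; any that uses the returned bitmap without a NULL test would fault on a malformed stream, so each call site needs that check. I would log the rejection with `error(getPos(), "Bad bitmap size in JBIG2 generic refinement region");` and brace the `if`. The function body continues past the hunk.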
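Review bot: In the `CCITTFaxStream` constructor, `columns + 3 < 1 || columns + 4 < 1` depends on signed wrap-around (assuming `columns` is an `int`, as the `< 1` test suggests), which is undefined behaviour in C++. A compiler may assume the additions never overflow, fold both tests into `columns < 1`, and drop the guard entirely. Compare against the limit before adding instead: `if (columns < 1 || columns > INT_MAX - 4) {`; Stream.cc needs `<limits.h>` for `INT_MAX`, and its include list is outside the hunk. If the buffers sized from `columns` are also multiplied by an element size, the upper bound has to be divided by that size as well.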
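Review bot: The switch from `0x0f` to `~0x10` in `DCTStream::readHuffmanTables` is not explained, and the `< 0` half of the test only reads naturally if `str->getChar()` can return a negative end-of-stream value, which the hunk does not show. A comment above the check would help, e.g. `// valid: AC/DC flag (0x10) plus a table id 0..3; any other bit, or a negative getChar() result, is rejected`. The branch taken when `0x10` is clear is outside the hunk, so whether it indexes a table with the unmasked `index` cannot be confirmed from here.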