
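--- a/xpdf-2.02pl1/xpdf/Stream.h
+++ b/xpdf-2.02pl1/xpdf/Stream.h
@@ -225,6 +225,8 @@ public:
 
   ~StreamPredictor();
 
+  GBool isOk() { return ok; }
+
   int lookChar();
   int getChar();
 
@@ -242,6 +244,7 @@ private:
   int rowBytes;			// bytes per line
   Guchar *predLine;		// line buffer
   int predIdx;			// current index in predLine
+  GBool ok;
 };
 
 //------------------------------------------------------------------------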
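Review bot: The new `ok` member in the private section is the only field in that group without a trailing comment, and nothing on `isOk()` tells an owner what the flag gates. I would document it as `GBool ok;			// gTrue once the constructor accepted the parameters and allocated predLine`, and add a one-line comment above `isOk()` saying it must be checked before `lookChar()`/`getChar()` are used, since the Stream.cc part of this patch leaves `predLine` NULL when the parameters are rejected. As a style point, `isOk()` only reads the flag and could be declared `const`.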
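--- a/xpdf-2.02pl1/xpdf/Stream.cc
+++ b/xpdf-2.02pl1/xpdf/Stream.cc
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
+#include <limits.h>
 #ifndef WIN32
 #include <unistd.h>
 #endif
@@ -409,13 +410,28 @@ StreamPredictor::StreamPredictor(Stream
   width = widthA;
   nComps = nCompsA;
   nBits = nBitsA;
+  predLine = NULL;
+  ok = gFalse;
 
+  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+      nComps >= INT_MAX/nBits ||
+      width >= INT_MAX/nComps/nBits) {
+    return;
+  }
   nVals = width * nComps;
+  if (nVals * nBits + 7 <= 0) {
+    return;
+  }
   pixBytes = (nComps * nBits + 7) >> 3;
   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+  if (rowBytes < 0) {
+    return;
+  }
   predLine = (Guchar *)gmalloc(rowBytes);
   memset(predLine, 0, rowBytes);
   predIdx = rowBytes;
+
+  ok = gTrue;
 }
 
 StreamPredictor::~StreamPredictor() {
@@ -981,6 +997,10 @@ LZWStream::LZWStream(Stream *strA, int p
     FilterStream(strA) {
   if (predictor != 1) {
     pred = new StreamPredictor(this, predictor, columns, colors, bits);
+    if (!pred->isOk()) {
+      delete pred;
+      pred = NULL;
+    }
   } else {
     pred = NULL;
   }
@@ -1226,6 +1246,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
   endOfLine = endOfLineA;
   byteAlign = byteAlignA;
   columns = columnsA;
+  if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
+    error(-1, "invalid number of columns");
+    exit(1);
+  }
   rows = rowsA;
   endOfBlock = endOfBlockA;
   black = blackA;
@@ -2864,6 +2888,11 @@ GBool DCTStream::readBaselineSOF() {
   height = read16();
   width = read16();
   numComps = str->getChar();
+  if (numComps <= 0 || numComps > 4) {
+    numComps = 0;
+    error(getPos(), "Bad number of components in DCT stream");
+    return gFalse;
+  }
   if (prec != 8) {
     error(getPos(), "Bad DCT precision %d", prec);
     return gFalse;
@@ -2890,6 +2919,11 @@ GBool DCTStream::readProgressiveSOF() {
   height = read16();
   width = read16();
   numComps = str->getChar();
+  if (numComps <= 0 || numComps > 4) {
+    numComps = 0;
+    error(getPos(), "Bad number of components in DCT stream");
+    return gFalse;
+  }
   if (prec != 8) {
     error(getPos(), "Bad DCT precision %d", prec);
     return gFalse;
@@ -2912,6 +2946,10 @@ GBool DCTStream::readScanInfo() {
 
   length = read16() - 2;
   scanInfo.numComps = str->getChar();
+  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+    error(getPos(), "Bad number of components in DCT stream");
+    return gFalse;
+  }
   --length;
   if (length != 2 * scanInfo.numComps + 3) {
     error(getPos(), "Bad DCT scan info block");
@@ -2979,12 +3017,12 @@ GBool DCTStream::readHuffmanTables() {
   while (length > 0) {
     index = str->getChar();
     --length;
-    if ((index & 0x0f) >= 4) {
+    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
       error(getPos(), "Bad DCT Huffman table");
       return gFalse;
     }
     if (index & 0x10) {
-      index &= 0x0f;
+      index &= 0x03;
       if (index >= numACHuffTables)
 	numACHuffTables = index+1;
       tbl = &acHuffTables[index];
@@ -3072,9 +3110,11 @@ int DCTStream::readMarker() {
   do {
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c != 0xff);
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c == 0xff);
   } while (c == 0x00);
   return c;
@@ -3182,6 +3222,10 @@ FlateStream::FlateStream(Stream *strA, i
     FilterStream(strA) {
   if (predictor != 1) {
     pred = new StreamPredictor(this, predictor, columns, colors, bits);
+    if (!pred->isOk()) {
+      delete pred;
+      pred = NULL;
+    }
   } else {
     pred = NULL;
   }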
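Review bot: In the StreamPredictor constructor hunk the two follow-up guards, `if (nVals * nBits + 7 <= 0)` and `if (rowBytes < 0)`, test for overflow only after the signed arithmetic has been performed; signed overflow is undefined behaviour in C++, so an optimising compiler is allowed to drop those tests. The division guard above them appears to keep `width * nComps * nBits` below INT_MAX but leaves no margin for the `+ 7`, so a small `nComps * nBits` with a very large `width` can still reach the overflowing expression. Folding the margin into the bound, for example `width >= (INT_MAX - 7) / nComps / nBits`, would make the result checkable before it is computed and the later sign tests redundant. Separately, the CCITTFaxStream hunk calls `exit(1)` on a bad column count, which terminates any process embedding this code when it is handed a malformed file; an error state like the `ok` flag added to StreamPredictor would let the caller decide. Both constructors begin outside their hunks.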
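--- a/xpdf-2.02pl1/xpdf/JBIG2Stream.cc
+++ b/xpdf-2.02pl1/xpdf/JBIG2Stream.cc
@@ -7,6 +7,7 @@
 //========================================================================
 
 #include <aconf.h>
+#include <limits.h>
 
 #ifdef USE_GCC_PRAGMAS
 #pragma implementation
@@ -1001,7 +1002,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
   w = wA;
   h = hA;
   line = (wA + 7) >> 3;
-  data = (Guchar *)gmalloc(h * line);
+
+  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+    error(-1, "invalid width/height");
+    data = NULL;
+    return;
+  }
+
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)gmalloc(h * line + 1);
+  data[h * line] = 0;
 }
 
 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -1010,8 +1020,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
   w = bitmap->w;
   h = bitmap->h;
   line = bitmap->line;
-  data = (Guchar *)gmalloc(h * line);
+
+  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+    error(-1, "invalid width/height");
+    data = NULL;
+    return;
+  }
+
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)gmalloc(h * line + 1);
   memcpy(data, bitmap->data, h * line);
+  data[h * line] = 0;
 }
 
 JBIG2Bitmap::~JBIG2Bitmap() {
@@ -1036,10 +1055,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
 }
 
 void JBIG2Bitmap::expand(int newH, Guint pixel) {
-  if (newH <= h) {
+  if (newH <= h || line <= 0 || newH >= (INT_MAX - 1)/ line) {
+    error(-1, "invalid width/height");
+    gfree(data);
+    data = NULL;
     return;
   }
-  data = (Guchar *)grealloc(data, newH * line);
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)grealloc(data, newH * line + 1);
   if (pixel) {
     memset(data + h * line, 0xff, (newH - h) * line);
   } else {
@@ -2576,6 +2599,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
     error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
     return;
   }
+  if (gridH == 0 || gridW >= INT_MAX / gridH) {
+    error(getPos(), "Bad size in JBIG2 halftone segment");
+    return;
+  }
+  if (w == 0 || h >= INT_MAX / w) {
+     error(getPos(), "Bad size in JBIG2 bitmap segment");
+    return;
+  }
+
   patternDict = (JBIG2PatternDict *)seg;
   bpp = 0;
   i = 1;
@@ -3205,6 +3237,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
   JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
   int x, y, pix;
 
+  if (w < 0 || h <= 0 || w >= INT_MAX / h) {
+    error(-1, "invalid width/height");
+    return NULL;
+  }
+
   bitmap = new JBIG2Bitmap(0, w, h);
   bitmap->clearToZero();
 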
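Review bot: In `JBIG2Bitmap::expand` the new condition folds the old no-op case `newH <= h` into the error path, so a call that asks for the current height or less now logs "invalid width/height", frees `data` and leaves it NULL instead of returning with the bitmap intact. Keeping the early return separate, `if (newH <= h) return;` followed by `if (line <= 0 || newH >= (INT_MAX - 1) / line) {`, preserves the previous behaviour and reserves the free for the overflow case. Both constructors and `expand` also signal rejection only by setting `data` to NULL, and no accessor comparable to the `isOk()` this patch adds to StreamPredictor is visible here, so callers presumably have to test `data` themselves before touching the bitmap. The body of `expand` continues past the end of its hunk.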
