Attachment #60998 for bug #137156

View | Details | Raw Unified | Return to bug 137156
Collapse All | Expand All

Lines 7-12 Link Here

(-)kpdf/xpdf/xpdf/JBIG2Stream.cc (-1 / +27 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 681-686 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
681	w = wA;	682	w = wA;
682	h = hA;	683	h = hA;
683	line = (wA + 7) >> 3;	684	line = (wA + 7) >> 3;
		685
		686	if (h < 0 \|\| line <= 0 \|\| h >= (INT_MAX - 1) / line ) {
		687	data = NULL;
		688	return;
		689	}
		690
684	// need to allocate one extra guard byte for use in combine()	691	// need to allocate one extra guard byte for use in combine()
685	data = (Guchar )gmalloc(h line + 1);	692	data = (Guchar )gmalloc(h line + 1);
686	data[h * line] = 0;	693	data[h * line] = 0;
Lines 692-697 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
692	w = bitmap->w;	699	w = bitmap->w;
693	h = bitmap->h;	700	h = bitmap->h;
694	line = bitmap->line;	701	line = bitmap->line;
		702
		703	if (h < 0 \|\| line <= 0 \|\| h >= (INT_MAX - 1) / line) {
		704	data = NULL;
		705	return;
		706	}
		707
695	// need to allocate one extra guard byte for use in combine()	708	// need to allocate one extra guard byte for use in combine()
696	data = (Guchar )gmalloc(h line + 1);	709	data = (Guchar )gmalloc(h line + 1);
697	memcpy(data, bitmap->data, h * line);	710	memcpy(data, bitmap->data, h * line);
Lines 720-726 JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint Link Here
720	}	733	}
721		734
722	void JBIG2Bitmap::expand(int newH, Guint pixel) {	735	void JBIG2Bitmap::expand(int newH, Guint pixel) {
723	if (newH <= h) {	736
		737	if (newH <= h \|\| line <= 0 \|\| newH >= (INT_MAX - 1) / line) {
724	return;	738	return;
725	}	739	}
726	// need to allocate one extra guard byte for use in combine()	740	// need to allocate one extra guard byte for use in combine()
Lines 2305-2310 void JBIG2Stream::readHalftoneRegionSeg( Link Here
2305	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");	2319	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
2306	return;	2320	return;
2307	}	2321	}
		2322	if (gridH == 0 \|\| gridW >= INT_MAX / gridH) {
		2323	error(getPos(), "Bad size in JBIG2 halftone segment");
		2324	return;
		2325	}
		2326	if (h < 0 \|\| w == 0 \|\| h >= INT_MAX / w) {
		2327	error(getPos(), "Bad size in JBIG2 bitmap segment");
		2328	return;
		2329	}
		2330
2308	patternDict = (JBIG2PatternDict *)seg;	2331	patternDict = (JBIG2PatternDict *)seg;
2309	bpp = 0;	2332	bpp = 0;
2310	i = 1;	2333	i = 1;
Lines 2936-2941 JBIG2Bitmap *JBIG2Stream::readGenericRef Link Here
2936	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;	2959	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
2937	int x, y, pix;	2960	int x, y, pix;
2938		2961
		2962	if (w < 0 \|\| h <= 0 \|\| w >= INT_MAX / h)
		2963	return NULL;
		2964
2939	bitmap = new JBIG2Bitmap(0, w, h);	2965	bitmap = new JBIG2Bitmap(0, w, h);
2940	bitmap->clearToZero();	2966	bitmap->clearToZero();
2941		2967

Lines 15-20 Link Here

(-)kpdf/xpdf/xpdf/Stream.cc (-5 / +44 lines)
15	#include <stdio.h>	15	#include <stdio.h>
16	#include <stdlib.h>	16	#include <stdlib.h>
17	#include <stddef.h>	17	#include <stddef.h>
		18	#include <limits.h>
18	#ifndef WIN32	19	#ifndef WIN32
19	#include <unistd.h>	20	#include <unistd.h>
20	#endif	21	#endif
Lines 408-420 StreamPredictor::StreamPredictor(Stream Link Here
408	width = widthA;	409	width = widthA;
409	nComps = nCompsA;	410	nComps = nCompsA;
410	nBits = nBitsA;	411	nBits = nBitsA;
		412	predLine = NULL;
		413	ok = gFalse;
		414
		415	if (width <= 0 \|\| nComps <= 0 \|\| nBits <= 0 \|\|
		416	nComps >= INT_MAX / nBits \|\|
		417	width >= INT_MAX / nComps / nBits)
		418	return;
411		419
412	nVals = width * nComps;	420	nVals = width * nComps;
		421	if (nVals * nBits + 7 <= 0)
		422	return;
413	pixBytes = (nComps * nBits + 7) >> 3;	423	pixBytes = (nComps * nBits + 7) >> 3;
414	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;	424	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
		425	if (rowBytes < 0)
		426	return;
		427
415	predLine = (Guchar *)gmalloc(rowBytes);	428	predLine = (Guchar *)gmalloc(rowBytes);
416	memset(predLine, 0, rowBytes);	429	memset(predLine, 0, rowBytes);
417	predIdx = rowBytes;	430	predIdx = rowBytes;
		431
		432	ok = gTrue;
418	}	433	}
419		434
420	StreamPredictor::~StreamPredictor() {	435	StreamPredictor::~StreamPredictor() {
Lines 1006-1011 LZWStream::LZWStream(Stream *strA, int p Link Here
1006	FilterStream(strA) {	1021	FilterStream(strA) {
1007	if (predictor != 1) {	1022	if (predictor != 1) {
1008	pred = new StreamPredictor(this, predictor, columns, colors, bits);	1023	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		1024	if (!pred->isOk()) {
		1025	delete pred;
		1026	pred = NULL;
		1027	}
1009	} else {	1028	} else {
1010	pred = NULL;	1029	pred = NULL;
1011	}	1030	}
Lines 1258-1265 CCITTFaxStream::CCITTFaxStream(Stream *s Link Here
1258	endOfLine = endOfLineA;	1277	endOfLine = endOfLineA;
1259	byteAlign = byteAlignA;	1278	byteAlign = byteAlignA;
1260	columns = columnsA;	1279	columns = columnsA;
1261	if (columns < 1) {	1280	if (columns < 1 \|\| columns >= INT_MAX / sizeof(short)) {
1262	columns = 1;	1281	error(getPos(), "Bad number of columns in CCITTFaxStream");
		1282	exit(1);
1263	}	1283	}
1264	rows = rowsA;	1284	rows = rowsA;
1265	endOfBlock = endOfBlockA;	1285	endOfBlock = endOfBlockA;
Lines 2903-2909 GBool DCTStream::readBaselineSOF() { Link Here
2903	height = read16();	2923	height = read16();
2904	width = read16();	2924	width = read16();
2905	numComps = str->getChar();	2925	numComps = str->getChar();
2906	if (prec != 8) {	2926	if (numComps <= 0 \|\| numComps > 4) {
		2927	numComps = 0;
		2928	error(getPos(), "Bad number of components in DCT stream", prec);
		2929	return gFalse;
		2930	}
		2931	if (prec != 8) {
2907	error(getPos(), "Bad DCT precision %d", prec);	2932	error(getPos(), "Bad DCT precision %d", prec);
2908	return gFalse;	2933	return gFalse;
2909	}	2934	}
Lines 2929-2934 GBool DCTStream::readProgressiveSOF() { Link Here
2929	height = read16();	2954	height = read16();
2930	width = read16();	2955	width = read16();
2931	numComps = str->getChar();	2956	numComps = str->getChar();
		2957	if (numComps <= 0 \|\| numComps > 4) {
		2958	numComps = 0;
		2959	error(getPos(), "Bad number of components in DCT stream");
		2960	return gFalse;
		2961	}
2932	if (prec != 8) {	2962	if (prec != 8) {
2933	error(getPos(), "Bad DCT precision %d", prec);	2963	error(getPos(), "Bad DCT precision %d", prec);
2934	return gFalse;	2964	return gFalse;
Lines 2951-2956 GBool DCTStream::readScanInfo() { Link Here
2951		2981
2952	length = read16() - 2;	2982	length = read16() - 2;
2953	scanInfo.numComps = str->getChar();	2983	scanInfo.numComps = str->getChar();
		2984	if (scanInfo.numComps <= 0 \|\| scanInfo.numComps > 4) {
		2985	scanInfo.numComps = 0;
		2986	error(getPos(), "Bad number of components in DCT stream");
		2987	return gFalse;
		2988	}
2954	--length;	2989	--length;
2955	if (length != 2 * scanInfo.numComps + 3) {	2990	if (length != 2 * scanInfo.numComps + 3) {
2956	error(getPos(), "Bad DCT scan info block");	2991	error(getPos(), "Bad DCT scan info block");
Lines 3035-3046 GBool DCTStream::readHuffmanTables() { Link Here
3035	while (length > 0) {	3070	while (length > 0) {
3036	index = str->getChar();	3071	index = str->getChar();
3037	--length;	3072	--length;
3038	if ((index & 0x0f) >= 4) {	3073	if ((index & ~0x10) >= 4 \|\| (index & ~0x10) < 0) {
3039	error(getPos(), "Bad DCT Huffman table");	3074	error(getPos(), "Bad DCT Huffman table");
3040	return gFalse;	3075	return gFalse;
3041	}	3076	}
3042	if (index & 0x10) {	3077	if (index & 0x10) {
3043	index &= 0x0f;	3078	index &= 0x03;
3044	if (index >= numACHuffTables)	3079	if (index >= numACHuffTables)
3045	numACHuffTables = index+1;	3080	numACHuffTables = index+1;
3046	tbl = &acHuffTables[index];	3081	tbl = &acHuffTables[index];
Lines 3833-3838 FlateStream::FlateStream(Stream *strA, i Link Here
3833	FilterStream(strA) {	3868	FilterStream(strA) {
3834	if (predictor != 1) {	3869	if (predictor != 1) {
3835	pred = new StreamPredictor(this, predictor, columns, colors, bits);	3870	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		3871	if (!pred->isOk()) {
		3872	delete pred;
		3873	pred = NULL;
		3874	}
3836	} else {	3875	} else {
3837	pred = NULL;	3876	pred = NULL;
3838	}	3877	}

Lines 232-237 public: Link Here

(-)kpdf/xpdf/xpdf/Stream.h (+3 lines)
232		232
233	~StreamPredictor();	233	~StreamPredictor();
234		234
		235	GBool isOk() { return ok; }
		236
235	int lookChar();	237	int lookChar();
236	int getChar();	238	int getChar();
237		239
Lines 249-254 private: Link Here
249	int rowBytes; // bytes per line	251	int rowBytes; // bytes per line
250	Guchar *predLine; // line buffer	252	Guchar *predLine; // line buffer
251	int predIdx; // current index in predLine	253	int predIdx; // current index in predLine
		254	GBool ok;
252	};	255	};
253		256
254	//------------------------------------------------------------------------	257	//------------------------------------------------------------------------

Lines 7-12 Link Here

(-)kpdf/xpdf/xpdf/JPXStream.cc (-3 / +9 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 783-789 GBool JPXStream::readCodestream(Guint /* Link Here
783	int segType;	784	int segType;
784	GBool haveSIZ, haveCOD, haveQCD, haveSOT;	785	GBool haveSIZ, haveCOD, haveQCD, haveSOT;
785	Guint precinctSize, style;	786	Guint precinctSize, style;
786	Guint segLen, capabilities, comp, i, j, r;	787	Guint segLen, capabilities, nTiles, comp, i, j, r;
787		788
788	//----- main header	789	//----- main header
789	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;	790	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
Lines 818-825 GBool JPXStream::readCodestream(Guint /* Link Here
818	/ img.xTileSize;	819	/ img.xTileSize;
819	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)	820	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
820	/ img.yTileSize;	821	/ img.yTileSize;
821	img.tiles = (JPXTile )gmallocn(img.nXTiles img.nYTiles,	822	nTiles = img.nXTiles * img.nYTiles;
822	sizeof(JPXTile));	823	// check for overflow before allocating memory
		824	if (img.nXTiles <= 0 \|\| img.nYTiles <= 0 \|\| img.nXTiles >= INT_MAX / img.nYTiles) {
		825	error(getPos(), "Bad tile count in JPX SIZ marker segment");
		826	return gFalse;
		827	}
		828	img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
823	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {	829	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
824	img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,	830	img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
825	sizeof(JPXTileComp));	831	sizeof(JPXTileComp));




#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <limits.h>
#include "gmem.h"

#ifdef DEBUG_MEM

  int n;

  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
  }

  int n;

  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
  }

Return to bug 137156

Lines 11-16 Link Here

(-)kpdf/xpdf/goo/gmem.c (-2 / +3 lines)
11	#include <stdlib.h>	11	#include <stdlib.h>
12	#include <stddef.h>	12	#include <stddef.h>
13	#include <string.h>	13	#include <string.h>
		14	#include <limits.h>
14	#include "gmem.h"	15	#include "gmem.h"
15		16
16	#ifdef DEBUG_MEM	17	#ifdef DEBUG_MEM
Lines 141-147 void *gmallocn(int nObjs, int objSize) { Link Here
141	int n;	142	int n;
142		143
143	n = nObjs * objSize;	144	n = nObjs * objSize;
144	if (objSize == 0 \|\| n / objSize != nObjs) {	145	if (objSize <= 0 \|\| nObjs < 0 \|\| nObjs >= INT_MAX / objSize) {
145	fprintf(stderr, "Bogus memory allocation size\n");	146	fprintf(stderr, "Bogus memory allocation size\n");
146	exit(1);	147	exit(1);
147	}	148	}
Lines 152-158 void greallocn(void p, int nObjs, int Link Here
152	int n;	153	int n;
153		154
154	n = nObjs * objSize;	155	n = nObjs * objSize;
155	if (objSize == 0 \|\| n / objSize != nObjs) {	156	if (objSize <= 0 \|\| nObjs < 0 \|\| nObjs >= INT_MAX / objSize) {
156	fprintf(stderr, "Bogus memory allocation size\n");	157	fprintf(stderr, "Bogus memory allocation size\n");
157	exit(1);	158	exit(1);
158	}	159	}