diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c *** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 --- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 *************** *** 11,16 **** --- 11,17 ---- #include #include #include + #include #include "gmem.h" #ifdef DEBUG_MEM *************** *** 63,69 **** int lst; unsigned long *trl, *p; ! if (size == 0) return NULL; size1 = gMemDataSize(size); if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { --- 64,70 ---- int lst; unsigned long *trl, *p; ! if (size <= 0) return NULL; size1 = gMemDataSize(size); if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { *************** *** 86,92 **** #else void *p; ! if (size == 0) return NULL; if (!(p = malloc(size))) { fprintf(stderr, "Out of memory\n"); --- 87,93 ---- #else void *p; ! if (size <= 0) return NULL; if (!(p = malloc(size))) { fprintf(stderr, "Out of memory\n"); *************** *** 102,108 **** void *q; int oldSize; ! if (size == 0) { if (p) gfree(p); return NULL; --- 103,109 ---- void *q; int oldSize; ! if (size <= 0) { if (p) gfree(p); return NULL; *************** *** 120,126 **** #else void *q; ! if (size == 0) { if (p) free(p); return NULL; --- 121,127 ---- #else void *q; ! if (size <= 0) { if (p) free(p); return NULL; *************** *** 140,147 **** void *gmallocn(int nObjs, int objSize) { int n; n = nObjs * objSize; ! if (objSize == 0 || n / objSize != nObjs) { fprintf(stderr, "Bogus memory allocation size\n"); exit(1); } --- 141,151 ---- void *gmallocn(int nObjs, int objSize) { int n; + if (nObjs == 0) { + return NULL; + } n = nObjs * objSize; ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { fprintf(stderr, "Bogus memory allocation size\n"); exit(1); } *************** *** 151,158 **** void *greallocn(void *p, int nObjs, int objSize) { int n; n = nObjs * objSize; ! if (objSize == 0 || n / objSize != nObjs) { fprintf(stderr, "Bogus memory allocation size\n"); exit(1); } --- 155,168 ---- void *greallocn(void *p, int nObjs, int objSize) { int n; + if (nObjs == 0) { + if (p) { + gfree(p); + } + return NULL; + } n = nObjs * objSize; ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { fprintf(stderr, "Bogus memory allocation size\n"); exit(1); } diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc *** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 --- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 *************** *** 13,18 **** --- 13,19 ---- #endif #include + #include #include "GList.h" #include "Error.h" #include "JArithmeticDecoder.h" *************** *** 681,686 **** --- 682,691 ---- w = wA; h = hA; line = (wA + 7) >> 3; + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + data = NULL; + return; + } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); data[h * line] = 0; *************** *** 692,697 **** --- 697,706 ---- w = bitmap->w; h = bitmap->h; line = bitmap->line; + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + data = NULL; + return; + } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); memcpy(data, bitmap->data, h * line); *************** *** 720,726 **** } void JBIG2Bitmap::expand(int newH, Guint pixel) { ! if (newH <= h) { return; } // need to allocate one extra guard byte for use in combine() --- 729,735 ---- } void JBIG2Bitmap::expand(int newH, Guint pixel) { ! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { return; } // need to allocate one extra guard byte for use in combine() *************** *** 2294,2299 **** --- 2303,2316 ---- !readUWord(&stepX) || !readUWord(&stepY)) { goto eofError; } + if (w == 0 || h == 0 || w >= INT_MAX / h) { + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); + return; + } + if (gridH == 0 || gridW >= INT_MAX / gridH) { + error(getPos(), "Bad grid size in JBIG2 halftone segment"); + return; + } // get pattern dictionary if (nRefSegs != 1) { diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc *** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 --- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 *************** *** 12,17 **** --- 12,18 ---- #pragma implementation #endif + #include #include "gmem.h" #include "Error.h" #include "JArithmeticDecoder.h" *************** *** 818,823 **** --- 819,830 ---- / img.xTileSize; img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) / img.yTileSize; + // check for overflow before allocating memory + if (img.nXTiles <= 0 || img.nYTiles <= 0 || + img.nXTiles >= INT_MAX / img.nYTiles) { + error(getPos(), "Bad tile count in JPX SIZ marker segment"); + return gFalse; + } img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, sizeof(JPXTile)); for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc *** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 --- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 *************** *** 15,20 **** --- 15,21 ---- #include #include #include + #include #ifndef WIN32 #include #endif *************** *** 406,418 **** --- 407,432 ---- width = widthA; nComps = nCompsA; nBits = nBitsA; + predLine = NULL; + ok = gFalse; nVals = width * nComps; + if (width <= 0 || nComps <= 0 || nBits <= 0 || + nComps >= INT_MAX / nBits || + width >= INT_MAX / nComps / nBits || + nVals * nBits + 7 < 0) { + return; + } pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; + if (rowBytes <= 0) { + return; + } predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); predIdx = rowBytes; + + ok = gTrue; } StreamPredictor::~StreamPredictor() { *************** *** 1004,1009 **** --- 1018,1027 ---- FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits); + if (!pred->isOk()) { + delete pred; + pred = NULL; + } } else { pred = NULL; } *************** *** 1259,1264 **** --- 1277,1285 ---- if (columns < 1) { columns = 1; } + if (columns + 4 <= 0) { + columns = INT_MAX - 4; + } rows = rowsA; endOfBlock = endOfBlockA; black = blackA; *************** *** 2899,2904 **** --- 2920,2930 ---- height = read16(); width = read16(); numComps = str->getChar(); + if (numComps <= 0 || numComps > 4) { + error(getPos(), "Bad number of components in DCT stream"); + numComps = 0; + return gFalse; + } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; *************** *** 2925,2930 **** --- 2951,2961 ---- height = read16(); width = read16(); numComps = str->getChar(); + if (numComps <= 0 || numComps > 4) { + error(getPos(), "Bad number of components in DCT stream"); + numComps = 0; + return gFalse; + } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; *************** *** 2947,2952 **** --- 2978,2988 ---- length = read16() - 2; scanInfo.numComps = str->getChar(); + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { + error(getPos(), "Bad number of components in DCT stream"); + scanInfo.numComps = 0; + return gFalse; + } --length; if (length != 2 * scanInfo.numComps + 3) { error(getPos(), "Bad DCT scan info block"); *************** *** 3041,3046 **** --- 3077,3083 ---- numACHuffTables = index+1; tbl = &acHuffTables[index]; } else { + index &= 0x0f; if (index >= numDCHuffTables) numDCHuffTables = index+1; tbl = &dcHuffTables[index]; *************** *** 3827,3832 **** --- 3864,3873 ---- FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits); + if (!pred->isOk()) { + delete pred; + pred = NULL; + } } else { pred = NULL; } diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h *** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 --- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 *************** *** 232,237 **** --- 232,239 ---- ~StreamPredictor(); + GBool isOk() { return ok; } + int lookChar(); int getChar(); *************** *** 249,254 **** --- 251,257 ---- int rowBytes; // bytes per line Guchar *predLine; // line buffer int predIdx; // current index in predLine + GBool ok; }; //------------------------------------------------------------------------ *************** *** 527,533 **** short getWhiteCode(); short getBlackCode(); short lookBits(int n); ! void eatBits(int n) { inputBits -= n; } }; //------------------------------------------------------------------------ --- 530,536 ---- short getWhiteCode(); short getBlackCode(); short lookBits(int n); ! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } }; //------------------------------------------------------------------------ diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc *** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 --- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 *************** *** 186,192 **** } void SplashXPathScanner::computeIntersections(int y) { ! SplashCoord ySegMin, ySegMax, xx0, xx1; SplashXPathSeg *seg; int i, j; --- 186,192 ---- } void SplashXPathScanner::computeIntersections(int y) { ! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; SplashXPathSeg *seg; int i, j; *************** *** 236,254 **** } else if (seg->flags & splashXPathVert) { xx0 = xx1 = seg->x0; } else { ! if (ySegMin <= y) { ! // intersection with top edge ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; } else { ! // x coord of segment endpoint with min y coord ! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; } ! if (ySegMax >= y + 1) { ! // intersection with bottom edge ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ! } else { ! // x coord of segment endpoint with max y coord ! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; } } if (xx0 < xx1) { --- 236,262 ---- } else if (seg->flags & splashXPathVert) { xx0 = xx1 = seg->x0; } else { ! if (seg->x0 < seg->x1) { ! xSegMin = seg->x0; ! xSegMax = seg->x1; } else { ! xSegMin = seg->x1; ! xSegMax = seg->x0; } ! // intersection with top edge ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ! // intersection with bottom edge ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ! // the segment may not actually extend to the top and/or bottom edges ! if (xx0 < xSegMin) { ! xx0 = xSegMin; ! } else if (xx0 > xSegMax) { ! xx0 = xSegMax; ! } ! if (xx1 < xSegMin) { ! xx1 = xSegMin; ! } else if (xx1 > xSegMax) { ! xx1 = xSegMax; } } if (xx0 < xx1) {