diff options
author | Dan Williams <dcbw@redhat.com> | 2004-11-05 18:43:19 (GMT) |
---|---|---|
committer | Martin Kretzschmar <martink@src.gnome.org> | 2004-11-05 18:43:19 (GMT) |
commit | 25a9ea784b39a717a6b0f27ab4a8c21d9b3afc82 (patch) | |
tree | 05d0e582eafc1cf193bb0ee8c14e061a5d6c2360 /pdf/xpdf/Catalog.cc | |
parent | 01ea7350f8728781e60850fad9c87e04bf219bf0 (diff) |
Fix for a number of integer overflow bugs discovered by Chris Evans.
2004-11-05 Dan Williams <dcbw@redhat.com>
* xpdf/Catalog.cc, xpdf/XRef.cc: Fix for a number of integer
overflow bugs discovered by Chris Evans. CAN-2004-0888,
Bug #156729, Red Hat Bug #137420.
Diffstat (limited to 'pdf/xpdf/Catalog.cc')
-rw-r--r-- | pdf/xpdf/Catalog.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/pdf/xpdf/Catalog.cc b/pdf/xpdf/Catalog.cc index c645fd0..8762cd4 100644 --- a/pdf/xpdf/Catalog.cc +++ b/pdf/xpdf/Catalog.cc @@ -64,6 +64,15 @@ Catalog::Catalog(XRef *xrefA) { } pagesSize = numPages0 = (int)obj.getNum(); obj.free(); + // The gcc doesnt optimize this away, so this check is ok, + // even if it looks like a pagesSize != pagesSize check + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; + } + pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); for (i = 0; i < pagesSize; ++i) { @@ -191,6 +200,11 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { } if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); for (j = pagesSize - 32; j < pagesSize; ++j) { |