Fix for a number of integer overflow bugs discovered by Chris Evans.

2004-11-05  Dan Williams  <dcbw@redhat.com>

* xpdf/Catalog.cc, xpdf/XRef.cc: Fix for a number of integer
overflow bugs discovered by Chris Evans. CAN-2004-0888,
Bug #156729, Red Hat Bug #137420.

1 files changed, 14 insertions, 0 deletions

diff --git a/pdf/xpdf/Catalog.cc b/pdf/xpdf/Catalog.cc
index c645fd0..8762cd4 100644
--- a/pdf/xpdf/Catalog.cc
+++ b/pdf/xpdf/Catalog.cc
@@ -64,6 +64,15 @@ Catalog::Catalog(XRef *xrefA) {
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
+  // The gcc doesnt optimize this away, so this check is ok,
+  // even if it looks like a pagesSize != pagesSize check
+  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
+
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +200,11 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {