ALT Linux repositórios
| S: | 4.04-alt1 |
| 5.0: | 3.02-alt4 |
| 4.1: | 3.02-alt4.M41.1 |
| 4.0: | 3.02-alt3 |
| 3.0: | 3.00-alt5pl3 |
| +backports: | 3.01-alt0.M30.2 |
Group :: Escritórios
RPM: xpdf
Navegação
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: xpdf-3.01pl2.patch
Download
Download
diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c
*** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005
--- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006
***************
*** 11,16 ****
--- 11,17 ----
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
+ #include <limits.h>
#include "gmem.h"
#ifdef DEBUG_MEM
***************
*** 63,69 ****
int lst;
unsigned long *trl, *p;
! if (size == 0)
return NULL;
size1 = gMemDataSize(size);
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {--- 64,70 ----
int lst;
unsigned long *trl, *p;
! if (size <= 0)
return NULL;
size1 = gMemDataSize(size);
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {***************
*** 86,92 ****
#else
void *p;
! if (size == 0)
return NULL;
if (!(p = malloc(size))) {fprintf(stderr, "Out of memory\n");
--- 87,93 ----
#else
void *p;
! if (size <= 0)
return NULL;
if (!(p = malloc(size))) {fprintf(stderr, "Out of memory\n");
***************
*** 102,108 ****
void *q;
int oldSize;
! if (size == 0) {if (p)
gfree(p);
return NULL;
--- 103,109 ----
void *q;
int oldSize;
! if (size <= 0) {if (p)
gfree(p);
return NULL;
***************
*** 120,126 ****
#else
void *q;
! if (size == 0) {if (p)
free(p);
return NULL;
--- 121,127 ----
#else
void *q;
! if (size <= 0) {if (p)
free(p);
return NULL;
***************
*** 140,147 ****
void *gmallocn(int nObjs, int objSize) {int n;
n = nObjs * objSize;
! if (objSize == 0 || n / objSize != nObjs) {fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
--- 141,151 ----
void *gmallocn(int nObjs, int objSize) {int n;
+ if (nObjs == 0) {+ return NULL;
+ }
n = nObjs * objSize;
! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
***************
*** 151,158 ****
void *greallocn(void *p, int nObjs, int objSize) {int n;
n = nObjs * objSize;
! if (objSize == 0 || n / objSize != nObjs) {fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
--- 155,168 ----
void *greallocn(void *p, int nObjs, int objSize) {int n;
+ if (nObjs == 0) {+ if (p) {+ gfree(p);
+ }
+ return NULL;
+ }
n = nObjs * objSize;
! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc
*** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006
***************
*** 13,18 ****
--- 13,19 ----
#endif
#include <stdlib.h>
+ #include <limits.h>
#include "GList.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
***************
*** 681,686 ****
--- 682,691 ----
w = wA;
h = hA;
line = (wA + 7) >> 3;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {+ data = NULL;
+ return;
+ }
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
data[h * line] = 0;
***************
*** 692,697 ****
--- 697,706 ----
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {+ data = NULL;
+ return;
+ }
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
***************
*** 720,726 ****
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {! if (newH <= h) {return;
}
// need to allocate one extra guard byte for use in combine()
--- 729,735 ----
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {return;
}
// need to allocate one extra guard byte for use in combine()
***************
*** 2294,2299 ****
--- 2303,2316 ----
!readUWord(&stepX) || !readUWord(&stepY)) {goto eofError;
}
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
// get pattern dictionary
if (nRefSegs != 1) {diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
*** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006
***************
*** 12,17 ****
--- 12,18 ----
#pragma implementation
#endif
+ #include <limits.h>
#include "gmem.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
***************
*** 818,823 ****
--- 819,830 ----
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX / img.nYTiles) {+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
*** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006
***************
*** 15,20 ****
--- 15,21 ----
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+ #include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
***************
*** 406,418 ****
--- 407,432 ----
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
nVals = width * nComps;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX / nBits ||
+ width >= INT_MAX / nComps / nBits ||
+ nVals * nBits + 7 < 0) {+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ if (rowBytes <= 0) {+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
StreamPredictor::~StreamPredictor() {***************
*** 1004,1009 ****
--- 1018,1027 ----
FilterStream(strA) { if (predictor != 1) {pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {+ delete pred;
+ pred = NULL;
+ }
} else {pred = NULL;
}
***************
*** 1259,1264 ****
--- 1277,1285 ----
if (columns < 1) {columns = 1;
}
+ if (columns + 4 <= 0) {+ columns = INT_MAX - 4;
+ }
rows = rowsA;
endOfBlock = endOfBlockA;
black = blackA;
***************
*** 2899,2904 ****
--- 2920,2930 ----
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {+ error(getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
***************
*** 2925,2930 ****
--- 2951,2961 ----
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {+ error(getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
***************
*** 2947,2952 ****
--- 2978,2988 ----
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {+ error(getPos(), "Bad number of components in DCT stream");
+ scanInfo.numComps = 0;
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {error(getPos(), "Bad DCT scan info block");
***************
*** 3041,3046 ****
--- 3077,3083 ----
numACHuffTables = index+1;
tbl = &acHuffTables[index];
} else {+ index &= 0x0f;
if (index >= numDCHuffTables)
numDCHuffTables = index+1;
tbl = &dcHuffTables[index];
***************
*** 3827,3832 ****
--- 3864,3873 ----
FilterStream(strA) { if (predictor != 1) {pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {+ delete pred;
+ pred = NULL;
+ }
} else {pred = NULL;
}
diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
*** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006
***************
*** 232,237 ****
--- 232,239 ----
~StreamPredictor();
+ GBool isOk() { return ok; }+
int lookChar();
int getChar();
***************
*** 249,254 ****
--- 251,257 ----
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
+ GBool ok;
};
//------------------------------------------------------------------------
***************
*** 527,533 ****
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
! void eatBits(int n) { inputBits -= n; }};
//------------------------------------------------------------------------
--- 530,536 ----
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }};
//------------------------------------------------------------------------
diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc
*** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006
***************
*** 186,192 ****
}
void SplashXPathScanner::computeIntersections(int y) {! SplashCoord ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
--- 186,192 ----
}
void SplashXPathScanner::computeIntersections(int y) {! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
***************
*** 236,254 ****
} else if (seg->flags & splashXPathVert) {xx0 = xx1 = seg->x0;
} else {! if (ySegMin <= y) {! // intersection with top edge
! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
} else {! // x coord of segment endpoint with min y coord
! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
}
! if (ySegMax >= y + 1) {! // intersection with bottom edge
! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
! } else {! // x coord of segment endpoint with max y coord
! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
}
}
if (xx0 < xx1) {--- 236,262 ----
} else if (seg->flags & splashXPathVert) {xx0 = xx1 = seg->x0;
} else {! if (seg->x0 < seg->x1) {! xSegMin = seg->x0;
! xSegMax = seg->x1;
} else {! xSegMin = seg->x1;
! xSegMax = seg->x0;
}
! // intersection with top edge
! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
! // intersection with bottom edge
! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
! // the segment may not actually extend to the top and/or bottom edges
! if (xx0 < xSegMin) {! xx0 = xSegMin;
! } else if (xx0 > xSegMax) {! xx0 = xSegMax;
! }
! if (xx1 < xSegMin) {! xx1 = xSegMin;
! } else if (xx1 > xSegMax) {! xx1 = xSegMax;
}
}
if (xx0 < xx1) {