RPM: xpdf
Patch: xpdf-CESA-2004-007-xpdf3-new.diff
diff -Naur xpdf-3.00.orig/xpdf/Catalog.cc xpdf-3.00/xpdf/Catalog.cc
--- xpdf-3.00.orig/xpdf/Catalog.cc 2004-01-22 04:26:45 +0300
+++ xpdf-3.00/xpdf/Catalog.cc 2004-10-19 15:42:06 +0400
@@ -13,6 +13,7 @@
#endif
#include <stddef.h>
+#include <limits.h>
#include "gmem.h"
#include "Object.h"
#include "XRef.h"
@@ -64,6 +65,15 @@
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
+ // The gcc doesnt optimize this away, so this check is ok,
+ // even if it looks like
+ if (pagesSize > UINT_MAX/sizeof(Page *) ||
+ pagesSize > UINT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
+
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i = 0; i < pagesSize; ++i) {
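Review bot: The new guard before the two gmalloc() calls compares the signed `pagesSize` against `UINT_MAX/sizeof(...)`, so a negative page count is rejected only through the implicit conversion to unsigned, and the comment above the check stops mid-sentence without explaining that. Adding `pagesSize < 0 ||` as the first operand and bounding by `INT_MAX/sizeof(Ref)` rather than `UINT_MAX/sizeof(Ref)` would state the intent and keep the byte count within a signed int, in case gmalloc() takes one (its prototype is not visible here). The same `UINT_MAX/sizeof(T)` bound recurs in the next Catalog.cc hunk and in the XRef.cc hunks (`nObjects`, `newSize`, `streamEndsSize`) and deserves the same treatment. The enclosing function starts and ends outside the hunk.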
@@ -191,6 +201,11 @@
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize > UINT_MAX/sizeof(Page *) ||
+ pagesSize > UINT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
for (j = pagesSize - 32; j < pagesSize; ++j) {
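Review bot: `pagesSize += 32` runs before the new bound check, so on the `goto err3` path the member already claims 32 more slots than `pages` and `pageRefs` actually hold, and the addition itself can overflow a signed int before it is tested. Whether err3 or later cleanup walks the arrays up to `pagesSize` is outside the hunk, so this is a latent risk rather than a confirmed out-of-bounds access. Testing `pagesSize > INT_MAX - 32` first and applying the increment only once the checks pass keeps the size and the buffers consistent on every exit.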
diff -Naur xpdf-3.00.orig/xpdf/XRef.cc xpdf-3.00/xpdf/XRef.cc
--- xpdf-3.00.orig/xpdf/XRef.cc 2004-01-22 04:26:45 +0300
+++ xpdf-3.00/xpdf/XRef.cc 2004-10-19 15:41:00 +0400
@@ -16,6 +16,7 @@
#include <stddef.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include "gmem.h"
#include "Object.h"
#include "Stream.h"
@@ -96,7 +97,7 @@
}
nObjects = obj1.getInt();
obj1.free();
- if (nObjects == 0) {
+ if (nObjects <= 0) {
goto err1;
}
@@ -106,7 +107,15 @@
}
first = obj1.getInt();
obj1.free();
+ if (first < 0) {
+ goto err1;
+ }
+ if (nObjects > UINT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'nObjects'");
+ goto err1;
+ }
+
objs = new Object[nObjects];
objNums = (int *)gmalloc(nObjects * sizeof(int));
offsets = (int *)gmalloc(nObjects * sizeof(int));
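Review bot: The new `nObjects > UINT_MAX/sizeof(int)` test sizes the limit for the two int arrays, but the first allocation after it is `new Object[nObjects]`, whose element size is `sizeof(Object)` and is not covered by that bound. If Object is larger than an int (its definition is not shown here), the array-new size computation may still wrap for counts that pass the check, depending on the compiler. Bounding by the largest element, e.g. `if ((size_t)nObjects > INT_MAX/sizeof(Object)) {`, covers all three allocations. The enclosing function continues outside the hunk.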
@@ -130,6 +139,12 @@
offsets[i] = obj2.getInt();
obj1.free();
obj2.free();
+ if (objNums[i] < 0 || offsets[i] < 0 ||
+ (i > 0 && offsets[i] < offsets[i-1])) {
+ delete parser;
+ gfree(offsets);
+ goto err1;
+ }
}
while (str->getChar() != EOF) ;
delete parser;
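Review bot: The added bail-out inside the loop releases `parser` and `offsets` but not `objs` or `objNums`, which the preceding hunk allocates, and nothing on this path says who owns them. The err1 label and any destructor are outside the hunk, so this may be correct. A one-line comment such as `// objs and objNums are released by the owner's cleanup, only the local offsets is freed here` (once confirmed) would let a reader rule out a leak or a double free. Unlike the other new checks, this one also fails without an error() message, which makes a rejected file harder to diagnose.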
@@ -369,10 +384,21 @@
}
n = obj.getInt();
obj.free();
+ if (first < 0 || n < 0 || first + n < 0) {
+ goto err1;
+ }
if (first + n > size) {
for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
newSize <<= 1) ;
+ if (newSize < 0) {
+ goto err1;
+ }
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters'");
+ goto err1;
+ }
+
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
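Review bot: `first + n < 0` tests for signed overflow after the addition has already happened, which is undefined behaviour. Because `first < 0 || n < 0` has just been excluded, an optimising compiler may treat that third operand as always false and drop it. Checking before adding, `if (first < 0 || n < 0 || n > INT_MAX - first) {`, does not depend on wraparound. The same concern applies to the `newSize <<= 1` loop, which relies on `newSize` turning non-positive, and to the identical `first + n < 0` / `newSize < 0` pair in the later hunk that begins at `Guint offset;`. Capping `newSize` before the shift (for example stopping once `newSize > INT_MAX / 2`) would avoid the signed shift overflow.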
@@ -443,7 +469,7 @@
// check for an 'XRefStm' key
if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
- pos2 = obj2.getInt();
+ pos2 = (Guint)obj2.getInt();
readXRef(&pos2);
if (!ok) {
goto err1;
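Review bot: The `(Guint)` cast on `obj2.getInt()` only makes the signed-to-unsigned conversion explicit; a negative 'XRefStm' value read from the file still becomes a very large position handed to `readXRef(&pos2)`. Testing `obj2.getInt() < 0` and taking the error path before the assignment would reject it, in line with the `first < 0` and `newSize < 0` checks added elsewhere in this patch. How `obj2` is released on that path depends on code outside the hunk.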
@@ -474,7 +500,14 @@
}
newSize = obj.getInt();
obj.free();
+ if (newSize < 0) {
+ goto err1;
+ }
if (newSize > size) {
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' parameter.");
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
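Review bot: The two new guards on `newSize` leave the function through different exits: the negative case uses `goto err1`, while the overflow case uses `return gFalse` and so skips whatever err1 does. The err1 label is outside the hunk, but if it records the failure or releases objects, the direct return bypasses that. Using `goto err1;` after the `error(-1, "Invalid 'size' parameter.")` call would keep both rejections on the same cleanup path.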
@@ -494,6 +527,9 @@
}
w[i] = obj2.getInt();
obj2.free();
+ if (w[i] < 0 || w[i] > 4) {
+ goto err1;
+ }
}
obj.free();
@@ -513,13 +549,14 @@
}
n = obj.getInt();
obj.free();
- if (!readXRefStreamSection(xrefStr, w, first, n)) {
+ if (first < 0 || n < 0 ||
+ !readXRefStreamSection(xrefStr, w, first, n)) {
idx.free();
goto err0;
}
}
} else {
- if (!readXRefStreamSection(xrefStr, w, 0, size)) {
+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
idx.free();
goto err0;
}
@@ -551,10 +588,20 @@
Guint offset;
int type, gen, c, newSize, i, j;
+ if (first + n < 0) {
+ return gFalse;
+ }
if (first + n > size) {
for (newSize = size ? 2 * size : 1024;
- first + n > newSize;
+ first + n > newSize && newSize > 0;
newSize <<= 1) ;
+ if (newSize < 0) {
+ return gFalse;
+ }
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ return gFalse;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
@@ -585,24 +632,26 @@
}
gen = (gen << 8) + c;
}
- switch (type) {
- case 0:
- entries[i].offset = offset;
- entries[i].gen = gen;
- entries[i].type = xrefEntryFree;
- break;
- case 1:
- entries[i].offset = offset;
- entries[i].gen = gen;
- entries[i].type = xrefEntryUncompressed;
- break;
- case 2:
- entries[i].offset = offset;
- entries[i].gen = gen;
- entries[i].type = xrefEntryCompressed;
- break;
- default:
- return gFalse;
+ if (entries[i].offset == 0xffffffff) {
+ switch (type) {
+ case 0:
+ entries[i].offset = offset;
+ entries[i].gen = gen;
+ entries[i].type = xrefEntryFree;
+ break;
+ case 1:
+ entries[i].offset = offset;
+ entries[i].gen = gen;
+ entries[i].type = xrefEntryUncompressed;
+ break;
+ case 2:
+ entries[i].offset = offset;
+ entries[i].gen = gen;
+ entries[i].type = xrefEntryCompressed;
+ break;
+ default:
+ return gFalse;
+ }
}
}
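Review bot: The new `if (entries[i].offset == 0xffffffff)` wrapper has no comment explaining why an already-filled slot must not be overwritten, or that `0xffffffff` is the "unset" marker written by the grealloc() fill loops in the other hunks. A short comment above the condition, e.g. `// only fill slots still holding the 0xffffffff "unset" marker; keep entries set earlier`, would document this (the precedence rationale is presumed and should be confirmed). A side effect worth stating there is that the `default: return gFalse` rejection of an unknown `type` is no longer reached for slots that are already populated. The enclosing loop starts outside the hunk.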
@@ -664,38 +713,48 @@
// look for object
} else if (isdigit(*p)) {
num = atoi(p);
- do {
- ++p;
- } while (*p && isdigit(*p));
- if (isspace(*p)) {
+ if (num > 0) {
do {
++p;
- } while (*p && isspace(*p));
- if (isdigit(*p)) {
- gen = atoi(p);
+ } while (*p && isdigit(*p));
+ if (isspace(*p)) {
do {
++p;
- } while (*p && isdigit(*p));
- if (isspace(*p)) {
+ } while (*p && isspace(*p));
+ if (isdigit(*p)) {
+ gen = atoi(p);
do {
++p;
- } while (*p && isspace(*p));
- if (!strncmp(p, "obj", 3)) {
- if (num >= size) {
- newSize = (num + 1 + 255) & ~255;
- entries = (XRefEntry *)
- grealloc(entries, newSize * sizeof(XRefEntry));
- for (i = size; i < newSize; ++i) {
- entries[i].offset = 0xffffffff;
- entries[i].type = xrefEntryFree;
+ } while (*p && isdigit(*p));
+ if (isspace(*p)) {
+ do {
+ ++p;
+ } while (*p && isspace(*p));
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0) {
+ error(-1, "Bad object number");
+ return gFalse;
+ }
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+ entries[i].type = xrefEntryFree;
+ }
+ size = newSize;
+ }
+ if (entries[num].type == xrefEntryFree ||
+ gen >= entries[num].gen) {
+ entries[num].offset = pos - start;
+ entries[num].gen = gen;
+ entries[num].type = xrefEntryUncompressed;
}
- size = newSize;
- }
- if (entries[num].type == xrefEntryFree ||
- gen >= entries[num].gen) {
- entries[num].offset = pos - start;
- entries[num].gen = gen;
- entries[num].type = xrefEntryUncompressed;
}
}
}
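Review bot: `num` and `gen` still come from atoi(), which reports no error and has undefined behaviour when the digits do not fit in an int. The new `num > 0` test and the later `newSize < 0` test therefore inspect a value that may already be meaningless, and `(num + 1 + 255)` can itself overflow before `newSize < 0` is evaluated. Parsing with strtol() and rejecting out-of-range results would fix this. At minimum, `if (num > INT_MAX - 256) { error(-1, "Bad object number"); return gFalse; }` before computing `newSize` removes the dependence on wraparound. `gen` is stored into `entries[num].gen` without a range check, so a `gen < 0` rejection would match the sign checks added in the other hunks. The enclosing loop starts and ends outside the hunk.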
@@ -705,6 +764,10 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize > UINT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
streamEnds = (Guint *)grealloc(streamEnds,
streamEndsSize * sizeof(int));
}