|
|
# --- ROCK-COPYRIGHT-NOTE-BEGIN ---# # This copyright note is auto-generated by ./scripts/Create-CopyPatch.# Please add additional copyright information _after_ the line containing# the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by# the ./scripts/Create-CopyPatch script. Do not edit this copyright text!# # ROCK Linux: rock-src/package/rene/xpdf/xpdf-3.00pl1-overflowfix.patch.xpdf# ROCK Linux is Copyright (C) 1998 - 2005 Clifford Wolf# # This patch file is dual-licensed. It is available under the license the# patched project is licensed under, as long as it is an OpenSource license# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms# of the GNU General Public License as published by the Free Software# Foundation; either version 2 of the License, or (at your option) any later# version.# # --- ROCK-COPYRIGHT-NOTE-END ---
--- ./xpdf/XRef.cc.orig 2004-11-24 15:01:16.444656632 +0100+++ ./xpdf/XRef.cc 2004-11-24 15:00:57.007611512 +0100@@ -96,7 +96,7 @@ } nObjects = obj1.getInt(); obj1.free();- if (nObjects == 0) {+ if (nObjects <= 0) { goto err1; } @@ -106,6 +106,9 @@ } first = obj1.getInt(); obj1.free();+ if (first < 0) {+ goto err1;+ } objs = new Object[nObjects]; objNums = (int *)gmalloc(nObjects * sizeof(int));@@ -130,6 +133,12 @@ offsets[i] = obj2.getInt(); obj1.free(); obj2.free();+ if (objNums[i] < 0 || offsets[i] < 0 ||+ (i > 0 && offsets[i] < offsets[i-1])) {+ delete parser;+ gfree(offsets);+ goto err1;+ } } while (str->getChar() != EOF) ; delete parser;@@ -369,10 +378,16 @@ } n = obj.getInt(); obj.free();+ if (first < 0 || n < 0 || first + n < 0) {+ goto err1;+ } if (first + n > size) { for (newSize = size ? 2 * size : 1024;- first + n > newSize;+ first + n > newSize && newSize > 0; newSize <<= 1) ;+ if (newSize < 0) {+ goto err1;+ } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff;@@ -443,7 +458,7 @@ // check for an 'XRefStm' key if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {- pos2 = obj2.getInt();+ pos2 = (Guint)obj2.getInt(); readXRef(&pos2); if (!ok) { goto err1;@@ -474,6 +489,9 @@ } newSize = obj.getInt(); obj.free();+ if (newSize < 0) {+ goto err1;+ } if (newSize > size) { entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) {@@ -494,6 +512,9 @@ } w[i] = obj2.getInt(); obj2.free();+ if (w[i] < 0 || w[i] > 4) {+ goto err1;+ } } obj.free(); @@ -513,13 +534,14 @@ } n = obj.getInt(); obj.free();- if (!readXRefStreamSection(xrefStr, w, first, n)) {+ if (first < 0 || n < 0 ||+ !readXRefStreamSection(xrefStr, w, first, n)) { idx.free(); goto err0; } } } else {- if (!readXRefStreamSection(xrefStr, w, 0, size)) {+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) { idx.free(); goto err0; }@@ -551,10 +573,16 @@ Guint offset; int type, gen, c, newSize, i, j; + if (first + n < 0) {+ return gFalse;+ } if (first + n > size) { for (newSize = size ? 2 * size : 1024;- first + n > newSize;+ first + n > newSize && newSize > 0; newSize <<= 1) ;+ if (newSize < 0) {+ return gFalse;+ } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff;@@ -585,24 +613,26 @@ } gen = (gen << 8) + c; }- switch (type) {- case 0:- entries[i].offset = offset;- entries[i].gen = gen;- entries[i].type = xrefEntryFree;- break;- case 1:- entries[i].offset = offset;- entries[i].gen = gen;- entries[i].type = xrefEntryUncompressed;- break;- case 2:- entries[i].offset = offset;- entries[i].gen = gen;- entries[i].type = xrefEntryCompressed;- break;- default:- return gFalse;+ if (entries[i].offset == 0xffffffff) {+ switch (type) {+ case 0:+ entries[i].offset = offset;+ entries[i].gen = gen;+ entries[i].type = xrefEntryFree;+ break;+ case 1:+ entries[i].offset = offset;+ entries[i].gen = gen;+ entries[i].type = xrefEntryUncompressed;+ break;+ case 2:+ entries[i].offset = offset;+ entries[i].gen = gen;+ entries[i].type = xrefEntryCompressed;+ break;+ default:+ return gFalse;+ } } } @@ -664,38 +694,44 @@ // look for object } else if (isdigit(*p)) { num = atoi(p);- do {- ++p;- } while (*p && isdigit(*p));- if (isspace(*p)) {+ if (num > 0) { do { ++p;- } while (*p && isspace(*p));- if (isdigit(*p)) {- gen = atoi(p);+ } while (*p && isdigit(*p));+ if (isspace(*p)) { do { ++p;- } while (*p && isdigit(*p));- if (isspace(*p)) {+ } while (*p && isspace(*p));+ if (isdigit(*p)) {+ gen = atoi(p); do { ++p;- } while (*p && isspace(*p));- if (!strncmp(p, "obj", 3)) {- if (num >= size) {- newSize = (num + 1 + 255) & ~255;- entries = (XRefEntry *)- grealloc(entries, newSize * sizeof(XRefEntry));- for (i = size; i < newSize; ++i) {- entries[i].offset = 0xffffffff;- entries[i].type = xrefEntryFree;+ } while (*p && isdigit(*p));+ if (isspace(*p)) {+ do {+ ++p;+ } while (*p && isspace(*p));+ if (!strncmp(p, "obj", 3)) {+ if (num >= size) {+ newSize = (num + 1 + 255) & ~255;+ if (newSize < 0) {+ error(-1, "Bad object number");+ return gFalse;+ }+ entries = (XRefEntry *)+ grealloc(entries, newSize * sizeof(XRefEntry));+ for (i = size; i < newSize; ++i) {+ entries[i].offset = 0xffffffff;+ entries[i].type = xrefEntryFree;+ }+ size = newSize;+ }+ if (entries[num].type == xrefEntryFree ||+ gen >= entries[num].gen) {+ entries[num].offset = pos - start;+ entries[num].gen = gen;+ entries[num].type = xrefEntryUncompressed; }- size = newSize;- }- if (entries[num].type == xrefEntryFree ||- gen >= entries[num].gen) {- entries[num].offset = pos - start;- entries[num].gen = gen;- entries[num].type = xrefEntryUncompressed; } } }
|
