|
|
Index: kpdf/xpdf/xpdf/JBIG2Stream.cc
===================================================================
--- ./kpdf/xpdf/xpdf/JBIG2Stream.cc (revision 481099)
+++ ./kpdf/xpdf/xpdf/JBIG2Stream.cc (revision 488715)
@@ -7,6 +7,7 @@
//======================================================================== #include <aconf.h>+#include <limits.h>
#ifdef USE_GCC_PRAGMAS #pragma implementation@@ -681,6 +682,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = wA; h = hA; line = (wA + 7) >> 3;+
+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line ) {
+ data = NULL;
+ return;
+ }
+
// need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); data[h * line] = 0;@@ -692,6 +699,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = bitmap->w; h = bitmap->h; line = bitmap->line;+
+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ data = NULL;
+ return;
+ }
+
// need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); memcpy(data, bitmap->data, h * line);@@ -720,7 +733,8 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
} void JBIG2Bitmap::expand(int newH, Guint pixel) {- if (newH <= h) {
+
+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
return; } // need to allocate one extra guard byte for use in combine()@@ -2305,6 +2319,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; }+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (h < 0 || w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg; bpp = 0; i = 1;@@ -2936,6 +2959,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; int x, y, pix; + if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ return NULL;
+
bitmap = new JBIG2Bitmap(0, w, h); bitmap->clearToZero(); Index: kpdf/xpdf/xpdf/Stream.cc
===================================================================
--- ./kpdf/xpdf/xpdf/Stream.cc (revision 481099)
+++ ./kpdf/xpdf/xpdf/Stream.cc (revision 488715)
@@ -15,6 +15,7 @@
#include <stdio.h> #include <stdlib.h> #include <stddef.h>+#include <limits.h>
#ifndef WIN32 #include <unistd.h> #endif@@ -408,13 +409,27 @@ StreamPredictor::StreamPredictor(Stream
width = widthA; nComps = nCompsA; nBits = nBitsA;+ predLine = NULL;
+ ok = gFalse;
+
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX / nBits ||
+ width >= INT_MAX / nComps / nBits)
+ return;
nVals = width * nComps;+ if (nVals * nBits + 7 <= 0)
+ return;
pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;+ if (rowBytes < 0)
+ return;
+
predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); predIdx = rowBytes;+
+ ok = gTrue;
} StreamPredictor::~StreamPredictor() {@@ -1006,6 +1021,10 @@ LZWStream::LZWStream(Stream *strA, int p
FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits);+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else { pred = NULL; }@@ -1258,8 +1277,9 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
endOfLine = endOfLineA; byteAlign = byteAlignA; columns = columnsA;- if (columns < 1) {
- columns = 1;
+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
+ error(getPos(), "Bad number of columns in CCITTFaxStream");
+ exit(1);
} rows = rowsA; endOfBlock = endOfBlockA;@@ -2903,7 +2923,12 @@ GBool DCTStream::readBaselineSOF() {
height = read16(); width = read16(); numComps = str->getChar();- if (prec != 8) {
+ if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
+ if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec); return gFalse; }@@ -2929,6 +2954,11 @@ GBool DCTStream::readProgressiveSOF() {
height = read16(); width = read16(); numComps = str->getChar();+ if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse;@@ -2951,6 +2981,11 @@ GBool DCTStream::readScanInfo() {
length = read16() - 2; scanInfo.numComps = str->getChar();+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ scanInfo.numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length; if (length != 2 * scanInfo.numComps + 3) { error(getPos(), "Bad DCT scan info block");@@ -3035,12 +3070,12 @@ GBool DCTStream::readHuffmanTables() {
while (length > 0) { index = str->getChar(); --length;- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table"); return gFalse; } if (index & 0x10) {- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables) numACHuffTables = index+1; tbl = &acHuffTables[index];@@ -3833,6 +3868,10 @@ FlateStream::FlateStream(Stream *strA, i
FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits);+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else { pred = NULL; }Index: kpdf/xpdf/xpdf/Stream.h
===================================================================
--- ./kpdf/xpdf/xpdf/Stream.h (revision 481099)
+++ ./kpdf/xpdf/xpdf/Stream.h (revision 488715)
@@ -232,6 +232,8 @@ public:
~StreamPredictor(); + GBool isOk() { return ok; }
+
int lookChar(); int getChar(); @@ -249,6 +251,7 @@ private:
int rowBytes; // bytes per line Guchar *predLine; // line buffer int predIdx; // current index in predLine+ GBool ok;
}; //--------------------------------------------------------------------------- ./kpdf/xpdf/xpdf/JPXStream.cc (revision 481099)
+++ ./kpdf/xpdf/xpdf/JPXStream.cc (revision 488715)
@@ -7,6 +7,7 @@
//======================================================================== #include <aconf.h>+#include <limits.h>
#ifdef USE_GCC_PRAGMAS #pragma implementation@@ -783,7 +784,7 @@ GBool JPXStream::readCodestream(Guint /*
int segType; GBool haveSIZ, haveCOD, haveQCD, haveSOT; Guint precinctSize, style;- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
//----- main header haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;@@ -818,8 +819,13 @@ GBool JPXStream::readCodestream(Guint /*
/ img.xTileSize; img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) / img.yTileSize;- img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 || img.nXTiles >= INT_MAX / img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps, sizeof(JPXTileComp));Index: kpdf/xpdf/goo/gmem.c
===================================================================
--- ./kpdf/xpdf/goo/gmem.c (revision 481099)
+++ ./kpdf/xpdf/goo/gmem.c (revision 488715)
@@ -11,6 +11,7 @@
#include <stdlib.h> #include <stddef.h> #include <string.h>+#include <limits.h>
#include "gmem.h" #ifdef DEBUG_MEM@@ -141,7 +142,7 @@ void *gmallocn(int nObjs, int objSize) {
int n; n = nObjs * objSize;- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n"); exit(1); }@@ -152,7 +153,7 @@ void *greallocn(void *p, int nObjs, int
int n; n = nObjs * objSize;- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n"); exit(1); }
|
