You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
250 lines
6.4 KiB
250 lines
6.4 KiB
# --- ROCK-COPYRIGHT-NOTE-BEGIN ---
|
|
#
|
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
|
# Please add additional copyright information _after_ the line containing
|
|
# the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
|
|
# the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
|
|
#
|
|
# ROCK Linux: rock-src/package/rene/xpdf/xpdf-3.00pl1-overflowfix.patch.xpdf
|
|
# ROCK Linux is Copyright (C) 1998 - 2005 Clifford Wolf
|
|
#
|
|
# This patch file is dual-licensed. It is available under the license the
|
|
# patched project is licensed under, as long as it is an OpenSource license
|
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
|
# of the GNU General Public License as published by the Free Software
|
|
# Foundation; either version 2 of the License, or (at your option) any later
|
|
# version.
|
|
#
|
|
# --- ROCK-COPYRIGHT-NOTE-END ---
|
|
|
|
--- ./xpdf/XRef.cc.orig 2004-11-24 15:01:16.444656632 +0100
|
|
+++ ./xpdf/XRef.cc 2004-11-24 15:00:57.007611512 +0100
|
|
@@ -96,7 +96,7 @@
|
|
}
|
|
nObjects = obj1.getInt();
|
|
obj1.free();
|
|
- if (nObjects == 0) {
|
|
+ if (nObjects <= 0) {
|
|
goto err1;
|
|
}
|
|
|
|
@@ -106,6 +106,9 @@
|
|
}
|
|
first = obj1.getInt();
|
|
obj1.free();
|
|
+ if (first < 0) {
|
|
+ goto err1;
|
|
+ }
|
|
|
|
objs = new Object[nObjects];
|
|
objNums = (int *)gmalloc(nObjects * sizeof(int));
|
|
@@ -130,6 +133,12 @@
|
|
offsets[i] = obj2.getInt();
|
|
obj1.free();
|
|
obj2.free();
|
|
+ if (objNums[i] < 0 || offsets[i] < 0 ||
|
|
+ (i > 0 && offsets[i] < offsets[i-1])) {
|
|
+ delete parser;
|
|
+ gfree(offsets);
|
|
+ goto err1;
|
|
+ }
|
|
}
|
|
while (str->getChar() != EOF) ;
|
|
delete parser;
|
|
@@ -369,10 +378,16 @@
|
|
}
|
|
n = obj.getInt();
|
|
obj.free();
|
|
+ if (first < 0 || n < 0 || first + n < 0) {
|
|
+ goto err1;
|
|
+ }
|
|
if (first + n > size) {
|
|
for (newSize = size ? 2 * size : 1024;
|
|
- first + n > newSize;
|
|
+ first + n > newSize && newSize > 0;
|
|
newSize <<= 1) ;
|
|
+ if (newSize < 0) {
|
|
+ goto err1;
|
|
+ }
|
|
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
|
|
for (i = size; i < newSize; ++i) {
|
|
entries[i].offset = 0xffffffff;
|
|
@@ -443,7 +458,7 @@
|
|
|
|
// check for an 'XRefStm' key
|
|
if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
|
|
- pos2 = obj2.getInt();
|
|
+ pos2 = (Guint)obj2.getInt();
|
|
readXRef(&pos2);
|
|
if (!ok) {
|
|
goto err1;
|
|
@@ -474,6 +489,9 @@
|
|
}
|
|
newSize = obj.getInt();
|
|
obj.free();
|
|
+ if (newSize < 0) {
|
|
+ goto err1;
|
|
+ }
|
|
if (newSize > size) {
|
|
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
|
|
for (i = size; i < newSize; ++i) {
|
|
@@ -494,6 +512,9 @@
|
|
}
|
|
w[i] = obj2.getInt();
|
|
obj2.free();
|
|
+ if (w[i] < 0 || w[i] > 4) {
|
|
+ goto err1;
|
|
+ }
|
|
}
|
|
obj.free();
|
|
|
|
@@ -513,13 +534,14 @@
|
|
}
|
|
n = obj.getInt();
|
|
obj.free();
|
|
- if (!readXRefStreamSection(xrefStr, w, first, n)) {
|
|
+ if (first < 0 || n < 0 ||
|
|
+ !readXRefStreamSection(xrefStr, w, first, n)) {
|
|
idx.free();
|
|
goto err0;
|
|
}
|
|
}
|
|
} else {
|
|
- if (!readXRefStreamSection(xrefStr, w, 0, size)) {
|
|
+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
|
|
idx.free();
|
|
goto err0;
|
|
}
|
|
@@ -551,10 +573,16 @@
|
|
Guint offset;
|
|
int type, gen, c, newSize, i, j;
|
|
|
|
+ if (first + n < 0) {
|
|
+ return gFalse;
|
|
+ }
|
|
if (first + n > size) {
|
|
for (newSize = size ? 2 * size : 1024;
|
|
- first + n > newSize;
|
|
+ first + n > newSize && newSize > 0;
|
|
newSize <<= 1) ;
|
|
+ if (newSize < 0) {
|
|
+ return gFalse;
|
|
+ }
|
|
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
|
|
for (i = size; i < newSize; ++i) {
|
|
entries[i].offset = 0xffffffff;
|
|
@@ -585,24 +613,26 @@
|
|
}
|
|
gen = (gen << 8) + c;
|
|
}
|
|
- switch (type) {
|
|
- case 0:
|
|
- entries[i].offset = offset;
|
|
- entries[i].gen = gen;
|
|
- entries[i].type = xrefEntryFree;
|
|
- break;
|
|
- case 1:
|
|
- entries[i].offset = offset;
|
|
- entries[i].gen = gen;
|
|
- entries[i].type = xrefEntryUncompressed;
|
|
- break;
|
|
- case 2:
|
|
- entries[i].offset = offset;
|
|
- entries[i].gen = gen;
|
|
- entries[i].type = xrefEntryCompressed;
|
|
- break;
|
|
- default:
|
|
- return gFalse;
|
|
+ if (entries[i].offset == 0xffffffff) {
|
|
+ switch (type) {
|
|
+ case 0:
|
|
+ entries[i].offset = offset;
|
|
+ entries[i].gen = gen;
|
|
+ entries[i].type = xrefEntryFree;
|
|
+ break;
|
|
+ case 1:
|
|
+ entries[i].offset = offset;
|
|
+ entries[i].gen = gen;
|
|
+ entries[i].type = xrefEntryUncompressed;
|
|
+ break;
|
|
+ case 2:
|
|
+ entries[i].offset = offset;
|
|
+ entries[i].gen = gen;
|
|
+ entries[i].type = xrefEntryCompressed;
|
|
+ break;
|
|
+ default:
|
|
+ return gFalse;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -664,38 +694,44 @@
|
|
// look for object
|
|
} else if (isdigit(*p)) {
|
|
num = atoi(p);
|
|
- do {
|
|
- ++p;
|
|
- } while (*p && isdigit(*p));
|
|
- if (isspace(*p)) {
|
|
+ if (num > 0) {
|
|
do {
|
|
++p;
|
|
- } while (*p && isspace(*p));
|
|
- if (isdigit(*p)) {
|
|
- gen = atoi(p);
|
|
+ } while (*p && isdigit(*p));
|
|
+ if (isspace(*p)) {
|
|
do {
|
|
++p;
|
|
- } while (*p && isdigit(*p));
|
|
- if (isspace(*p)) {
|
|
+ } while (*p && isspace(*p));
|
|
+ if (isdigit(*p)) {
|
|
+ gen = atoi(p);
|
|
do {
|
|
++p;
|
|
- } while (*p && isspace(*p));
|
|
- if (!strncmp(p, "obj", 3)) {
|
|
- if (num >= size) {
|
|
- newSize = (num + 1 + 255) & ~255;
|
|
- entries = (XRefEntry *)
|
|
- grealloc(entries, newSize * sizeof(XRefEntry));
|
|
- for (i = size; i < newSize; ++i) {
|
|
- entries[i].offset = 0xffffffff;
|
|
- entries[i].type = xrefEntryFree;
|
|
+ } while (*p && isdigit(*p));
|
|
+ if (isspace(*p)) {
|
|
+ do {
|
|
+ ++p;
|
|
+ } while (*p && isspace(*p));
|
|
+ if (!strncmp(p, "obj", 3)) {
|
|
+ if (num >= size) {
|
|
+ newSize = (num + 1 + 255) & ~255;
|
|
+ if (newSize < 0) {
|
|
+ error(-1, "Bad object number");
|
|
+ return gFalse;
|
|
+ }
|
|
+ entries = (XRefEntry *)
|
|
+ grealloc(entries, newSize * sizeof(XRefEntry));
|
|
+ for (i = size; i < newSize; ++i) {
|
|
+ entries[i].offset = 0xffffffff;
|
|
+ entries[i].type = xrefEntryFree;
|
|
+ }
|
|
+ size = newSize;
|
|
+ }
|
|
+ if (entries[num].type == xrefEntryFree ||
|
|
+ gen >= entries[num].gen) {
|
|
+ entries[num].offset = pos - start;
|
|
+ entries[num].gen = gen;
|
|
+ entries[num].type = xrefEntryUncompressed;
|
|
}
|
|
- size = newSize;
|
|
- }
|
|
- if (entries[num].type == xrefEntryFree ||
|
|
- gen >= entries[num].gen) {
|
|
- entries[num].offset = pos - start;
|
|
- entries[num].gen = gen;
|
|
- entries[num].type = xrefEntryUncompressed;
|
|
}
|
|
}
|
|
}
|