$NetBSD: patch-ak,v 1.4 2005/01/24 15:22:16 kei Exp $
--- libs/xpdf/xpdf/XRef.cc.original 2005-01-24 23:15:21.000000000 +0900
+++ libs/xpdf/xpdf/XRef.cc 2005-01-24 23:15:57.000000000 +0900
@@ -28,6 +28,7 @@
 #include "Error.h"
 #include "ErrorCodes.h"
 #include "XRef.h"
+#include
 //------------------------------------------------------------------------
@@ -76,6 +77,11 @@
 // trailer is ok - read the xref table
 } else {
+ if ( size >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ return;
+ }
 entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
 for (i = 0; i < size; ++i) {
 entries[i].offset = 0xffffffff;
@@ -267,6 +273,10 @@
 // table size
 if (first + n > size) {
 newSize = size + 256;
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
 entries[i].offset = 0xffffffff;
@@ -410,6 +420,10 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
+ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
 entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -431,6 +445,10 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
 streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int));
 }
@@ -481,6 +499,9 @@
 } else {
 keyLength = 5;
 }
+ if (keyLength > 16) {
+ keyLength = 16;
+ }
 permFlags = permissions.getInt();
 if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) {
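Review bot: The new guard `size >= INT_MAX/sizeof(XRefEntry)` in the hunk at -76 rejects a negative `size` only because the comparison is carried out in the unsigned type of `sizeof`; if `size` is a signed int (its declaration is outside the hunk), state that explicitly with `if (size < 0 || (size_t)size >= INT_MAX / sizeof(XRefEntry)) {` and a comment such as `// bound size before size * sizeof(XRefEntry) is passed to gmalloc`. The guards added at -267, -410 and -431 depend on the same conversion. `INT_MAX` comes from `<limits.h>`, and the `+#include` line in the first hunk shows no header name on this page, so check it against the original patch. The enclosing function starts and ends outside the hunk.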
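Review bot: The added bound in the hunk at -267 limits `newSize`, but `newSize` is always `size + 256` and is never compared with `first + n`, so when `first + n` exceeds `size + 256` the table is grown to less than the range that triggered the growth. If the code after the hunk fills `entries[first]` through `entries[first + n - 1]`, those writes would then land past the reallocated buffer. `first + n` is also evaluated before any range check, so large or negative values (presumably parsed from the file; the parsing is outside the hunk) can wrap. I would validate `first` and `n` first and size the table from them, as below; the surrounding loop and the `err2` label are outside the hunk.

```cpp
// reject subsection ranges that are negative or whose end would wrap
if (first < 0 || n < 0 || first > INT_MAX - n) {
  error(-1, "Invalid xref subsection range.");
  goto err2;
}
if (first + n > size) {
  // grow to cover the whole subsection, not a fixed 256 entries
  newSize = first + n;
  // … unchanged: INT_MAX/sizeof(XRefEntry) bound, grealloc, entry initialisation …
```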
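Review bot: In the hunk at -410 the rounding `(num + 1 + 255) & ~255` runs before the added bound, so a `num` close to `INT_MAX` overflows the signed addition first and the check then tests an already wrapped value (assuming `num` is an int; its declaration is outside the hunk). Bounding the input instead keeps the arithmetic defined: `if (num > INT_MAX - 256) { error(-1, "Invalid 'obj' parameters."); return gFalse; }` placed ahead of the `newSize` assignment. The enclosing function starts and ends outside the hunk, so whether buffers allocated earlier in it need releasing on this new `return gFalse` path cannot be judged from here.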
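Review bot: `streamEndsSize += 64` in the hunk at -431 is applied before the added check, so the `return gFalse` path leaves `streamEndsSize` 64 larger than the buffer `streamEnds` actually holds. If the object is used again after that failure, the `streamEndsLen == streamEndsSize` test no longer triggers a grow at the real capacity. Computing the candidate in a local, e.g. `newEndsSize = streamEndsSize + 64;`, and assigning `streamEndsSize = newEndsSize;` only after `grealloc` avoids that. The element size is written as `sizeof(int)` while the pointer is cast to `Guint *`; `sizeof(Guint)` in both the check and the `grealloc` call would keep them tied to the array type.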
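Review bot: The clamp added at -481 caps `keyLength` at 16 but sets no lower bound, so a zero or negative value from the branch above the hunk (only its `else` arm, `keyLength = 5`, is visible) would pass through unchanged. Adding `if (keyLength < 1) { keyLength = 5; }` next to it, or rejecting the document outright, would close the other end of the range. A short comment saying what the 16 corresponds to, for example `// keyLength must fit the key buffer used by the decryption code`, would help the next reader; that buffer is not visible here, so confirm the wording against the code that consumes `keyLength`.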