$NetBSD: patch-ak,v 1.1.1.1 2005/03/31 22:09:18 hubertf Exp $ --- libs/xpdf/xpdf/XRef.cc.orig 2005-01-19 12:09:57.000000000 +0000 +++ libs/xpdf/xpdf/XRef.cc @@ -28,6 +28,7 @@ #include "Error.h" #include "ErrorCodes.h" #include "XRef.h" +#include //------------------------------------------------------------------------ @@ -388,6 +389,10 @@ GBool XRef::readXRefTable(Parser *parser if (newSize < 0) { goto err1; } + if (newSize >= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'newSize'"); + goto err1; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -493,6 +498,10 @@ GBool XRef::readXRefStream(Stream *xrefS goto err1; } if (newSize > size) { + if (newSize >= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'newSize'"); + goto err1; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -583,6 +592,10 @@ GBool XRef::readXRefStreamSection(Stream if (newSize < 0) { return gFalse; } + if (newSize >= INT_MAX / sizeof(XRefEntry)) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -718,6 +731,10 @@ GBool XRef::constructXRef() { error(-1, "Bad object number"); return gFalse; } + if (newSize >= INT_MAX / sizeof(XRefEntry)) { + error(-1, "Invalid 'newSize' parameters."); + return gFalse; + } entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { @@ -741,6 +758,10 @@ GBool XRef::constructXRef() { } else if (!strncmp(p, "endstream", 9)) { if (streamEndsLen == streamEndsSize) { streamEndsSize += 64; + if (streamEndsSize >= INT_MAX/sizeof(int)) { + error(-1, "Invalid 'streamEndSize' parameter."); + return gFalse; + } streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int)); }