blob: 87022ae50da84b39d547e16a3c1c8da5e172335c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
$NetBSD: patch-aj,v 1.1.1.1 2005/03/31 22:09:18 hubertf Exp $
--- libs/xpdf/xpdf/Catalog.cc.orig 2004-01-22 01:26:45.000000000 +0000
+++ libs/xpdf/xpdf/Catalog.cc
@@ -22,6 +22,7 @@
#include "Error.h"
#include "Link.h"
#include "Catalog.h"
+#include <limits.h>
//------------------------------------------------------------------------
// Catalog
@@ -64,6 +65,12 @@ Catalog::Catalog(XRef *xrefA) {
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
+ if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
+ (pagesSize >= INT_MAX / sizeof(Ref))) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +198,11 @@ int Catalog::readPageTree(Dict *pagesDic
}
if (start >= pagesSize) {
pagesSize += 32;
+ if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
+ (pagesSize >= INT_MAX/sizeof(Ref))) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
for (j = pagesSize - 32; j < pagesSize; ++j) {
|