Annotation of /trunk/cups/patches/cups-1.1.22-xpdf2-underflow.patch
Parent Directory
| 
Revision Log
Revision 144 -
(hide annotations)
(download)
Tue May 8 20:06:05 2007 UTC (17 years, 1 month ago) by niro
File size: 2301 byte(s)
Tue May 8 20:06:05 2007 UTC (17 years, 1 month ago) by niro
File size: 2301 byte(s)
-import
| 1 | niro | 144 | diff -ru XRef.cxx XRef.cxx |
| 2 | --- XRef.cxx 2004-10-29 15:16:45.790089001 +0200 | ||
| 3 | +++ XRef.cxx 2004-10-29 15:11:54.132168025 +0200 | ||
| 4 | @@ -66,6 +66,8 @@ | ||
| 5 | start = str->getStart(); | ||
| 6 | pos = readTrailer(); | ||
| 7 | |||
| 8 | + entries = NULL; | ||
| 9 | + | ||
| 10 | // if there was a problem with the trailer, | ||
| 11 | // try to reconstruct the xref table | ||
| 12 | if (pos == 0) { | ||
| 13 | @@ -76,7 +78,7 @@ | ||
| 14 | |||
| 15 | // trailer is ok - read the xref table | ||
| 16 | } else { | ||
| 17 | - if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { | ||
| 18 | + if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) { | ||
| 19 | error(-1, "Invalid 'size' inside xref table."); | ||
| 20 | ok = gFalse; | ||
| 21 | errCode = errDamaged; | ||
| 22 | @@ -181,7 +183,7 @@ | ||
| 23 | n = atoi(p); | ||
| 24 | while ('0' <= *p && *p <= '9') ++p; | ||
| 25 | while (isspace(*p)) ++p; | ||
| 26 | - if (p == buf) { | ||
| 27 | + if ((p == buf) || (n < 0)) /* must make progress */ { | ||
| 28 | goto err1; | ||
| 29 | } | ||
| 30 | pos1 += (p - buf) + n * 20; | ||
| 31 | @@ -255,6 +257,10 @@ | ||
| 32 | } | ||
| 33 | s[i] = '\0'; | ||
| 34 | first = atoi(s); | ||
| 35 | + if (first < 0) { | ||
| 36 | + error(-1, "Invalid 'first'"); | ||
| 37 | + goto err2; | ||
| 38 | + } | ||
| 39 | while ((c = str->lookChar()) != EOF && isspace(c)) { | ||
| 40 | str->getChar(); | ||
| 41 | } | ||
| 42 | @@ -266,6 +272,10 @@ | ||
| 43 | } | ||
| 44 | s[i] = '\0'; | ||
| 45 | n = atoi(s); | ||
| 46 | + if (n<=0) { | ||
| 47 | + error(-1, "Invalid 'n'"); | ||
| 48 | + goto err2; | ||
| 49 | + } | ||
| 50 | while ((c = str->lookChar()) != EOF && isspace(c)) { | ||
| 51 | str->getChar(); | ||
| 52 | } | ||
| 53 | @@ -273,7 +283,7 @@ | ||
| 54 | // table size | ||
| 55 | if (first + n > size) { | ||
| 56 | newSize = first + n; | ||
| 57 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { | ||
| 58 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { | ||
| 59 | error(-1, "Invalid 'newSize'"); | ||
| 60 | goto err2; | ||
| 61 | } | ||
| 62 | @@ -406,6 +416,10 @@ | ||
| 63 | // look for object | ||
| 64 | } else if (isdigit(*p)) { | ||
| 65 | num = atoi(p); | ||
| 66 | + if (num < 0) { | ||
| 67 | + error(-1, "Invalid 'num' parameters."); | ||
| 68 | + return gFalse; | ||
| 69 | + } | ||
| 70 | do { | ||
| 71 | ++p; | ||
| 72 | } while (*p && isdigit(*p)); | ||
| 73 | @@ -425,7 +439,7 @@ | ||
| 74 | if (!strncmp(p, "obj", 3)) { | ||
| 75 | if (num >= size) { | ||
| 76 | newSize = (num + 1 + 255) & ~255; | ||
| 77 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { | ||
| 78 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { | ||
| 79 | error(-1, "Invalid 'obj' parameters."); | ||
| 80 | return gFalse; | ||
| 81 | } |