Annotation of /trunk/cups/patches/cups-1.1.22-xpdf2-underflow.patch
Parent Directory | Revision Log
Revision 144 -
(hide annotations)
(download)
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2301 byte(s)
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2301 byte(s)
-import
1 | niro | 144 | diff -ru XRef.cxx XRef.cxx |
2 | --- XRef.cxx 2004-10-29 15:16:45.790089001 +0200 | ||
3 | +++ XRef.cxx 2004-10-29 15:11:54.132168025 +0200 | ||
4 | @@ -66,6 +66,8 @@ | ||
5 | start = str->getStart(); | ||
6 | pos = readTrailer(); | ||
7 | |||
8 | + entries = NULL; | ||
9 | + | ||
10 | // if there was a problem with the trailer, | ||
11 | // try to reconstruct the xref table | ||
12 | if (pos == 0) { | ||
13 | @@ -76,7 +78,7 @@ | ||
14 | |||
15 | // trailer is ok - read the xref table | ||
16 | } else { | ||
17 | - if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { | ||
18 | + if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) { | ||
19 | error(-1, "Invalid 'size' inside xref table."); | ||
20 | ok = gFalse; | ||
21 | errCode = errDamaged; | ||
22 | @@ -181,7 +183,7 @@ | ||
23 | n = atoi(p); | ||
24 | while ('0' <= *p && *p <= '9') ++p; | ||
25 | while (isspace(*p)) ++p; | ||
26 | - if (p == buf) { | ||
27 | + if ((p == buf) || (n < 0)) /* must make progress */ { | ||
28 | goto err1; | ||
29 | } | ||
30 | pos1 += (p - buf) + n * 20; | ||
31 | @@ -255,6 +257,10 @@ | ||
32 | } | ||
33 | s[i] = '\0'; | ||
34 | first = atoi(s); | ||
35 | + if (first < 0) { | ||
36 | + error(-1, "Invalid 'first'"); | ||
37 | + goto err2; | ||
38 | + } | ||
39 | while ((c = str->lookChar()) != EOF && isspace(c)) { | ||
40 | str->getChar(); | ||
41 | } | ||
42 | @@ -266,6 +272,10 @@ | ||
43 | } | ||
44 | s[i] = '\0'; | ||
45 | n = atoi(s); | ||
46 | + if (n<=0) { | ||
47 | + error(-1, "Invalid 'n'"); | ||
48 | + goto err2; | ||
49 | + } | ||
50 | while ((c = str->lookChar()) != EOF && isspace(c)) { | ||
51 | str->getChar(); | ||
52 | } | ||
53 | @@ -273,7 +283,7 @@ | ||
54 | // table size | ||
55 | if (first + n > size) { | ||
56 | newSize = first + n; | ||
57 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { | ||
58 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { | ||
59 | error(-1, "Invalid 'newSize'"); | ||
60 | goto err2; | ||
61 | } | ||
62 | @@ -406,6 +416,10 @@ | ||
63 | // look for object | ||
64 | } else if (isdigit(*p)) { | ||
65 | num = atoi(p); | ||
66 | + if (num < 0) { | ||
67 | + error(-1, "Invalid 'num' parameters."); | ||
68 | + return gFalse; | ||
69 | + } | ||
70 | do { | ||
71 | ++p; | ||
72 | } while (*p && isdigit(*p)); | ||
73 | @@ -425,7 +439,7 @@ | ||
74 | if (!strncmp(p, "obj", 3)) { | ||
75 | if (num >= size) { | ||
76 | newSize = (num + 1 + 255) & ~255; | ||
77 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { | ||
78 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { | ||
79 | error(-1, "Invalid 'obj' parameters."); | ||
80 | return gFalse; | ||
81 | } |