Contents of /trunk/cups/patches/cups-1.1.22-xpdf2-underflow.patch
Parent Directory
| 
Revision Log
Revision 144 -
(show annotations)
(download)
Tue May 8 20:06:05 2007 UTC (17 years ago) by niro
File size: 2301 byte(s)
Tue May 8 20:06:05 2007 UTC (17 years ago) by niro
File size: 2301 byte(s)
-import
| 1 | diff -ru XRef.cxx XRef.cxx |
| 2 | --- XRef.cxx 2004-10-29 15:16:45.790089001 +0200 |
| 3 | +++ XRef.cxx 2004-10-29 15:11:54.132168025 +0200 |
| 4 | @@ -66,6 +66,8 @@ |
| 5 | start = str->getStart(); |
| 6 | pos = readTrailer(); |
| 7 | |
| 8 | + entries = NULL; |
| 9 | + |
| 10 | // if there was a problem with the trailer, |
| 11 | // try to reconstruct the xref table |
| 12 | if (pos == 0) { |
| 13 | @@ -76,7 +78,7 @@ |
| 14 | |
| 15 | // trailer is ok - read the xref table |
| 16 | } else { |
| 17 | - if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { |
| 18 | + if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) { |
| 19 | error(-1, "Invalid 'size' inside xref table."); |
| 20 | ok = gFalse; |
| 21 | errCode = errDamaged; |
| 22 | @@ -181,7 +183,7 @@ |
| 23 | n = atoi(p); |
| 24 | while ('0' <= *p && *p <= '9') ++p; |
| 25 | while (isspace(*p)) ++p; |
| 26 | - if (p == buf) { |
| 27 | + if ((p == buf) || (n < 0)) /* must make progress */ { |
| 28 | goto err1; |
| 29 | } |
| 30 | pos1 += (p - buf) + n * 20; |
| 31 | @@ -255,6 +257,10 @@ |
| 32 | } |
| 33 | s[i] = '\0'; |
| 34 | first = atoi(s); |
| 35 | + if (first < 0) { |
| 36 | + error(-1, "Invalid 'first'"); |
| 37 | + goto err2; |
| 38 | + } |
| 39 | while ((c = str->lookChar()) != EOF && isspace(c)) { |
| 40 | str->getChar(); |
| 41 | } |
| 42 | @@ -266,6 +272,10 @@ |
| 43 | } |
| 44 | s[i] = '\0'; |
| 45 | n = atoi(s); |
| 46 | + if (n<=0) { |
| 47 | + error(-1, "Invalid 'n'"); |
| 48 | + goto err2; |
| 49 | + } |
| 50 | while ((c = str->lookChar()) != EOF && isspace(c)) { |
| 51 | str->getChar(); |
| 52 | } |
| 53 | @@ -273,7 +283,7 @@ |
| 54 | // table size |
| 55 | if (first + n > size) { |
| 56 | newSize = first + n; |
| 57 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { |
| 58 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { |
| 59 | error(-1, "Invalid 'newSize'"); |
| 60 | goto err2; |
| 61 | } |
| 62 | @@ -406,6 +416,10 @@ |
| 63 | // look for object |
| 64 | } else if (isdigit(*p)) { |
| 65 | num = atoi(p); |
| 66 | + if (num < 0) { |
| 67 | + error(-1, "Invalid 'num' parameters."); |
| 68 | + return gFalse; |
| 69 | + } |
| 70 | do { |
| 71 | ++p; |
| 72 | } while (*p && isdigit(*p)); |
| 73 | @@ -425,7 +439,7 @@ |
| 74 | if (!strncmp(p, "obj", 3)) { |
| 75 | if (num >= size) { |
| 76 | newSize = (num + 1 + 255) & ~255; |
| 77 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { |
| 78 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { |
| 79 | error(-1, "Invalid 'obj' parameters."); |
| 80 | return gFalse; |
| 81 | } |