Contents of /trunk/cups/patches/cups-1.1.22-xpdf2-underflow.patch
Revision 144 -
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2301 byte(s)
-import
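--- a/XRef.cxx
+++ b/XRef.cxx
@@ -66,6 +66,8 @@
 start = str->getStart();
 pos = readTrailer();
 
+ entries = NULL;
+
 // if there was a problem with the trailer,
 // try to reconstruct the xref table
 if (pos == 0) {
@@ -76,7 +78,7 @@
 
 // trailer is ok - read the xref table
 } else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) {
 error(-1, "Invalid 'size' inside xref table.");
 ok = gFalse;
 errCode = errDamaged;
@@ -181,7 +183,7 @@
 n = atoi(p);
 while ('0' <= *p && *p <= '9') ++p;
 while (isspace(*p)) ++p;
- if (p == buf) {
+ if ((p == buf) || (n < 0)) /* must make progress */ {
 goto err1;
 }
 pos1 += (p - buf) + n * 20;
@@ -255,6 +257,10 @@
 }
 s[i] = '\0';
 first = atoi(s);
+ if (first < 0) {
+ error(-1, "Invalid 'first'");
+ goto err2;
+ }
 while ((c = str->lookChar()) != EOF && isspace(c)) {
 str->getChar();
 }
@@ -266,6 +272,10 @@
 }
 s[i] = '\0';
 n = atoi(s);
+ if (n<=0) {
+ error(-1, "Invalid 'n'");
+ goto err2;
+ }
 while ((c = str->lookChar()) != EOF && isspace(c)) {
 str->getChar();
 }
@@ -273,7 +283,7 @@
 // table size
 if (first + n > size) {
 newSize = first + n;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) {
 error(-1, "Invalid 'newSize'");
 goto err2;
 }
@@ -406,6 +416,10 @@
 // look for object
 } else if (isdigit(*p)) {
 num = atoi(p);
+ if (num < 0) {
+ error(-1, "Invalid 'num' parameters.");
+ return gFalse;
+ }
 do {
 ++p;
 } while (*p && isdigit(*p));
@@ -425,7 +439,7 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) {
 error(-1, "Invalid 'obj' parameters.");
 return gFalse;
 }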
72 | } while (*p && isdigit(*p)); |
73 | @@ -425,7 +439,7 @@ |
74 | if (!strncmp(p, "obj", 3)) { |
75 | if (num >= size) { |
76 | newSize = (num + 1 + 255) & ~255; |
77 | - if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { |
78 | + if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { |
79 | error(-1, "Invalid 'obj' parameters."); |
80 | return gFalse; |
81 | } |