Annotation of /trunk/poppler/patches/poppler-0.5.4-CVE-2007-3387.patch
Parent Directory
| 
Revision Log
Revision 287 -
(hide annotations)
(download)
Fri Aug 3 16:55:13 2007 UTC (16 years, 9 months ago) by niro
File size: 1029 byte(s)
Fri Aug 3 16:55:13 2007 UTC (16 years, 9 months ago) by niro
File size: 1029 byte(s)
-security update CVE-2007-3387
| 1 | niro | 287 | diff -Naur poppler-0.5.4/poppler/Stream.cc poppler-0.5.4-fixed/poppler/Stream.cc |
| 2 | --- poppler-0.5.4/poppler/Stream.cc 2006-07-28 20:07:41.000000000 +0200 | ||
| 3 | +++ poppler-0.5.4-fixed/poppler/Stream.cc 2007-08-03 18:53:08.000000000 +0200 | ||
| 4 | @@ -422,12 +422,6 @@ | ||
| 5 | ok = gFalse; | ||
| 6 | |||
| 7 | nVals = width * nComps; | ||
| 8 | - if (width <= 0 || nComps <= 0 || nBits <= 0 || | ||
| 9 | - nComps >= INT_MAX/nBits || | ||
| 10 | - width >= INT_MAX/nComps/nBits || | ||
| 11 | - nVals * nBits + 7 < 0) { | ||
| 12 | - return; | ||
| 13 | - } | ||
| 14 | totalBits = nVals * nBits; | ||
| 15 | if (totalBits == 0 || | ||
| 16 | (totalBits / nBits) / nComps != width || | ||
| 17 | @@ -436,7 +430,11 @@ | ||
| 18 | } | ||
| 19 | pixBytes = (nComps * nBits + 7) >> 3; | ||
| 20 | rowBytes = ((totalBits + 7) >> 3) + pixBytes; | ||
| 21 | - if (rowBytes < 0) { | ||
| 22 | + if (width <= 0 || nComps <= 0 || nBits <= 0 || | ||
| 23 | + nComps > gfxColorMaxComps || | ||
| 24 | + nBits > 16 || | ||
| 25 | + width >= INT_MAX / nComps || // check for overflow in nVals | ||
| 26 | + nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes | ||
| 27 | return; | ||
| 28 | } | ||
| 29 | predLine = (Guchar *)gmalloc(rowBytes); |