Contents of /trunk/xpdf/patches/xpdf-3.02pl1.patch
Parent Directory | Revision Log
Revision 287 -
(show annotations)
(download)
Fri Aug 3 16:55:13 2007 UTC (17 years, 1 month ago) by niro
File size: 1050 byte(s)
Fri Aug 3 16:55:13 2007 UTC (17 years, 1 month ago) by niro
File size: 1050 byte(s)
-security update CVE-2007-3387
1 | *** xpdf-3.02.orig/xpdf/Stream.cc Tue Feb 27 14:05:52 2007 |
2 | --- xpdf-3.02/xpdf/Stream.cc Thu Jul 26 14:44:43 2007 |
3 | *************** |
4 | *** 410,424 **** |
5 | ok = gFalse; |
6 | |
7 | nVals = width * nComps; |
8 | - if (width <= 0 || nComps <= 0 || nBits <= 0 || |
9 | - nComps >= INT_MAX / nBits || |
10 | - width >= INT_MAX / nComps / nBits || |
11 | - nVals * nBits + 7 < 0) { |
12 | - return; |
13 | - } |
14 | pixBytes = (nComps * nBits + 7) >> 3; |
15 | rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; |
16 | ! if (rowBytes <= 0) { |
17 | return; |
18 | } |
19 | predLine = (Guchar *)gmalloc(rowBytes); |
20 | --- 410,422 ---- |
21 | ok = gFalse; |
22 | |
23 | nVals = width * nComps; |
24 | pixBytes = (nComps * nBits + 7) >> 3; |
25 | rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; |
26 | ! if (width <= 0 || nComps <= 0 || nBits <= 0 || |
27 | ! nComps > gfxColorMaxComps || |
28 | ! nBits > 16 || |
29 | ! width >= INT_MAX / nComps || // check for overflow in nVals |
30 | ! nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes |
31 | return; |
32 | } |
33 | predLine = (Guchar *)gmalloc(rowBytes); |