e03d623234
http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities (CAN-2005-0064). Noticed by Hiroki Sato. Thanks! Bump PKGREVISION to 5.
67 lines
2 KiB
Text
67 lines
2 KiB
Text
$NetBSD: patch-ak,v 1.4 2005/01/24 15:22:16 kei Exp $
|
|
|
|
--- libs/xpdf/xpdf/XRef.cc.original 2005-01-24 23:15:21.000000000 +0900
|
|
+++ libs/xpdf/xpdf/XRef.cc 2005-01-24 23:15:57.000000000 +0900
|
|
@@ -28,6 +28,7 @@
|
|
#include "Error.h"
|
|
#include "ErrorCodes.h"
|
|
#include "XRef.h"
|
|
+#include <limits.h>
|
|
|
|
//------------------------------------------------------------------------
|
|
|
|
@@ -76,6 +77,11 @@
|
|
|
|
// trailer is ok - read the xref table
|
|
} else {
|
|
+ if ( size >= INT_MAX/sizeof(XRefEntry)) {
|
|
+ error(-1, "Invalid 'size' inside xref table.");
|
|
+ ok = gFalse;
|
|
+ return;
|
|
+ }
|
|
entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
|
|
for (i = 0; i < size; ++i) {
|
|
entries[i].offset = 0xffffffff;
|
|
@@ -267,6 +273,10 @@
|
|
// table size
|
|
if (first + n > size) {
|
|
newSize = size + 256;
|
|
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
|
|
+ error(-1, "Invalid 'newSize'");
|
|
+ goto err2;
|
|
+ }
|
|
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
|
|
for (i = size; i < newSize; ++i) {
|
|
entries[i].offset = 0xffffffff;
|
|
@@ -410,6 +420,10 @@
|
|
if (!strncmp(p, "obj", 3)) {
|
|
if (num >= size) {
|
|
newSize = (num + 1 + 255) & ~255;
|
|
+ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
|
|
+ error(-1, "Invalid 'obj' parameters.");
|
|
+ return gFalse;
|
|
+ }
|
|
entries = (XRefEntry *)
|
|
grealloc(entries, newSize * sizeof(XRefEntry));
|
|
for (i = size; i < newSize; ++i) {
|
|
@@ -431,6 +445,10 @@
|
|
} else if (!strncmp(p, "endstream", 9)) {
|
|
if (streamEndsLen == streamEndsSize) {
|
|
streamEndsSize += 64;
|
|
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
|
|
+ error(-1, "Invalid 'endstream' parameter.");
|
|
+ return gFalse;
|
|
+ }
|
|
streamEnds = (Guint *)grealloc(streamEnds,
|
|
streamEndsSize * sizeof(int));
|
|
}
|
|
@@ -481,6 +499,9 @@
|
|
} else {
|
|
keyLength = 5;
|
|
}
|
|
+ if (keyLength > 16) {
|
|
+ keyLength = 16;
|
|
+ }
|
|
permFlags = permissions.getInt();
|
|
if (encVersion >= 1 && encVersion <= 2 &&
|
|
encRevision >= 2 && encRevision <= 3) {
|