38 lines
1.4 KiB
Text
38 lines
1.4 KiB
Text
$NetBSD: patch-ag,v 1.1 2006/01/24 21:51:36 tron Exp $
|
|
|
|
--- libs/xpdf/xpdf/JPXStream.cc.orig 2004-01-22 01:26:45.000000000 +0000
|
|
+++ libs/xpdf/xpdf/JPXStream.cc 2006-01-24 18:32:17.000000000 +0000
|
|
@@ -7,6 +7,7 @@
|
|
//========================================================================
|
|
|
|
#include <aconf.h>
|
|
+#include <limits.h>
|
|
|
|
#ifdef USE_GCC_PRAGMAS
|
|
#pragma implementation
|
|
@@ -666,7 +667,7 @@
|
|
int segType;
|
|
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
|
|
Guint precinctSize, style;
|
|
- Guint segLen, capabilities, comp, i, j, r;
|
|
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
|
|
|
|
//----- main header
|
|
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
|
|
@@ -701,8 +702,14 @@
|
|
/ img.xTileSize;
|
|
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
|
|
/ img.yTileSize;
|
|
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
|
|
- sizeof(JPXTile));
|
|
+ // check for overflow before allocating memory
|
|
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
|
|
+ img.nXTiles >= INT_MAX/img.nYTiles) {
|
|
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
|
|
+ return gFalse;
|
|
+ }
|
|
+ nTiles = img.nXTiles * img.nYTiles;
|
|
+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
|
|
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
|
|
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
|
|
sizeof(JPXTileComp));
|