75 lines
1.8 KiB
Text
75 lines
1.8 KiB
Text
$NetBSD: patch-ai,v 1.1 2006/01/24 21:51:36 tron Exp $
|
|
|
|
--- libs/xpdf/xpdf/JBIG2Stream.cc.orig 2004-01-22 01:26:45.000000000 +0000
|
|
+++ libs/xpdf/xpdf/JBIG2Stream.cc 2006-01-24 18:51:43.000000000 +0000
|
|
@@ -7,6 +7,7 @@
|
|
//========================================================================
|
|
|
|
#include <aconf.h>
|
|
+#include <limits.h>
|
|
|
|
#ifdef USE_GCC_PRAGMAS
|
|
#pragma implementation
|
|
@@ -681,7 +682,13 @@
|
|
w = wA;
|
|
h = hA;
|
|
line = (wA + 7) >> 3;
|
|
- data = (Guchar *)gmalloc(h * line);
|
|
+
|
|
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
|
|
+ data = NULL;
|
|
+ }
|
|
+ else {
|
|
+ data = (Guchar *)gmalloc(h * line);
|
|
+ }
|
|
}
|
|
|
|
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
|
|
@@ -690,6 +697,12 @@
|
|
w = bitmap->w;
|
|
h = bitmap->h;
|
|
line = bitmap->line;
|
|
+
|
|
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
|
|
+ data = NULL;
|
|
+ return;
|
|
+ }
|
|
+
|
|
data = (Guchar *)gmalloc(h * line);
|
|
memcpy(data, bitmap->data, h * line);
|
|
}
|
|
@@ -716,7 +729,7 @@
|
|
}
|
|
|
|
void JBIG2Bitmap::expand(int newH, Guint pixel) {
|
|
- if (newH <= h) {
|
|
+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
|
|
return;
|
|
}
|
|
data = (Guchar *)grealloc(data, newH * line);
|
|
@@ -2256,6 +2269,15 @@
|
|
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
|
|
return;
|
|
}
|
|
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
|
|
+ error(getPos(), "Bad size in JBIG2 halftone segment");
|
|
+ return;
|
|
+ }
|
|
+ if (w == 0 || h >= INT_MAX / w) {
|
|
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
|
|
+ return;
|
|
+ }
|
|
+
|
|
patternDict = (JBIG2PatternDict *)seg;
|
|
bpp = 0;
|
|
i = 1;
|
|
@@ -2887,6 +2909,9 @@
|
|
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
|
|
int x, y, pix;
|
|
|
|
+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
|
|
+ return NULL;
|
|
+
|
|
bitmap = new JBIG2Bitmap(0, w, h);
|
|
bitmap->clearToZero();
|
|
|