Attachment #76071 for bug #117481




//========================================================================

#include <aconf.h>
#include <limits.h>

#ifdef USE_GCC_PRAGMAS
#pragma implementation

  int segType;
  GBool haveSIZ, haveCOD, haveQCD, haveSOT;
  Guint precinctSize, style;
  Guint segLen, capabilities, nTiles, comp, i, j, r;

  //----- main header
  haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;

	            / img.xTileSize;
      img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
	            / img.yTileSize;
      // check for overflow before allocating memory
      if (img.nXTiles <= 0 || img.nYTiles <= 0 || 
              img.nXTiles >= INT_MAX/img.nYTiles) {
          error(getPos(), "Bad tile count in JPX SIZ marker segment");
          return gFalse;
      }
      nTiles = img.nXTiles * img.nYTiles;
      if (nTiles >= INT_MAX/sizeof(JPXTile)) {
	error(getPos(), "Bad tile count in JPX SIZ marker segment");
	return gFalse;
      }
      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));

      for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
							sizeof(JPXTileComp));

Lines 233-238 public: Link Here

(-)xpdf-3.00/xpdf/Stream.h (+3 lines)
233		233
234	~StreamPredictor();	234	~StreamPredictor();
235		235
		236	GBool isOk() { return ok; }
		237
236	int lookChar();	238	int lookChar();
237	int getChar();	239	int getChar();
238		240
Lines 250-255 private: Link Here
250	int rowBytes; // bytes per line	252	int rowBytes; // bytes per line
251	Guchar *predLine; // line buffer	253	Guchar *predLine; // line buffer
252	int predIdx; // current index in predLine	254	int predIdx; // current index in predLine
		255	GBool ok;
253	};	256	};
254		257
255	//------------------------------------------------------------------------	258	//------------------------------------------------------------------------

Lines 15-20 Link Here

(-)xpdf-3.00/xpdf/Stream.cc (-2 / +47 lines)
15	#include <stdio.h>	15	#include <stdio.h>
16	#include <stdlib.h>	16	#include <stdlib.h>
17	#include <stddef.h>	17	#include <stddef.h>
		18	#include <limits.h>
18	#ifndef WIN32	19	#ifndef WIN32
19	#include <unistd.h>	20	#include <unistd.h>
20	#endif	21	#endif
Lines 412-424 StreamPredictor::StreamPredictor(Stream Link Here
412	width = widthA;	413	width = widthA;
413	nComps = nCompsA;	414	nComps = nCompsA;
414	nBits = nBitsA;	415	nBits = nBitsA;
		416	predLine = NULL;
		417	ok = gFalse;
415		418
		419	if (width <= 0 \|\| nComps <= 0 \|\| nBits <= 0 \|\|
		420	nComps >= INT_MAX/nBits \|\|
		421	width >= INT_MAX/nComps/nBits) {
		422	return;
		423	}
416	nVals = width * nComps;	424	nVals = width * nComps;
		425	if (nVals * nBits + 7 <= 0) {
		426	return;
		427	}
417	pixBytes = (nComps * nBits + 7) >> 3;	428	pixBytes = (nComps * nBits + 7) >> 3;
418	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;	429	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
		430	if (rowBytes < 0) {
		431	return;
		432	}
419	predLine = (Guchar *)gmalloc(rowBytes);	433	predLine = (Guchar *)gmalloc(rowBytes);
420	memset(predLine, 0, rowBytes);	434	memset(predLine, 0, rowBytes);
421	predIdx = rowBytes;	435	predIdx = rowBytes;
		436
		437	ok = gTrue;
422	}	438	}
423		439
424	StreamPredictor::~StreamPredictor() {	440	StreamPredictor::~StreamPredictor() {
Lines 1012-1017 LZWStream::LZWStream(Stream *strA, int p Link Here
1012	FilterStream(strA) {	1028	FilterStream(strA) {
1013	if (predictor != 1) {	1029	if (predictor != 1) {
1014	pred = new StreamPredictor(this, predictor, columns, colors, bits);	1030	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		1031	if (!pred->isOk()) {
		1032	delete pred;
		1033	pred = NULL;
		1034	}
1015	} else {	1035	} else {
1016	pred = NULL;	1036	pred = NULL;
1017	}	1037	}
Lines 1260-1265 CCITTFaxStream::CCITTFaxStream(Stream *s Link Here
1260	endOfLine = endOfLineA;	1280	endOfLine = endOfLineA;
1261	byteAlign = byteAlignA;	1281	byteAlign = byteAlignA;
1262	columns = columnsA;	1282	columns = columnsA;
		1283	if (columns < 1 \|\| columns >= INT_MAX / sizeof(short)) {
		1284	error(-1, "invalid number of columns: %d", columns);
		1285	exit(1);
		1286	}
1263	rows = rowsA;	1287	rows = rowsA;
1264	endOfBlock = endOfBlockA;	1288	endOfBlock = endOfBlockA;
1265	black = blackA;	1289	black = blackA;
Lines 2897-2902 GBool DCTStream::readBaselineSOF() { Link Here
2897	height = read16();	2921	height = read16();
2898	width = read16();	2922	width = read16();
2899	numComps = str->getChar();	2923	numComps = str->getChar();
		2924	if (numComps <= 0 \|\| numComps > 4) {
		2925	numComps = 0;
		2926	error(getPos(), "Bad number of components in DCT stream");
		2927	return gFalse;
		2928	}
2900	if (prec != 8) {	2929	if (prec != 8) {
2901	error(getPos(), "Bad DCT precision %d", prec);	2930	error(getPos(), "Bad DCT precision %d", prec);
2902	return gFalse;	2931	return gFalse;
Lines 2923-2928 GBool DCTStream::readProgressiveSOF() { Link Here
2923	height = read16();	2952	height = read16();
2924	width = read16();	2953	width = read16();
2925	numComps = str->getChar();	2954	numComps = str->getChar();
		2955	if (numComps <= 0 \|\| numComps > 4) {
		2956	numComps = 0;
		2957	error(getPos(), "Bad number of components in DCT stream");
		2958	return gFalse;
		2959	}
2926	if (prec != 8) {	2960	if (prec != 8) {
2927	error(getPos(), "Bad DCT precision %d", prec);	2961	error(getPos(), "Bad DCT precision %d", prec);
2928	return gFalse;	2962	return gFalse;
Lines 2945-2950 GBool DCTStream::readScanInfo() { Link Here
2945		2979
2946	length = read16() - 2;	2980	length = read16() - 2;
2947	scanInfo.numComps = str->getChar();	2981	scanInfo.numComps = str->getChar();
		2982	if (scanInfo.numComps <= 0 \|\| scanInfo.numComps > 4) {
		2983	scanInfo.numComps = 0;
		2984	error(getPos(), "Bad number of components in DCT stream");
		2985	return gFalse;
		2986	}
2948	--length;	2987	--length;
2949	if (length != 2 * scanInfo.numComps + 3) {	2988	if (length != 2 * scanInfo.numComps + 3) {
2950	error(getPos(), "Bad DCT scan info block");	2989	error(getPos(), "Bad DCT scan info block");
Lines 3019-3030 GBool DCTStream::readHuffmanTables() { Link Here
3019	while (length > 0) {	3058	while (length > 0) {
3020	index = str->getChar();	3059	index = str->getChar();
3021	--length;	3060	--length;
3022	if ((index & 0x0f) >= 4) {	3061	if ((index & ~0x10) >= 4 \|\| (index & ~0x10) < 0) {
3023	error(getPos(), "Bad DCT Huffman table");	3062	error(getPos(), "Bad DCT Huffman table");
3024	return gFalse;	3063	return gFalse;
3025	}	3064	}
3026	if (index & 0x10) {	3065	if (index & 0x10) {
3027	index &= 0x0f;	3066	index &= 0x03;
3028	if (index >= numACHuffTables)	3067	if (index >= numACHuffTables)
3029	numACHuffTables = index+1;	3068	numACHuffTables = index+1;
3030	tbl = &acHuffTables[index];	3069	tbl = &acHuffTables[index];
Lines 3142-3150 int DCTStream::readMarker() { Link Here
3142	do {	3181	do {
3143	do {	3182	do {
3144	c = str->getChar();	3183	c = str->getChar();
		3184	if(c == EOF) return EOF;
3145	} while (c != 0xff);	3185	} while (c != 0xff);
3146	do {	3186	do {
3147	c = str->getChar();	3187	c = str->getChar();
		3188	if(c == EOF) return EOF;
3148	} while (c == 0xff);	3189	} while (c == 0xff);
3149	} while (c == 0x00);	3190	} while (c == 0x00);
3150	return c;	3191	return c;
Lines 3255-3260 FlateStream::FlateStream(Stream *strA, i Link Here
3255	FilterStream(strA) {	3296	FilterStream(strA) {
3256	if (predictor != 1) {	3297	if (predictor != 1) {
3257	pred = new StreamPredictor(this, predictor, columns, colors, bits);	3298	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		3299	if (!pred->isOk()) {
		3300	delete pred;
		3301	pred = NULL;
		3302	}
3258	} else {	3303	} else {
3259	pred = NULL;	3304	pred = NULL;
3260	}	3305	}

Lines 7-12 Link Here

(-)xpdf-3.00/xpdf/JBIG2Stream.cc (-4 / +41 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 681-687 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
681	w = wA;	682	w = wA;
682	h = hA;	683	h = hA;
683	line = (wA + 7) >> 3;	684	line = (wA + 7) >> 3;
684	data = (Guchar )gmalloc(h line);	685
		686	if (h < 0 \|\| line <= 0 \|\| h >= (INT_MAX - 1) / line) {
		687	error(-1, "invalid width/height");
		688	data = NULL;
		689	return;
		690	}
		691
		692	// need to allocate one extra guard byte for use in combine()
		693	data = (Guchar )gmalloc(h line + 1);
		694	data[h * line] = 0;
685	}	695	}
686		696
687	JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):	697	JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
Lines 690-697 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
690	w = bitmap->w;	700	w = bitmap->w;
691	h = bitmap->h;	701	h = bitmap->h;
692	line = bitmap->line;	702	line = bitmap->line;
693	data = (Guchar )gmalloc(h line);	703
		704	if (h < 0 \|\| line <= 0 \|\| h >= (INT_MAX - 1) / line) {
		705	error(-1, "invalid width/height");
		706	data = NULL;
		707	return;
		708	}
		709
		710	// need to allocate one extra guard byte for use in combine()
		711	data = (Guchar )gmalloc(h line + 1);
694	memcpy(data, bitmap->data, h * line);	712	memcpy(data, bitmap->data, h * line);
		713	data[h * line] = 0;
695	}	714	}
696		715
697	JBIG2Bitmap::~JBIG2Bitmap() {	716	JBIG2Bitmap::~JBIG2Bitmap() {
Lines 716-725 JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint Link Here
716	}	735	}
717		736
718	void JBIG2Bitmap::expand(int newH, Guint pixel) {	737	void JBIG2Bitmap::expand(int newH, Guint pixel) {
719	if (newH <= h) {	738	if (newH <= h \|\| line <= 0 \|\| newH >= (INT_MAX - 1) / line) {
		739	error(-1, "invalid width/height");
		740	gfree(data);
		741	data = NULL;
720	return;	742	return;
721	}	743	}
722	data = (Guchar )grealloc(data, newH line);	744	// need to allocate one extra guard byte for use in combine()
		745	data = (Guchar )grealloc(data, newH line + 1);
723	if (pixel) {	746	if (pixel) {
724	memset(data + h * line, 0xff, (newH - h) * line);	747	memset(data + h * line, 0xff, (newH - h) * line);
725	} else {	748	} else {
Lines 2256-2261 void JBIG2Stream::readHalftoneRegionSeg( Link Here
2256	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");	2279	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
2257	return;	2280	return;
2258	}	2281	}
		2282	if (gridH == 0 \|\| gridW >= INT_MAX / gridH) {
		2283	error(getPos(), "Bad size in JBIG2 halftone segment");
		2284	return;
		2285	}
		2286	if (w == 0 \|\| h >= INT_MAX / w) {
		2287	error(getPos(), "Bad size in JBIG2 bitmap segment");
		2288	return;
		2289	}
		2290
2259	patternDict = (JBIG2PatternDict *)seg;	2291	patternDict = (JBIG2PatternDict *)seg;
2260	bpp = 0;	2292	bpp = 0;
2261	i = 1;	2293	i = 1;
Lines 2887-2892 JBIG2Bitmap *JBIG2Stream::readGenericRef Link Here
2887	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;	2919	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
2888	int x, y, pix;	2920	int x, y, pix;
2889		2921
		2922	if (w < 0 \|\| h <= 0 \|\| w >= INT_MAX / h) {
		2923	error(-1, "invalid width/height");
		2924	return NULL;
		2925	}
		2926
2890	bitmap = new JBIG2Bitmap(0, w, h);	2927	bitmap = new JBIG2Bitmap(0, w, h);
2891	bitmap->clearToZero();	2928	bitmap->clearToZero();
2892		2929

Return to bug 117481

Lines 7-12 Link Here

(-)xpdf-3.00/xpdf/JPXStream.cc (-3 / +15 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 666-672 GBool JPXStream::readCodestream(Guint le Link Here
666	int segType;	667	int segType;
667	GBool haveSIZ, haveCOD, haveQCD, haveSOT;	668	GBool haveSIZ, haveCOD, haveQCD, haveSOT;
668	Guint precinctSize, style;	669	Guint precinctSize, style;
669	Guint segLen, capabilities, comp, i, j, r;	670	Guint segLen, capabilities, nTiles, comp, i, j, r;
670		671
671	//----- main header	672	//----- main header
672	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;	673	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
Lines 701-708 GBool JPXStream::readCodestream(Guint le Link Here
701	/ img.xTileSize;	702	/ img.xTileSize;
702	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)	703	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
703	/ img.yTileSize;	704	/ img.yTileSize;
704	img.tiles = (JPXTile )gmalloc(img.nXTiles img.nYTiles *	705	// check for overflow before allocating memory
705	sizeof(JPXTile));	706	if (img.nXTiles <= 0 \|\| img.nYTiles <= 0 \|\|
		707	img.nXTiles >= INT_MAX/img.nYTiles) {
		708	error(getPos(), "Bad tile count in JPX SIZ marker segment");
		709	return gFalse;
		710	}
		711	nTiles = img.nXTiles * img.nYTiles;
		712	if (nTiles >= INT_MAX/sizeof(JPXTile)) {
		713	error(getPos(), "Bad tile count in JPX SIZ marker segment");
		714	return gFalse;
		715	}
		716	img.tiles = (JPXTile )gmalloc(nTiles sizeof(JPXTile));
		717
706	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {	718	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
707	img.tiles[i].tileComps = (JPXTileComp )gmalloc(img.nComps	719	img.tiles[i].tileComps = (JPXTileComp )gmalloc(img.nComps
708	sizeof(JPXTileComp));	720	sizeof(JPXTileComp));