diff -Nurp ghostscript-8.64/jbig2dec/jbig2_generic.c ghostscript-8.64.new/jbig2dec/jbig2_generic.c
--- ghostscript-8.64/jbig2dec/jbig2_generic.c 2007-10-25 18:14:22.000000000 -0400
+++ ghostscript-8.64.new/jbig2dec/jbig2_generic.c 2009-06-11 21:01:53.529809021 -0400
@@ -599,6 +599,9 @@ jbig2_immediate_generic_region(Jbig2Ctx
     memcpy (params.gbat, gbat, gbat_bytes);
     image = jbig2_image_new(ctx, rsi.width, rsi.height);
+    if (image == NULL)
+        return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "invalid image");
     jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
         "allocated %d x %d image buffer for region decode results",
         rsi.width, rsi.height);
diff -Nurp ghostscript-8.64/jbig2dec/jbig2.h ghostscript-8.64.new/jbig2dec/jbig2.h
--- ghostscript-8.64/jbig2dec/jbig2.h 2007-06-05 18:23:38.000000000 -0400
+++ ghostscript-8.64.new/jbig2dec/jbig2.h 2009-06-11 21:01:53.429837021 -0400
@@ -59,7 +59,7 @@ struct _Jbig2Image {
     int refcount;
 };
-Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
+Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, unsigned long width, unsigned long height);
 Jbig2Image* jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
 void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
 void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
diff -Nurp ghostscript-8.64/jbig2dec/jbig2_image.c ghostscript-8.64.new/jbig2dec/jbig2_image.c
--- ghostscript-8.64/jbig2dec/jbig2_image.c 2007-06-05 18:23:38.000000000 -0400
+++ ghostscript-8.64.new/jbig2dec/jbig2_image.c 2009-06-11 21:01:53.577840934 -0400
@@ -24,6 +24,7 @@
 #include
 #include
 #include /* memcpy() */
+#include /* INT_MAX */
 #include "jbig2.h"
 #include "jbig2_priv.h"
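Review bot: The new `return jbig2_error(..., "invalid image")` line reports a message that does not say what went wrong, while the matching guards added to jbig2_refinement.c, jbig2_symbol_dict.c and jbig2_text.c in this same patch all say "unable to allocate image storage". Since jbig2_image_new now reports the dimension rejection itself before returning NULL, the caller-side text should match the other call sites: `"unable to allocate image storage");`. jbig2_immediate_generic_region starts and continues outside the hunk, so whether anything allocated earlier in it needs releasing on this return cannot be checked here.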
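Review bot: The changed prototype carries no documentation of its new contract, and the callers touched elsewhere in this patch still pass `int` expressions (rsi.width, IBO->width + RDW), so a reader of the header cannot tell that negative values are now expected to be caught by the implementation's range check rather than being accepted. I would add a comment above the declaration, e.g. `/* Allocate an image of width x height pixels. Returns NULL, after reporting a fatal error, when either dimension is 0 or greater than INT_MAX, or when allocation fails. The caller owns the result. */`. The ownership sentence is inferred from jbig2_image_release() being declared just below and should be confirmed against jbig2_image.c.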
@@ -31,10 +32,17 @@
 /* allocate a Jbig2Image structure and its associated bitmap */
-Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
+Jbig2Image* jbig2_image_new(Jbig2Ctx *ctx, unsigned long width, unsigned long height)
 {
     Jbig2Image *image;
-    int stride;
+    unsigned long stride;
+
+    if (width == 0 || height == 0 || width > INT_MAX || height > INT_MAX) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+            "invalid image dimensions! [%lux%lu]\n", width, height);
+        jbig2_free(ctx->allocator, image);
+        return NULL;
+    }
     image = (Jbig2Image *)jbig2_alloc(ctx->allocator, sizeof(*image));
     if (image == NULL) {
@@ -47,14 +55,14 @@ Jbig2Image* jbig2_image_new(Jbig2Ctx *ct
     image->data = (uint8_t *)jbig2_alloc(ctx->allocator, stride*height);
     if (image->data == NULL) {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
-            "could not allocate image data buffer! [%d bytes]\n", stride*height);
+            "could not allocate image data buffer! [%lu bytes]\n", stride*height);
         jbig2_free(ctx->allocator, image);
         return NULL;
     }
-    image->width = width;
-    image->height = height;
-    image->stride = stride;
+    image->width = (int) width;
+    image->height = (int) height;
+    image->stride = (int) stride;
     image->refcount = 1;
     return image;
diff -Nurp ghostscript-8.64/jbig2dec/jbig2_refinement.c ghostscript-8.64.new/jbig2dec/jbig2_refinement.c
--- ghostscript-8.64/jbig2dec/jbig2_refinement.c 2007-10-25 18:14:22.000000000 -0400
+++ ghostscript-8.64.new/jbig2dec/jbig2_refinement.c 2009-06-11 21:01:53.689835967 -0400
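Review bot: The new dimension guard calls `jbig2_free(ctx->allocator, image)` before `image` has been assigned — it is declared on the context line above as `Jbig2Image *image;` with no initializer and is only set by the jbig2_alloc call that follows the guard — so the early return frees an indeterminate pointer, which is undefined behaviour and with a real allocator a likely crash or heap corruption on exactly the input the check is meant to reject. Nothing has been allocated at that point, so the line should simply be deleted, leaving `jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "invalid image dimensions! [%lux%lu]\n", width, height);` followed directly by `return NULL;`. A separate weakness is that bounding each dimension by INT_MAX does not bound their product, which is the value later handed to jbig2_alloc; `unsigned long` is only 32 bits on ILP32 targets, so the product can still wrap there.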
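Review bot: The allocation `jbig2_alloc(ctx->allocator, stride*height)` on the first context line is still made with an unchecked product: with width and height each bounded only by INT_MAX, `stride*height` can exceed `ULONG_MAX` (trivially so where `unsigned long` is 32 bits), wrap to a small value, and hand back an undersized buffer that the region decoders then write into past its end. A bound on the product should be checked before the allocation, using ULONG_MAX from the same header the patch adds for INT_MAX; the stride computation sits above this hunk, so the range of `stride` cannot be confirmed here and the `stride != 0` test below covers the division. The cast `image->stride = (int) stride;` on the added line is safe only if stride never exceeds width, which also needs confirming against the computation outside the hunk.
```c
    /* … unchanged: stride computation … */
    if (stride != 0 && height > ULONG_MAX / stride) {
        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
            "image dimensions overflow! [%lux%lu]\n", width, height);
        jbig2_free(ctx->allocator, image);
        return NULL;
    }
    image->data = (uint8_t *)jbig2_alloc(ctx->allocator, stride*height);
    /* … unchanged: NULL check and field assignment … */
```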
@@ -407,7 +407,7 @@ jbig2_refinement_region(Jbig2Ctx *ctx, J
     image = jbig2_image_new(ctx, rsi.width, rsi.height);
     if (image == NULL)
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
-            "unable to allocate image storage");
+            "unable to allocate image storage");
     jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
         "allocated %d x %d image buffer for region decode results",
         rsi.width, rsi.height);
diff -Nurp ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c ghostscript-8.64.new/jbig2dec/jbig2_symbol_dict.c
--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c 2007-12-11 03:29:58.000000000 -0500
+++ ghostscript-8.64.new/jbig2dec/jbig2_symbol_dict.c 2009-06-11 21:01:53.710811788 -0400
@@ -370,6 +370,12 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
     memcpy(region_params.gbat, params->sdat, sdat_bytes);
     image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
+    if (image == NULL) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "unable to allocate image storage");
+        /* todo: memory cleanup */
+        return NULL;
+    }
     code = jbig2_decode_generic_region(ctx, segment, ®ion_params, as, image, GB_stats);
@@ -520,6 +526,12 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
         ID, RDX, RDY);
     image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
+    if (image == NULL) {
+        code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "Out of memory creating symbol image");
+        /* todo: memory cleanup */
+        return NULL;
+    }
     /* Table 18 */
     rparams.GRTEMPLATE = params->SDRTEMPLATE;
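Review bot: The new failure path returns NULL straight after `/* todo: memory cleanup */`, so whatever jbig2_decode_symbol_dict has allocated before this point (the symbol and statistics state it sets up above the hunk, which is not visible here) is leaked on every rejected or unallocatable image; because the dimension check in jbig2_image_new now makes this path reachable from the segment data itself, the leak is triggerable once per crafted segment rather than only under memory pressure. The same todo-and-return pattern appears in the hunks at symbol_dict lines 520 and 638 and in jbig2_text.c at lines 315 and 676. Rather than five bare returns, the function should jump to a single cleanup label, e.g. replace `return NULL;` with `goto cleanup;` and have the label run the function's existing end-of-function releases; which releases exist is outside the hunk, so the label body cannot be written from here.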
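Review bot: On the added line `code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,` the assignment to `code` is dead — the next statements are a todo comment and `return NULL;`, so the value is never read — and it silently differs from the otherwise identical guard added at line 370, which does not assign. Drop the assignment: `jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,`. The message `"Out of memory creating symbol image"` is also the only one of the new guards worded this way, and it is wrong for the dimension-rejection case that now also yields NULL; `"unable to allocate image storage"` would keep the log output uniform with the other sites.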
@@ -638,6 +650,13 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
         for (j = HCFIRSTSYM; j < NSYMSDECODED; j++) {
             Jbig2Image *glyph;
             glyph = jbig2_image_new(ctx, SDNEWSYMWIDTHS[j], HCHEIGHT);
+            if (glyph == NULL) {
+                jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+                    "unable to allocate image storage");
+                /* todo: memory cleanup */
+                return NULL;
+            }
+
             jbig2_image_compose(ctx, glyph, image, -x, 0, JBIG2_COMPOSE_REPLACE);
             x += SDNEWSYMWIDTHS[j];
diff -Nurp ghostscript-8.64/jbig2dec/jbig2_text.c ghostscript-8.64.new/jbig2dec/jbig2_text.c
--- ghostscript-8.64/jbig2dec/jbig2_text.c 2008-05-09 10:00:44.000000000 -0400
+++ ghostscript-8.64.new/jbig2dec/jbig2_text.c 2009-06-11 21:01:53.729836629 -0400
@@ -315,6 +315,12 @@ jbig2_decode_text_region(Jbig2Ctx *ctx,
     IBO = IB;
     image = jbig2_image_new(ctx, IBO->width + RDW, IBO->height + RDH);
+    if (image == NULL) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "unable to allocate image storage");
+        /* todo: memory cleanup */
+        return -1;
+    }
     /* Table 12 */
     rparams.GRTEMPLATE = params->SBRTEMPLATE;
@@ -676,6 +682,12 @@ jbig2_parse_text_region(Jbig2Ctx *ctx, J
     }
     image = jbig2_image_new(ctx, region_info.width, region_info.height);
+    if (image == NULL) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "unable to allocate image storage");
+        /* todo: memory cleanup */
+        return -1;
+    }
     ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
     if (!params.SBHUFF) {
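Review bot: The dimensions `IBO->width + RDW` and `IBO->height + RDH` on the context line are `int` arithmetic (width and height are `int` fields per the jbig2.h hunk) evaluated before the new guard ever runs, so the guard only catches a sum that is zero or negative once it has been converted to `unsigned long`; if RDW or RDH can be large enough in either direction to overflow the addition — they are decoded from the segment data above the hunk, so their range cannot be confirmed here — that overflow is undefined behaviour before jbig2_image_new is entered. A check such as `if (RDW > INT_MAX - IBO->width || RDH > INT_MAX - IBO->height)` reporting the same fatal error before the allocation (with the mirror check against INT_MIN if negative deltas are permitted) would make the computation well-defined. jbig2_decode_text_region continues outside the hunk.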