Attachment #42122 for bug #68058

Lines 76-81 Link Here

(-)XRef.cc.orig (+19 lines)
76		76
77	// trailer is ok - read the xref table	77	// trailer is ok - read the xref table
78	} else {	78	} else {
		79	if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
		80	error(-1, "Invalid 'size' inside xref table.");
		81	ok = gFalse;
		82	errCode = errDamaged;
		83	return;
		84	}
79	entries = (XRefEntry )gmalloc(size sizeof(XRefEntry));	85	entries = (XRefEntry )gmalloc(size sizeof(XRefEntry));
80	for (i = 0; i < size; ++i) {	86	for (i = 0; i < size; ++i) {
81	entries[i].offset = 0xffffffff;	87	entries[i].offset = 0xffffffff;
Lines 267-272 Link Here
267	// table size	273	// table size
268	if (first + n > size) {	274	if (first + n > size) {
269	newSize = size + 256;	275	newSize = size + 256;
		276	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		277	error(-1, "Invalid 'newSize'");
		278	goto err2;
		279	}
270	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	280	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
271	for (i = size; i < newSize; ++i) {	281	for (i = size; i < newSize; ++i) {
272	entries[i].offset = 0xffffffff;	282	entries[i].offset = 0xffffffff;
Lines 410-415 Link Here
410	if (!strncmp(p, "obj", 3)) {	420	if (!strncmp(p, "obj", 3)) {
411	if (num >= size) {	421	if (num >= size) {
412	newSize = (num + 1 + 255) & ~255;	422	newSize = (num + 1 + 255) & ~255;
		423	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		424	error(-1, "Invalid 'obj' parameters.");
		425	return gFalse;
		426	}
413	entries = (XRefEntry *)	427	entries = (XRefEntry *)
414	grealloc(entries, newSize * sizeof(XRefEntry));	428	grealloc(entries, newSize * sizeof(XRefEntry));
415	for (i = size; i < newSize; ++i) {	429	for (i = size; i < newSize; ++i) {
Lines 431-436 Link Here
431	} else if (!strncmp(p, "endstream", 9)) {	445	} else if (!strncmp(p, "endstream", 9)) {
432	if (streamEndsLen == streamEndsSize) {	446	if (streamEndsLen == streamEndsSize) {
433	streamEndsSize += 64;	447	streamEndsSize += 64;
		448	if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
		449	error(-1, "Invalid 'endstream' parameter.");
		450	return gFalse;
		451	}
		452
434	streamEnds = (Guint *)grealloc(streamEnds,	453	streamEnds = (Guint *)grealloc(streamEnds,
435	streamEndsSize * sizeof(int));	454	streamEndsSize * sizeof(int));
436	}	455	}

Lines 63-68 Link Here

(-)Catalog.cc.orig (+10 lines)
63	}	63	}
64	pagesSize = numPages0 = obj.getInt();	64	pagesSize = numPages0 = obj.getInt();
65	obj.free();	65	obj.free();
		66	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		67	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		68	error(-1, "Invalid 'pagesSize'");
		69	ok = gFalse;
		70	return;
		71	}
66	pages = (Page *)gmalloc(pagesSize sizeof(Page *));	72	pages = (Page *)gmalloc(pagesSize sizeof(Page *));
67	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));	73	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));
68	for (i = 0; i < pagesSize; ++i) {	74	for (i = 0; i < pagesSize; ++i) {
Lines 190-195 Link Here
190	}	196	}
191	if (start >= pagesSize) {	197	if (start >= pagesSize) {
192	pagesSize += 32;	198	pagesSize += 32;
		199	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize) {
		200	error(-1, "Invalid 'pagesSize' parameter.");
		201	goto err3;
		202	}
193	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));	203	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));
194	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));	204	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));
195	for (j = pagesSize - 32; j < pagesSize; ++j) {	205	for (j = pagesSize - 32; j < pagesSize; ++j) {

Return to bug 68058