Attachment #42169 for bug #68058

Lines 76-81 Link Here

(-)XRef.cc.orig (+19 lines)
76		76
77	// trailer is ok - read the xref table	77	// trailer is ok - read the xref table
78	} else {	78	} else {
		79	if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
		80	error(-1, "Invalid 'size' inside xref table.");
		81	ok = gFalse;
		82	errCode = errDamaged;
		83	return;
		84	}
79	entries = (XRefEntry )gmalloc(size sizeof(XRefEntry));	85	entries = (XRefEntry )gmalloc(size sizeof(XRefEntry));
80	for (i = 0; i < size; ++i) {	86	for (i = 0; i < size; ++i) {
81	entries[i].offset = 0xffffffff;	87	entries[i].offset = 0xffffffff;
Lines 267-272 Link Here
267	// table size	273	// table size
268	if (first + n > size) {	274	if (first + n > size) {
269	newSize = size + 256;	275	newSize = size + 256;
		276	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		277	error(-1, "Invalid 'newSize'");
		278	goto err2;
		279	}
270	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	280	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
271	for (i = size; i < newSize; ++i) {	281	for (i = size; i < newSize; ++i) {
272	entries[i].offset = 0xffffffff;	282	entries[i].offset = 0xffffffff;
Lines 410-415 Link Here
410	if (!strncmp(p, "obj", 3)) {	420	if (!strncmp(p, "obj", 3)) {
411	if (num >= size) {	421	if (num >= size) {
412	newSize = (num + 1 + 255) & ~255;	422	newSize = (num + 1 + 255) & ~255;
		423	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		424	error(-1, "Invalid 'obj' parameters.");
		425	return gFalse;
		426	}
413	entries = (XRefEntry *)	427	entries = (XRefEntry *)
414	grealloc(entries, newSize * sizeof(XRefEntry));	428	grealloc(entries, newSize * sizeof(XRefEntry));
415	for (i = size; i < newSize; ++i) {	429	for (i = size; i < newSize; ++i) {
Lines 431-436 Link Here
431	} else if (!strncmp(p, "endstream", 9)) {	445	} else if (!strncmp(p, "endstream", 9)) {
432	if (streamEndsLen == streamEndsSize) {	446	if (streamEndsLen == streamEndsSize) {
433	streamEndsSize += 64;	447	streamEndsSize += 64;
		448	if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
		449	error(-1, "Invalid 'endstream' parameter.");
		450	return gFalse;
		451	}
		452
434	streamEnds = (Guint *)grealloc(streamEnds,	453	streamEnds = (Guint *)grealloc(streamEnds,
435	streamEndsSize * sizeof(int));	454	streamEndsSize * sizeof(int));
436	}	455	}

Lines 62-67 Link Here

(-)Catalog.cc.orig (+11 lines)
62	}	62	}
63	pagesSize = numPages0 = obj.getInt();	63	pagesSize = numPages0 = obj.getInt();
64	obj.free();	64	obj.free();
		65	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		66	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		67	error(-1, "Invalid 'pagesSize'");
		68	ok = gFalse;
		69	return;
		70	}
65	pages = (Page *)gmalloc(pagesSize sizeof(Page *));	71	pages = (Page *)gmalloc(pagesSize sizeof(Page *));
66	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));	72	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));
67	for (i = 0; i < pagesSize; ++i) {	73	for (i = 0; i < pagesSize; ++i) {
Lines 186-191 Link Here
186	}	192	}
187	if (start >= pagesSize) {	193	if (start >= pagesSize) {
188	pagesSize += 32;	194	pagesSize += 32;
		195	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		196	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		197	error(-1, "Invalid 'pagesSize' parameter.");
		198	goto err3;
		199	}
189	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));	200	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));
190	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));	201	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));
191	for (j = pagesSize - 32; j < pagesSize; ++j) {	202	for (j = pagesSize - 32; j < pagesSize; ++j) {

Return to bug 68058