Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 42169 Details for
Bug 68058
app-text/xpdf: Integer overflows (CAN-2004-0888, CAN-2004-0889)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
xpdf-CESA-2004-007-xpdf2-newer.diff
xpdf-CESA-2004-007-xpdf2-newer.diff (text/plain), 2.65 KB, created by
solar (RETIRED)
on 2004-10-19 08:08:51 UTC
(
hide
)
Description:
xpdf-CESA-2004-007-xpdf2-newer.diff
Filename:
MIME Type:
Creator:
solar (RETIRED)
Created:
2004-10-19 08:08:51 UTC
Size:
2.65 KB
patch
obsolete
>--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700 >+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700 >@@ -76,6 +76,12 @@ > > // trailer is ok - read the xref table > } else { >+ if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { >+ error(-1, "Invalid 'size' inside xref table."); >+ ok = gFalse; >+ errCode = errDamaged; >+ return; >+ } > entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry)); > for (i = 0; i < size; ++i) { > entries[i].offset = 0xffffffff; >@@ -267,6 +273,10 @@ > // table size > if (first + n > size) { > newSize = size + 256; >+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { >+ error(-1, "Invalid 'newSize'"); >+ goto err2; >+ } > entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); > for (i = size; i < newSize; ++i) { > entries[i].offset = 0xffffffff; >@@ -410,6 +420,10 @@ > if (!strncmp(p, "obj", 3)) { > if (num >= size) { > newSize = (num + 1 + 255) & ~255; >+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { >+ error(-1, "Invalid 'obj' parameters."); >+ return gFalse; >+ } > entries = (XRefEntry *) > grealloc(entries, newSize * sizeof(XRefEntry)); > for (i = size; i < newSize; ++i) { >@@ -431,6 +445,11 @@ > } else if (!strncmp(p, "endstream", 9)) { > if (streamEndsLen == streamEndsSize) { > streamEndsSize += 64; >+ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) { >+ error(-1, "Invalid 'endstream' parameter."); >+ return gFalse; >+ } >+ > streamEnds = (Guint *)grealloc(streamEnds, > streamEndsSize * sizeof(int)); > } >--- Catalog.cc.orig 2004-10-18 16:26:39.388666476 +0200 >+++ Catalog.cc 2004-10-18 16:27:28.004749073 +0200 >@@ -62,6 +62,12 @@ > } > pagesSize = numPages0 = obj.getInt(); > obj.free(); >+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || >+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { >+ error(-1, "Invalid 'pagesSize'"); >+ ok = gFalse; >+ return; >+ } > pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); > pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); > for (i = 0; i < pagesSize; ++i) { >@@ -186,6 +192,11 @@ > } > if (start >= pagesSize) { > pagesSize += 32; >+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || >+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { >+ error(-1, "Invalid 'pagesSize' parameter."); >+ goto err3; >+ } > pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); > pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); > for (j = pagesSize - 32; j < pagesSize; ++j) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 68058
:
42122
|
42123
| 42169 |
42170
|
42242