Attachment #42170 for bug #68058

Lines 64-69 Link Here

(-)Catalog.cc.orig (+14 lines)
64	}	64	}
65	pagesSize = numPages0 = (int)obj.getNum();	65	pagesSize = numPages0 = (int)obj.getNum();
66	obj.free();	66	obj.free();
		67	// The gcc doesnt optimize this away, so this check is ok,
		68	// even if it looks like a pagesSize != pagesSize check
		69	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		70	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		71	error(-1, "Invalid 'pagesSize'");
		72	ok = gFalse;
		73	return;
		74	}
		75
67	pages = (Page *)gmalloc(pagesSize sizeof(Page *));	76	pages = (Page *)gmalloc(pagesSize sizeof(Page *));
68	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));	77	pageRefs = (Ref )gmalloc(pagesSize sizeof(Ref));
69	for (i = 0; i < pagesSize; ++i) {	78	for (i = 0; i < pagesSize; ++i) {
Lines 191-196 Link Here
191	}	200	}
192	if (start >= pagesSize) {	201	if (start >= pagesSize) {
193	pagesSize += 32;	202	pagesSize += 32;
		203	if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|
		204	pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
		205	error(-1, "Invalid 'pagesSize' parameter.");
		206	goto err3;
		207	}
194	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));	208	pages = (Page *)grealloc(pages, pagesSize sizeof(Page *));
195	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));	209	pageRefs = (Ref )grealloc(pageRefs, pagesSize sizeof(Ref));
196	for (j = pagesSize - 32; j < pagesSize; ++j) {	210	for (j = pagesSize - 32; j < pagesSize; ++j) {

Lines 96-102 Link Here

(-)XRef.cc.orig (-49 / +111 lines)
96	}	96	}
97	nObjects = obj1.getInt();	97	nObjects = obj1.getInt();
98	obj1.free();	98	obj1.free();
99	if (nObjects == 0) {	99	if (nObjects <= 0) {
100	goto err1;	100	goto err1;
101	}	101	}
102		102
Lines 106-112 Link Here
106	}	106	}
107	first = obj1.getInt();	107	first = obj1.getInt();
108	obj1.free();	108	obj1.free();
		109	if (first < 0) {
		110	goto err1;
		111	}
109		112
		113	if (nObjects*sizeof(int)/sizeof(int) != nObjects) {
		114	error(-1, "Invalid 'nObjects'");
		115	goto err1;
		116	}
		117
110	objs = new Object[nObjects];	118	objs = new Object[nObjects];
111	objNums = (int )gmalloc(nObjects sizeof(int));	119	objNums = (int )gmalloc(nObjects sizeof(int));
112	offsets = (int )gmalloc(nObjects sizeof(int));	120	offsets = (int )gmalloc(nObjects sizeof(int));
Lines 130-135 Link Here
130	offsets[i] = obj2.getInt();	138	offsets[i] = obj2.getInt();
131	obj1.free();	139	obj1.free();
132	obj2.free();	140	obj2.free();
		141	if (objNums[i] < 0 \|\| offsets[i] < 0 \|\|
		142	(i > 0 && offsets[i] < offsets[i-1])) {
		143	delete parser;
		144	gfree(offsets);
		145	goto err1;
		146	}
133	}	147	}
134	while (str->getChar() != EOF) ;	148	while (str->getChar() != EOF) ;
135	delete parser;	149	delete parser;
Lines 369-378 Link Here
369	}	383	}
370	n = obj.getInt();	384	n = obj.getInt();
371	obj.free();	385	obj.free();
		386	if (first < 0 \|\| n < 0 \|\| first + n < 0) {
		387	goto err1;
		388	}
372	if (first + n > size) {	389	if (first + n > size) {
373	for (newSize = size ? 2 * size : 1024;	390	for (newSize = size ? 2 * size : 1024;
374	first + n > newSize;	391	first + n > newSize && newSize > 0;
375	newSize <<= 1) ;	392	newSize <<= 1) ;
		393	if (newSize < 0) {
		394	goto err1;
		395	}
		396	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		397	error(-1, "Invalid 'obj' parameters'");
		398	goto err1;
		399	}
		400
376	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	401	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
377	for (i = size; i < newSize; ++i) {	402	for (i = size; i < newSize; ++i) {
378	entries[i].offset = 0xffffffff;	403	entries[i].offset = 0xffffffff;
Lines 443-449 Link Here
443		468
444	// check for an 'XRefStm' key	469	// check for an 'XRefStm' key
445	if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {	470	if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
446	pos2 = obj2.getInt();	471	pos2 = (Guint)obj2.getInt();
447	readXRef(&pos2);	472	readXRef(&pos2);
448	if (!ok) {	473	if (!ok) {
449	goto err1;	474	goto err1;
Lines 474-480 Link Here
474	}	499	}
475	newSize = obj.getInt();	500	newSize = obj.getInt();
476	obj.free();	501	obj.free();
		502	if (newSize < 0) {
		503	goto err1;
		504	}
477	if (newSize > size) {	505	if (newSize > size) {
		506	if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		507	error(-1, "Invalid 'size' parameter.");
		508	return gFalse;
		509	}
478	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	510	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
479	for (i = size; i < newSize; ++i) {	511	for (i = size; i < newSize; ++i) {
480	entries[i].offset = 0xffffffff;	512	entries[i].offset = 0xffffffff;
Lines 494-499 Link Here
494	}	526	}
495	w[i] = obj2.getInt();	527	w[i] = obj2.getInt();
496	obj2.free();	528	obj2.free();
		529	if (w[i] < 0 \|\| w[i] > 4) {
		530	goto err1;
		531	}
497	}	532	}
498	obj.free();	533	obj.free();
499		534
Lines 513-525 Link Here
513	}	548	}
514	n = obj.getInt();	549	n = obj.getInt();
515	obj.free();	550	obj.free();
516	if (!readXRefStreamSection(xrefStr, w, first, n)) {	551	if (first < 0 \|\| n < 0 \|\|
		552	!readXRefStreamSection(xrefStr, w, first, n)) {
517	idx.free();	553	idx.free();
518	goto err0;	554	goto err0;
519	}	555	}
520	}	556	}
521	} else {	557	} else {
522	if (!readXRefStreamSection(xrefStr, w, 0, size)) {	558	if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
523	idx.free();	559	idx.free();
524	goto err0;	560	goto err0;
525	}	561	}
Lines 551-560 Link Here
551	Guint offset;	587	Guint offset;
552	int type, gen, c, newSize, i, j;	588	int type, gen, c, newSize, i, j;
553		589
		590	if (first + n < 0) {
		591	return gFalse;
		592	}
554	if (first + n > size) {	593	if (first + n > size) {
555	for (newSize = size ? 2 * size : 1024;	594	for (newSize = size ? 2 * size : 1024;
556	first + n > newSize;	595	first + n > newSize && newSize > 0;
557	newSize <<= 1) ;	596	newSize <<= 1) ;
		597	if (newSize < 0) {
		598	return gFalse;
		599	}
		600	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		601	error(-1, "Invalid 'size' inside xref table.");
		602	return gFalse;
		603	}
558	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));	604	entries = (XRefEntry )grealloc(entries, newSize sizeof(XRefEntry));
559	for (i = size; i < newSize; ++i) {	605	for (i = size; i < newSize; ++i) {
560	entries[i].offset = 0xffffffff;	606	entries[i].offset = 0xffffffff;
Lines 585-608 Link Here
585	}	631	}
586	gen = (gen << 8) + c;	632	gen = (gen << 8) + c;
587	}	633	}
588	switch (type) {	634	if (entries[i].offset == 0xffffffff) {
589	case 0:	635	switch (type) {
590	entries[i].offset = offset;	636	case 0:
591	entries[i].gen = gen;	637	entries[i].offset = offset;
592	entries[i].type = xrefEntryFree;	638	entries[i].gen = gen;
593	break;	639	entries[i].type = xrefEntryFree;
594	case 1:	640	break;
595	entries[i].offset = offset;	641	case 1:
596	entries[i].gen = gen;	642	entries[i].offset = offset;
597	entries[i].type = xrefEntryUncompressed;	643	entries[i].gen = gen;
598	break;	644	entries[i].type = xrefEntryUncompressed;
599	case 2:	645	break;
600	entries[i].offset = offset;	646	case 2:
601	entries[i].gen = gen;	647	entries[i].offset = offset;
602	entries[i].type = xrefEntryCompressed;	648	entries[i].gen = gen;
603	break;	649	entries[i].type = xrefEntryCompressed;
604	default:	650	break;
605	return gFalse;	651	default:
		652	return gFalse;
		653	}
606	}	654	}
607	}	655	}
608		656
Lines 664-701 Link Here
664	// look for object	712	// look for object
665	} else if (isdigit(*p)) {	713	} else if (isdigit(*p)) {
666	num = atoi(p);	714	num = atoi(p);
667	do {	715	if (num > 0) {
668	++p;
669	} while (p && isdigit(p));
670	if (isspace(*p)) {
671	do {	716	do {
672	++p;	717	++p;
673	} while (p && isspace(p));	718	} while (p && isdigit(p));
674	if (isdigit(*p)) {	719	if (isspace(*p)) {
675	gen = atoi(p);
676	do {	720	do {
677	++p;	721	++p;
678	} while (p && isdigit(p));	722	} while (p && isspace(p));
679	if (isspace(*p)) {	723	if (isdigit(*p)) {
		724	gen = atoi(p);
680	do {	725	do {
681	++p;	726	++p;
682	} while (p && isspace(p));	727	} while (p && isdigit(p));
683	if (!strncmp(p, "obj", 3)) {	728	if (isspace(*p)) {
684	if (num >= size) {	729	do {
685	newSize = (num + 1 + 255) & ~255;	730	++p;
686	entries = (XRefEntry *)	731	} while (p && isspace(p));
687	grealloc(entries, newSize * sizeof(XRefEntry));	732	if (!strncmp(p, "obj", 3)) {
688	for (i = size; i < newSize; ++i) {	733	if (num >= size) {
689	entries[i].offset = 0xffffffff;	734	newSize = (num + 1 + 255) & ~255;
690	entries[i].type = xrefEntryFree;	735	if (newSize < 0) {
		736	error(-1, "Bad object number");
		737	return gFalse;
		738	}
		739	if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
		740	error(-1, "Invalid 'obj' parameters.");
		741	return gFalse;
		742	}
		743	entries = (XRefEntry *)
		744	grealloc(entries, newSize * sizeof(XRefEntry));
		745	for (i = size; i < newSize; ++i) {
		746	entries[i].offset = 0xffffffff;
		747	entries[i].type = xrefEntryFree;
		748	}
		749	size = newSize;
		750	}
		751	if (entries[num].type == xrefEntryFree \|\|
		752	gen >= entries[num].gen) {
		753	entries[num].offset = pos - start;
		754	entries[num].gen = gen;
		755	entries[num].type = xrefEntryUncompressed;
691	}	756	}
692	size = newSize;
693	}
694	if (entries[num].type == xrefEntryFree \|\|
695	gen >= entries[num].gen) {
696	entries[num].offset = pos - start;
697	entries[num].gen = gen;
698	entries[num].type = xrefEntryUncompressed;
699	}	757	}
700	}	758	}
701	}	759	}
Lines 705-710 Link Here
705	} else if (!strncmp(p, "endstream", 9)) {	763	} else if (!strncmp(p, "endstream", 9)) {
706	if (streamEndsLen == streamEndsSize) {	764	if (streamEndsLen == streamEndsSize) {
707	streamEndsSize += 64;	765	streamEndsSize += 64;
		766	if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
		767	error(-1, "Invalid 'endstream' parameter.");
		768	return gFalse;
		769	}
708	streamEnds = (Guint *)grealloc(streamEnds,	770	streamEnds = (Guint *)grealloc(streamEnds,
709	streamEndsSize * sizeof(int));	771	streamEndsSize * sizeof(int));
710	}	772	}

Return to bug 68058