Attachment #74937 for bug #115851

Lines 7-12 Link Here

(-)kpdf/xpdf/xpdf/JBIG2Stream.cc (-1 / +33 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 681-686 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
681	w = wA;	682	w = wA;
682	h = hA;	683	h = hA;
683	line = (wA + 7) >> 3;	684	line = (wA + 7) >> 3;
		685
		686	if (h < 0 \|\| line <= 0 \|\| h >= INT_MAX / line) {
		687	error(-1, "invalid width/height");
		688	data = NULL;
		689	return;
		690	}
		691
684	data = (Guchar )gmalloc(h line);	692	data = (Guchar )gmalloc(h line);
685	}	693	}
686		694
Lines 690-695 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, Link Here
690	w = bitmap->w;	698	w = bitmap->w;
691	h = bitmap->h;	699	h = bitmap->h;
692	line = bitmap->line;	700	line = bitmap->line;
		701
		702	if (h < 0 \|\| line <= 0 \|\| h >= INT_MAX / line) {
		703	error(-1, "invalid width/height");
		704	data = NULL;
		705	return;
		706	}
		707
693	data = (Guchar )gmalloc(h line);	708	data = (Guchar )gmalloc(h line);
694	memcpy(data, bitmap->data, h * line);	709	memcpy(data, bitmap->data, h * line);
695	}	710	}
Lines 716-722 JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint Link Here
716	}	731	}
717		732
718	void JBIG2Bitmap::expand(int newH, Guint pixel) {	733	void JBIG2Bitmap::expand(int newH, Guint pixel) {
719	if (newH <= h) {	734	if (newH <= h \|\| line <= 0 \|\| newH >= INT_MAX / line) {
		735	error(-1, "invalid width/height");
		736	gfree(data);
		737	data = NULL;
720	return;	738	return;
721	}	739	}
722	data = (Guchar )grealloc(data, newH line);	740	data = (Guchar )grealloc(data, newH line);
Lines 2256-2261 void JBIG2Stream::readHalftoneRegionSeg( Link Here
2256	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");	2274	error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
2257	return;	2275	return;
2258	}	2276	}
		2277	if (gridH == 0 \|\| gridW >= INT_MAX / gridH) {
		2278	error(getPos(), "Bad size in JBIG2 halftone segment");
		2279	return;
		2280	}
		2281	if (w == 0 \|\| h >= INT_MAX / w) {
		2282	error(getPos(), "Bad size in JBIG2 bitmap segment");
		2283	return;
		2284	}
		2285
2259	patternDict = (JBIG2PatternDict *)seg;	2286	patternDict = (JBIG2PatternDict *)seg;
2260	bpp = 0;	2287	bpp = 0;
2261	i = 1;	2288	i = 1;
Lines 2887-2892 JBIG2Bitmap *JBIG2Stream::readGenericRef Link Here
2887	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;	2914	JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
2888	int x, y, pix;	2915	int x, y, pix;
2889		2916
		2917	if (w < 0 \|\| h <= 0 \|\| w >= INT_MAX / h) {
		2918	error(-1, "invalid width/height");
		2919	return NULL;
		2920	}
		2921
2890	bitmap = new JBIG2Bitmap(0, w, h);	2922	bitmap = new JBIG2Bitmap(0, w, h);
2891	bitmap->clearToZero();	2923	bitmap->clearToZero();
2892		2924

Lines 15-20 Link Here

(-)kpdf/xpdf/xpdf/Stream.cc (-2 / +46 lines)
15	#include <stdio.h>	15	#include <stdio.h>
16	#include <stdlib.h>	16	#include <stdlib.h>
17	#include <stddef.h>	17	#include <stddef.h>
		18	#include <limits.h>
18	#ifndef WIN32	19	#ifndef WIN32
19	#include <unistd.h>	20	#include <unistd.h>
20	#endif	21	#endif
Lines 413-425 StreamPredictor::StreamPredictor(Stream Link Here
413	width = widthA;	414	width = widthA;
414	nComps = nCompsA;	415	nComps = nCompsA;
415	nBits = nBitsA;	416	nBits = nBitsA;
		417	predLine = NULL;
		418	ok = gFalse;
		419
		420	if (width <= 0 \|\| nComps <= 0 \|\| nBits <= 0 \|\|
		421	nComps >= INT_MAX / nBits \|\|
		422	width >= INT_MAX / nComps / nBits)
		423	return;
416		424
417	nVals = width * nComps;	425	nVals = width * nComps;
		426	if (nVals * nBits + 7 <= 0)
		427	return;
418	pixBytes = (nComps * nBits + 7) >> 3;	428	pixBytes = (nComps * nBits + 7) >> 3;
419	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;	429	rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
		430	if (rowBytes < 0)
		431	return;
		432
420	predLine = (Guchar *)gmalloc(rowBytes);	433	predLine = (Guchar *)gmalloc(rowBytes);
421	memset(predLine, 0, rowBytes);	434	memset(predLine, 0, rowBytes);
422	predIdx = rowBytes;	435	predIdx = rowBytes;
		436
		437	ok = gTrue;
423	}	438	}
424		439
425	StreamPredictor::~StreamPredictor() {	440	StreamPredictor::~StreamPredictor() {
Lines 1013-1018 LZWStream::LZWStream(Stream *strA, int p Link Here
1013	FilterStream(strA) {	1028	FilterStream(strA) {
1014	if (predictor != 1) {	1029	if (predictor != 1) {
1015	pred = new StreamPredictor(this, predictor, columns, colors, bits);	1030	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		1031	if (!pred->isOk()) {
		1032	delete pred;
		1033	pred = NULL;
		1034	}
1016	} else {	1035	} else {
1017	pred = NULL;	1036	pred = NULL;
1018	}	1037	}
Lines 1261-1266 CCITTFaxStream::CCITTFaxStream(Stream *s Link Here
1261	endOfLine = endOfLineA;	1280	endOfLine = endOfLineA;
1262	byteAlign = byteAlignA;	1281	byteAlign = byteAlignA;
1263	columns = columnsA;	1282	columns = columnsA;
		1283	if (columns < 1 \|\| columns >= INT_MAX / sizeof(short)) {
		1284	error(-1, "invalid number of columns");
		1285	exit(1);
		1286	}
1264	rows = rowsA;	1287	rows = rowsA;
1265	endOfBlock = endOfBlockA;	1288	endOfBlock = endOfBlockA;
1266	black = blackA;	1289	black = blackA;
Lines 2899-2904 GBool DCTStream::readBaselineSOF() { Link Here
2899	height = read16();	2922	height = read16();
2900	width = read16();	2923	width = read16();
2901	numComps = str->getChar();	2924	numComps = str->getChar();
		2925	if (numComps <= 0 \|\| numComps > 4) {
		2926	numComps = 0;
		2927	error(getPos(), "Bad number of components in DCT stream");
		2928	return gFalse;
		2929	}
2902	if (prec != 8) {	2930	if (prec != 8) {
2903	error(getPos(), "Bad DCT precision %d", prec);	2931	error(getPos(), "Bad DCT precision %d", prec);
2904	return gFalse;	2932	return gFalse;
Lines 2925-2930 GBool DCTStream::readProgressiveSOF() { Link Here
2925	height = read16();	2953	height = read16();
2926	width = read16();	2954	width = read16();
2927	numComps = str->getChar();	2955	numComps = str->getChar();
		2956	if (numComps <= 0 \|\| numComps > 4) {
		2957	numComps = 0;
		2958	error(getPos(), "Bad number of components in DCT stream");
		2959	return gFalse;
		2960	}
2928	if (prec != 8) {	2961	if (prec != 8) {
2929	error(getPos(), "Bad DCT precision %d", prec);	2962	error(getPos(), "Bad DCT precision %d", prec);
2930	return gFalse;	2963	return gFalse;
Lines 2947-2952 GBool DCTStream::readScanInfo() { Link Here
2947		2980
2948	length = read16() - 2;	2981	length = read16() - 2;
2949	scanInfo.numComps = str->getChar();	2982	scanInfo.numComps = str->getChar();
		2983	if (scanInfo.numComps <= 0 \|\| scanInfo.numComps > 4) {
		2984	scanInfo.numComps = 0;
		2985	error(getPos(), "Bad number of components in DCT stream");
		2986	return gFalse;
		2987	}
2950	--length;	2988	--length;
2951	if (length != 2 * scanInfo.numComps + 3) {	2989	if (length != 2 * scanInfo.numComps + 3) {
2952	error(getPos(), "Bad DCT scan info block");	2990	error(getPos(), "Bad DCT scan info block");
Lines 3021-3032 GBool DCTStream::readHuffmanTables() { Link Here
3021	while (length > 0) {	3059	while (length > 0) {
3022	index = str->getChar();	3060	index = str->getChar();
3023	--length;	3061	--length;
3024	if ((index & 0x0f) >= 4) {	3062	if ((index & ~0x10) >= 4 \|\| (index & ~0x10) < 0) {
3025	error(getPos(), "Bad DCT Huffman table");	3063	error(getPos(), "Bad DCT Huffman table");
3026	return gFalse;	3064	return gFalse;
3027	}	3065	}
3028	if (index & 0x10) {	3066	if (index & 0x10) {
3029	index &= 0x0f;	3067	index &= 0x03;
3030	if (index >= numACHuffTables)	3068	if (index >= numACHuffTables)
3031	numACHuffTables = index+1;	3069	numACHuffTables = index+1;
3032	tbl = &acHuffTables[index];	3070	tbl = &acHuffTables[index];
Lines 3144-3152 int DCTStream::readMarker() { Link Here
3144	do {	3182	do {
3145	do {	3183	do {
3146	c = str->getChar();	3184	c = str->getChar();
		3185	if(c == EOF) return EOF;
3147	} while (c != 0xff);	3186	} while (c != 0xff);
3148	do {	3187	do {
3149	c = str->getChar();	3188	c = str->getChar();
		3189	if(c == EOF) return EOF;
3150	} while (c == 0xff);	3190	} while (c == 0xff);
3151	} while (c == 0x00);	3191	} while (c == 0x00);
3152	return c;	3192	return c;
Lines 3258-3263 FlateStream::FlateStream(Stream *strA, i Link Here
3258	FilterStream(strA) {	3298	FilterStream(strA) {
3259	if (predictor != 1) {	3299	if (predictor != 1) {
3260	pred = new StreamPredictor(this, predictor, columns, colors, bits);	3300	pred = new StreamPredictor(this, predictor, columns, colors, bits);
		3301	if (!pred->isOk()) {
		3302	delete pred;
		3303	pred = NULL;
		3304	}
3261	} else {	3305	} else {
3262	pred = NULL;	3306	pred = NULL;
3263	}	3307	}

Lines 233-238 public: Link Here

(-)kpdf/xpdf/xpdf/Stream.h (+3 lines)
233		233
234	~StreamPredictor();	234	~StreamPredictor();
235		235
		236	GBool isOk() { return ok; }
		237
236	int lookChar();	238	int lookChar();
237	int getChar();	239	int getChar();
238		240
Lines 250-255 private: Link Here
250	int rowBytes; // bytes per line	252	int rowBytes; // bytes per line
251	Guchar *predLine; // line buffer	253	Guchar *predLine; // line buffer
252	int predIdx; // current index in predLine	254	int predIdx; // current index in predLine
		255	GBool ok;
253	};	256	};
254		257
255	//------------------------------------------------------------------------	258	//------------------------------------------------------------------------

Lines 7-12 Link Here

(-)kpdf/xpdf/xpdf/JPXStream.cc (-3 / +8 lines)
7	//========================================================================	7	//========================================================================
8		8
9	#include <aconf.h>	9	#include <aconf.h>
		10	#include <limits.h>
10		11
11	#ifdef USE_GCC_PRAGMAS	12	#ifdef USE_GCC_PRAGMAS
12	#pragma implementation	13	#pragma implementation
Lines 666-672 GBool JPXStream::readCodestream(Guint /* Link Here
666	int segType;	667	int segType;
667	GBool haveSIZ, haveCOD, haveQCD, haveSOT;	668	GBool haveSIZ, haveCOD, haveQCD, haveSOT;
668	Guint precinctSize, style;	669	Guint precinctSize, style;
669	Guint segLen, capabilities, comp, i, j, r;	670	Guint segLen, capabilities, nTiles, comp, i, j, r;
670		671
671	//----- main header	672	//----- main header
672	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;	673	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
Lines 701-708 GBool JPXStream::readCodestream(Guint /* Link Here
701	/ img.xTileSize;	702	/ img.xTileSize;
702	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)	703	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
703	/ img.yTileSize;	704	/ img.yTileSize;
704	img.tiles = (JPXTile )gmalloc(img.nXTiles img.nYTiles *	705	nTiles = img.nXTiles * img.nYTiles;
705	sizeof(JPXTile));	706	if (img.nXTiles <= 0 \|\| img.nYTiles <= 0 \|\| img.nXTiles >= INT_MAX / img.nYTiles) {
		707	error(getPos(), "Bad tile count in JPX SIZ marker segment");
		708	return gFalse;
		709	}
		710	img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
706	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {	711	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
707	img.tiles[i].tileComps = (JPXTileComp )gmalloc(img.nComps	712	img.tiles[i].tileComps = (JPXTileComp )gmalloc(img.nComps
708	sizeof(JPXTileComp));	713	sizeof(JPXTileComp));




#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <limits.h>
#include "gmem.h"

#ifdef DEBUG_MEM

#endif
}

void *gmallocn(int nObjs, int objSize) {
  int n;

  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
  }
  return gmalloc(n);
}

void *greallocn(void *p, int nObjs, int objSize) {
  int n;

  n = nObjs * objSize;
  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
  }
  return grealloc(p, n);
}

#ifdef DEBUG_MEM
void gMemReport(FILE *f) {
  GMemHdr *p;

Lines 28-33 extern void *gmalloc(size_t size); Link Here

(-)kpdf/xpdf/goo/gmem.h (+9 lines)
28	extern void grealloc(void p, size_t size);	28	extern void grealloc(void p, size_t size);
29		29
30	/*	30	/*
		31	* These are similar to gmalloc and grealloc, but take an object count
		32	* and size. The result is similar to allocating nObjs * objSize
		33	* bytes, but there is an additional error check that the total size
		34	* doesn't overflow an int.
		35	*/
		36	extern void *gmallocn(int nObjs, int objSize);
		37	extern void greallocn(void p, int nObjs, int objSize);
		38
		39	/*
31	* Same as free, but checks for and ignores NULL pointers.	40	* Same as free, but checks for and ignores NULL pointers.
32	*/	41	*/
33	extern void gfree(void *p);	42	extern void gfree(void *p);

Return to bug 115851

Lines 11-16 Link Here

(-)kpdf/xpdf/goo/gmem.c (+23 lines)
11	#include <stdlib.h>	11	#include <stdlib.h>
12	#include <stddef.h>	12	#include <stddef.h>
13	#include <string.h>	13	#include <string.h>
		14	#include <limits.h>
14	#include "gmem.h"	15	#include "gmem.h"
15		16
16	#ifdef DEBUG_MEM	17	#ifdef DEBUG_MEM
Lines 175-180 void gfree(void *p) { Link Here
175	#endif	176	#endif
176	}	177	}
177		178
		179	void *gmallocn(int nObjs, int objSize) {
		180	int n;
		181
		182	n = nObjs * objSize;
		183	if (objSize <= 0 \|\| nObjs < 0 \|\| nObjs >= INT_MAX / objSize) {
		184	fprintf(stderr, "Bogus memory allocation size\n");
		185	exit(1);
		186	}
		187	return gmalloc(n);
		188	}
		189
		190	void greallocn(void p, int nObjs, int objSize) {
		191	int n;
		192
		193	n = nObjs * objSize;
		194	if (objSize <= 0 \|\| nObjs < 0 \|\| nObjs >= INT_MAX / objSize) {
		195	fprintf(stderr, "Bogus memory allocation size\n");
		196	exit(1);
		197	}
		198	return grealloc(p, n);
		199	}
		200
178	#ifdef DEBUG_MEM	201	#ifdef DEBUG_MEM
179	void gMemReport(FILE *f) {	202	void gMemReport(FILE *f) {
180	GMemHdr *p;	203	GMemHdr *p;