authorAlbert Astals Cid <aacid@kde.org>2010-11-02 19:14:34 (GMT)
committer Albert Astals Cid <aacid@kde.org>2010-11-02 19:14:34 (GMT)
commitcad66a7d25abdb6aa15f3aa94a35737b119b2659 (patch) (side-by-side diff)
treee02db76083ae9e514a2a4794eff624eb655d8952
parent7e5f31c1c41193c6e49355970e6d027b91d45825 (diff)
Fix crash in broken documents
mapLen = (code + 256) & ~255; can wrap, and you end up with mapLen < code, which is not what you wanted
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--poppler/CharCodeToUnicode.cc16
1 files changed, 11 insertions, 5 deletions
diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
index 1835ddd..3cfa402 100644
--- a/poppler/CharCodeToUnicode.cc
+++ b/poppler/CharCodeToUnicode.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Koji Otani <sho@bbr.jp>
// Copyright (C) 2008 Michael Vrable <mvrable@cs.ucsd.edu>
@@ -36,6 +36,7 @@
#include <string.h>
#include "goo/gmem.h"
#include "goo/gfile.h"
+#include "goo/GooLikely.h"
#include "goo/GooString.h"
#include "Error.h"
#include "GlobalParams.h"
@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
if (code >= mapLen) {
oldLen = mapLen;
mapLen = (code + 256) & ~255;
- map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
- for (i = oldLen; i < mapLen; ++i) {
- map[i] = 0;
- }
+ if (unlikely(code >= mapLen)) {
+ error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
+ return;
+ } else {
+ map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+ for (i = oldLen; i < mapLen; ++i) {
+ map[i] = 0;
+ }
+ }
}
if (n <= 4) {
if (sscanf(uStr, "%x", &u) != 1) {
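Review bot: On the new early-return path `mapLen` has already been overwritten with the wrapped value, so the object is left with a `mapLen` smaller than the table `map` actually holds; restoring it with `mapLen = oldLen;` before `return;` (or computing the rounded size into a local and assigning it only after the check) keeps the two consistent. As written, a later call would take `oldLen` from the wrapped value, and the zeroing loop would then clear entries that were already mapped. The check also catches only the wrap itself: a `code` just below the wrap point still passes and asks `greallocn` for a table of about that many entries, so an explicit upper bound on `code` for values read from a document seems worth adding. addMapping starts before and continues after this hunk, so any validation of `code` by callers is not visible here.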