diff options
| author | Thomas Freitag <Thomas.Freitag@alfa.de> | 2014-07-12 17:04:42 +0200 |
|---|---|---|
| committer | Albert Astals Cid <aacid@kde.org> | 2014-07-12 17:05:21 +0200 |
| commit | 1161e728de9ca7c9a5fb0e24c4a5e4a79c65a849 (patch) | |
| tree | b020f376605ca2977e1b204753af7fb8a2583f86 | |
| parent | e82a24a585d251f767725f61700dc1f8fe169a52 (diff) | |
Error out instead of exiting if allInter grows too much
Bug #78714
| -rw-r--r-- | splash/SplashXPathScanner.cc | 25 | ||||
| -rw-r--r-- | splash/SplashXPathScanner.h | 2 |
2 files changed, 18 insertions, 9 deletions
diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc index 52ac1c27..5ca18110 100644 --- a/splash/SplashXPathScanner.cc +++ b/splash/SplashXPathScanner.cc @@ -272,8 +272,9 @@ void SplashXPathScanner::computeIntersections() { if (seg->flags & splashXPathHoriz) { y = splashFloor(seg->y0); if (y >= yMin && y <= yMax) { - addIntersection(segYMin, segYMax, seg->flags, - y, splashFloor(seg->x0), splashFloor(seg->x1)); + if (!addIntersection(segYMin, segYMax, seg->flags, + y, splashFloor(seg->x0), splashFloor(seg->x1))) + break; } } else if (seg->flags & splashXPathVert) { y0 = splashFloor(segYMin); @@ -286,7 +287,8 @@ void SplashXPathScanner::computeIntersections() { } x = splashFloor(seg->x0); for (y = y0; y <= y1; ++y) { - addIntersection(segYMin, segYMax, seg->flags, y, x, x); + if (!addIntersection(segYMin, segYMax, seg->flags, y, x, x)) + break; } } else { if (seg->x0 < seg->x1) { @@ -321,8 +323,9 @@ void SplashXPathScanner::computeIntersections() { } else if (xx1 > segXMax) { xx1 = segXMax; } - addIntersection(segYMin, segYMax, seg->flags, y, - splashFloor(xx0), splashFloor(xx1)); + if (!addIntersection(segYMin, segYMax, seg->flags, y, + splashFloor(xx0), splashFloor(xx1))) + break; } } } @@ -340,12 +343,17 @@ void SplashXPathScanner::computeIntersections() { inter[yMax - yMin + 1] = i; } -void SplashXPathScanner::addIntersection(double segYMin, double segYMax, +GBool SplashXPathScanner::addIntersection(double segYMin, double segYMax, Guint segFlags, int y, int x0, int x1) { if (allInterLen == allInterSize) { - allInterSize *= 2; - allInter = (SplashIntersect *)greallocn(allInter, allInterSize, + unsigned int newInterSize = ((unsigned int) allInterSize * 2 > INT_MAX / sizeof(SplashIntersect)) ? allInterSize + 32768 : allInterSize * 2; + if (newInterSize >= INT_MAX / sizeof(SplashIntersect)) { + error(errInternal, -1, "Bogus memory allocation size in SplashXPathScanner::addIntersection {0:d}", newInterSize); + return gFalse; + } + allInterSize = newInterSize; + allInter = (SplashIntersect *)greallocn(allInter, newInterSize, sizeof(SplashIntersect)); } allInter[allInterLen].y = y; @@ -365,6 +373,7 @@ void SplashXPathScanner::addIntersection(double segYMin, double segYMax, allInter[allInterLen].count = 0; } ++allInterLen; + return gTrue; } void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf, diff --git a/splash/SplashXPathScanner.h b/splash/SplashXPathScanner.h index b59e3068..53bd22de 100644 --- a/splash/SplashXPathScanner.h +++ b/splash/SplashXPathScanner.h @@ -85,7 +85,7 @@ public: private: void computeIntersections(); - void addIntersection(double segYMin, double segYMax, + GBool addIntersection(double segYMin, double segYMax, Guint segFlags, int y, int x0, int x1); |