authorKristian Høgsberg <krh@redhat.com>2006-02-28 19:59:58 +0000
committerKristian Høgsberg <krh@redhat.com>2006-02-28 19:59:58 +0000
commitb9e951ac68b9977ab7217ad0346bcf46a3fa3dfe (patch)
tree855f88919a26b6c71275de7a6d083b678ee4373d /poppler
parent46db73a142d65a0c944910388d5971debc06ecbf (diff)
2006-02-28 Kristian Høgsberg <krh@redhat.com>
* goo/gmem.c: (gmalloc), (grealloc): * poppler/JBIG2Stream.cc: * poppler/Stream.cc: * poppler/Stream.h: * splash/SplashXPathScanner.cc: More integer overflow fixes from Derek Noonburg (#5922).
Diffstat (limited to 'poppler')
-rw-r--r--poppler/JBIG2Stream.cc12
-rw-r--r--poppler/Stream.cc7
-rw-r--r--poppler/Stream.h2
3 files changed, 18 insertions, 3 deletions
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 337f5ccc..05b1ab22 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -683,7 +683,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
h = hA;
line = (wA + 7) >> 3;
- if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
error(-1, "invalid width/height");
data = NULL;
return;
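Review bot: `line = (wA + 7) >> 3` is evaluated before the new guard, so a width within 7 of INT_MAX overflows a signed int on that line, which is undefined behaviour. The guard then depends on the wrapped value happening to show up as `line <= 0`. Validating the arguments first removes that dependence: test `wA <= 0 || wA > INT_MAX - 7 || hA <= 0` ahead of the `line` computation and take the same error path. The constructor starts and continues outside the hunk, so the assignment of `w` is not visible here.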
@@ -700,7 +700,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
h = bitmap->h;
line = bitmap->line;
- if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
error(-1, "invalid width/height");
data = NULL;
return;
@@ -2310,6 +2310,14 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, GBool imm,
!readUWord(&stepX) || !readUWord(&stepY)) {
goto eofError;
}
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
// get pattern dictionary
if (nRefSegs != 1) {
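Review bot: The grid check rejects `gridH == 0` but lets `gridW == 0` through, unlike the bitmap check just above it, which rejects a zero `w` as well as a zero `h`. If a zero-width grid has no valid meaning further down, make the two guards symmetric: `if (gridW == 0 || gridH == 0 || gridW >= INT_MAX / gridH) {`. Both guards bound only the element count, so any later allocation that multiplies that count by an element size would still need its own overflow check; that code is not visible in this hunk. The function body continues outside the hunk.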
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index ff27ca7b..cd017a58 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -421,6 +421,12 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
predLine = NULL;
ok = gFalse;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits ||
+ nVals * nBits + 7 < 0) {
+ return;
+ }
nVals = width * nComps;
totalBits = nVals * nBits;
if (totalBits == 0 ||
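Review bot: The last term of the new guard, `nVals * nBits + 7 < 0`, reads `nVals` before it is assigned on the line `nVals = width * nComps;` just below, so unless something earlier in the constructor sets it, the test uses an indeterminate value. It also tries to detect overflow after the multiplication has happened, which for signed int is undefined behaviour and may be optimised away. The headroom for the `+ 7` can be folded into the division-based bound instead: drop that term and write `width >= (INT_MAX - 7) / nComps / nBits`. The constructor body starts and ends outside the hunk.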
@@ -3082,6 +3088,7 @@ GBool DCTStream::readHuffmanTables() {
numACHuffTables = index+1;
tbl = &acHuffTables[index];
} else {
+ index &= 0x0f;
if (index >= numDCHuffTables)
numDCHuffTables = index+1;
tbl = &dcHuffTables[index];
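Review bot: `index &= 0x0f` limits the DC table index to 0..15, but the store through `&dcHuffTables[index]` is only in bounds if the array has at least 16 entries, and its declaration is not visible in this hunk. If the array is smaller, masking still permits an out-of-range write, and in any case it silently remaps a malformed index onto a valid-looking table instead of reporting it. Rejecting the table is safer than masking: compare `index` with the declared array length and `return gFalse;` with an error when it is out of range. The AC branch above, whose index handling is only partly visible, likely needs the same test. The function body continues outside the hunk.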
diff --git a/poppler/Stream.h b/poppler/Stream.h
index d8a546b7..2b8dfd25 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -528,7 +528,7 @@ private:
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
- void eatBits(int n) { inputBits -= n; }
+ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
};
#ifndef ENABLE_LIBJPEG
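Review bot: `eatBits` now clamps `inputBits` to zero when `n` exceeds the buffered count, which stops the counter going negative but also hides from the caller that it consumed bits that were never read. As hardening against truncated or malformed streams that is reasonable, but it deserves a comment such as `// clamp: a malformed stream can request more bits than are buffered`. The assignment inside the condition would also read more clearly as two statements. Whether callers detect the short read some other way is not visible in this hunk.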