diff options
Diffstat (limited to 'poppler')
| -rw-r--r-- | poppler/JBIG2Stream.cc | 12 | ||||
| -rw-r--r-- | poppler/Stream.cc | 4 | ||||
| -rw-r--r-- | poppler/Stream.h | 2 |
3 files changed, 14 insertions, 4 deletions
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index 495272bb..007d9f01 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -683,7 +683,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA): h = hA; line = (wA + 7) >> 3; - if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { error(-1, "invalid width/height"); data = NULL; return; @@ -701,7 +701,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): h = bitmap->h; line = bitmap->line; - if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { error(-1, "invalid width/height"); data = NULL; return; @@ -2268,6 +2268,14 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, GBool imm, !readUWord(&stepX) || !readUWord(&stepY)) { goto eofError; } + if (w == 0 || h == 0 || w >= INT_MAX / h) { + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); + return; + } + if (gridH == 0 || gridW >= INT_MAX / gridH) { + error(getPos(), "Bad grid size in JBIG2 halftone segment"); + return; + } // get pattern dictionary if (nRefSegs != 1) { diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 96b18705..37dcfd52 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -426,7 +426,8 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps >= INT_MAX/nBits || - width >= INT_MAX/nComps/nBits) { + width >= INT_MAX/nComps/nBits || + nVals * nBits + 7 < 0) { return; } nVals = width * nComps; @@ -3078,6 +3079,7 @@ GBool DCTStream::readHuffmanTables() { numACHuffTables = index+1; tbl = &acHuffTables[index]; } else { + index &= 0x0f; if (index >= numDCHuffTables) numDCHuffTables = index+1; tbl = &dcHuffTables[index]; diff --git a/poppler/Stream.h b/poppler/Stream.h index 982e5616..4dadfe89 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -532,7 +532,7 @@ private: short getWhiteCode(); short getBlackCode(); short lookBits(int n); - void eatBits(int n) { inputBits -= n; } + void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } }; #ifndef ENABLE_LIBJPEG |