From 1161e728de9ca7c9a5fb0e24c4a5e4a79c65a849 Mon Sep 17 00:00:00 2001
From: Thomas Freitag
Date: Sat, 12 Jul 2014 17:04:42 +0200
Subject: Error out instead of exiting if allInter grows too much Bug #78714
--- splash/SplashXPathScanner.cc | 25 +++++++++++++++++-------- splash/SplashXPathScanner.h | 2 +- 2 files changed, 18 insertions(+), 9 deletions(-) (limited to 'splash')
diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index 52ac1c27..5ca18110 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc
@@ -272,8 +272,9 @@ void SplashXPathScanner::computeIntersections() { if (seg->flags & splashXPathHoriz) { y = splashFloor(seg->y0); if (y >= yMin && y <= yMax) {
- addIntersection(segYMin, segYMax, seg->flags, y, splashFloor(seg->x0), splashFloor(seg->x1));
+ if (!addIntersection(segYMin, segYMax, seg->flags, y, splashFloor(seg->x0), splashFloor(seg->x1))) break; } } else if (seg->flags & splashXPathVert) { y0 = splashFloor(segYMin);
@@ -286,7 +287,8 @@ void SplashXPathScanner::computeIntersections() { } x = splashFloor(seg->x0); for (y = y0; y <= y1; ++y) {
- addIntersection(segYMin, segYMax, seg->flags, y, x, x);
+ if (!addIntersection(segYMin, segYMax, seg->flags, y, x, x)) break; } } else { if (seg->x0 < seg->x1) {
@@ -321,8 +323,9 @@ void SplashXPathScanner::computeIntersections() { } else if (xx1 > segXMax) { xx1 = segXMax; }
- addIntersection(segYMin, segYMax, seg->flags, y, splashFloor(xx0), splashFloor(xx1));
+ if (!addIntersection(segYMin, segYMax, seg->flags, y, splashFloor(xx0), splashFloor(xx1))) break; } } } 
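Review bot: In the second hunk the `break` taken when addIntersection() returns gFalse only leaves the visible `for (y = y0; y <= y1; ++y)` loop, and in the third hunk it likewise leaves an inner loop whose header is above the hunk, so the enclosing loop over path segments (its header is outside all three hunks) keeps calling addIntersection() for every remaining segment, each call failing the same capacity check and logging the same errInternal message again. The first hunk's `break` sits in an `if`, so it exits whatever loop encloses it, presumably that segment loop. A flag would make the three sites behave the same: `if (!addIntersection(...)) { ok = gFalse; break; }` at each call site and `if (!ok) break;` at the bottom of the segment loop body, with `ok` initialised to gTrue before the loop. Either way the scanner continues with the intersections gathered so far, which is the safe outcome the commit intends.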
@@ -340,12 +343,17 @@ void SplashXPathScanner::computeIntersections() { inter[yMax - yMin + 1] = i; }
-void SplashXPathScanner::addIntersection(double segYMin, double segYMax,
+GBool SplashXPathScanner::addIntersection(double segYMin, double segYMax, Guint segFlags, int y, int x0, int x1) { if (allInterLen == allInterSize) {
- allInterSize *= 2;
- allInter = (SplashIntersect *)greallocn(allInter, allInterSize,
+ unsigned int newInterSize = ((unsigned int) allInterSize * 2 > INT_MAX / sizeof(SplashIntersect)) ? allInterSize + 32768 : allInterSize * 2;
+ if (newInterSize >= INT_MAX / sizeof(SplashIntersect)) {
+ error(errInternal, -1, "Bogus memory allocation size in SplashXPathScanner::addIntersection {0:d}", newInterSize);
+ return gFalse;
+ }
+ allInterSize = newInterSize;
+ allInter = (SplashIntersect *)greallocn(allInter, newInterSize, sizeof(SplashIntersect)); } allInter[allInterLen].y = y;
@@ -365,6 +373,7 @@ void SplashXPathScanner::addIntersection(double segYMin, double segYMax, allInter[allInterLen].count = 0; } ++allInterLen;
+ return gTrue; } void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf,
diff --git a/splash/SplashXPathScanner.h b/splash/SplashXPathScanner.h
index b59e3068..53bd22de 100644
--- a/splash/SplashXPathScanner.h
+++ b/splash/SplashXPathScanner.h
@@ -85,7 +85,7 @@ public: private: void computeIntersections();
- void addIntersection(double segYMin, double segYMax,
+ GBool addIntersection(double segYMin, double segYMax, Guint segFlags, int y, int x0, int x1);
-- cgit v1.2.3
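Review bot: The cap `INT_MAX / sizeof(SplashIntersect)` is spelled out twice in addIntersection() (in the ternary choosing the growth step and in the guard under it) and nothing explains why growth switches from doubling to `+ 32768`; naming it once, `const size_t maxInter = INT_MAX / sizeof(SplashIntersect);`, with a comment such as `// grow geometrically while that fits, then linearly, and refuse before count * sizeof(SplashIntersect) can reach INT_MAX` keeps both checks in step. allInterSize appears to be a signed int (it is cast to unsigned int for the doubling and then assigned from the unsigned newInterSize), so the expression mixes int, unsigned int and size_t; the guard keeps newInterSize below INT_MAX, so the assignment back cannot wrap, but that reasoning deserves a comment on the `allInterSize = newInterSize;` line. The error message passes the unsigned newInterSize through the signed `{0:d}` conversion; worth confirming the project's formatter is given the matching unsigned specifier. The function's body continues past this hunk.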
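Review bot: The declaration's return type changes without recording what gFalse means; a comment above it, `// Returns gFalse, leaving the table unchanged, when the intersection array cannot grow any further.`, documents the contract computeIntersections() relies on when it breaks out of its loops on failure. That the entry is not stored on the failing path follows from the early `return gFalse` in the .cc hunk above, which runs before any write to allInter.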