SOURCES: xpdf-3.01pl1.patch (NEW) - CAN-2005-3191, CAN-2005-3192

havner havner at pld-linux.org
Wed Dec 7 13:05:09 CET 2005


Author: havner                       Date: Wed Dec  7 12:05:09 2005 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- CAN-2005-3191, CAN-2005-3192  

---- Files affected:
SOURCES:
   xpdf-3.01pl1.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/xpdf-3.01pl1.patch
diff -u /dev/null SOURCES/xpdf-3.01pl1.patch:1.1
--- /dev/null	Wed Dec  7 13:05:09 2005
+++ SOURCES/xpdf-3.01pl1.patch	Wed Dec  7 13:05:04 2005
@@ -0,0 +1,168 @@
+diff -c -r xpdf-3.01-orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
+*** xpdf-3.01-orig/xpdf/JPXStream.cc	Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/JPXStream.cc	Thu Nov  3 16:50:39 2005
+***************
+*** 783,789 ****
+    int segType;
+    GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+    Guint precinctSize, style;
+!   Guint segLen, capabilities, comp, i, j, r;
+  
+    //----- main header
+    haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+--- 783,789 ----
+    int segType;
+    GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+    Guint precinctSize, style;
+!   Guint segLen, capabilities, nTiles, comp, i, j, r;
+  
+    //----- main header
+    haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+***************
+*** 818,825 ****
+  	            / img.xTileSize;
+        img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+  	            / img.yTileSize;
+!       img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
+! 				      sizeof(JPXTile));
+        for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+  	img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+  							 sizeof(JPXTileComp));
+--- 818,830 ----
+  	            / img.xTileSize;
+        img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+  	            / img.yTileSize;
+!       nTiles = img.nXTiles * img.nYTiles;
+!       // check for overflow before allocating memory
+!       if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+! 	error(getPos(), "Bad tile count in JPX SIZ marker segment");
+! 	return gFalse;
+!       }
+!       img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+        for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+  	img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+  							 sizeof(JPXTileComp));
+diff -c -r xpdf-3.01-orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
+*** xpdf-3.01-orig/xpdf/Stream.cc	Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/Stream.cc	Thu Nov  3 16:50:39 2005
+***************
+*** 401,418 ****
+  
+  StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+  				 int widthA, int nCompsA, int nBitsA) {
+    str = strA;
+    predictor = predictorA;
+    width = widthA;
+    nComps = nCompsA;
+    nBits = nBitsA;
+  
+    nVals = width * nComps;
+    pixBytes = (nComps * nBits + 7) >> 3;
+!   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+    predLine = (Guchar *)gmalloc(rowBytes);
+    memset(predLine, 0, rowBytes);
+    predIdx = rowBytes;
+  }
+  
+  StreamPredictor::~StreamPredictor() {
+--- 401,433 ----
+  
+  StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+  				 int widthA, int nCompsA, int nBitsA) {
++   int totalBits;
++ 
+    str = strA;
+    predictor = predictorA;
+    width = widthA;
+    nComps = nCompsA;
+    nBits = nBitsA;
++   predLine = NULL;
++   ok = gFalse;
+  
+    nVals = width * nComps;
++   totalBits = nVals * nBits;
++   if (totalBits == 0 ||
++       (totalBits / nBits) / nComps != width ||
++       totalBits + 7 < 0) {
++     return;
++   }
+    pixBytes = (nComps * nBits + 7) >> 3;
+!   rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+!   if (rowBytes < 0) {
+!     return;
+!   }
+    predLine = (Guchar *)gmalloc(rowBytes);
+    memset(predLine, 0, rowBytes);
+    predIdx = rowBytes;
++ 
++   ok = gTrue;
+  }
+  
+  StreamPredictor::~StreamPredictor() {
+***************
+*** 1004,1009 ****
+--- 1019,1028 ----
+      FilterStream(strA) {
+    if (predictor != 1) {
+      pred = new StreamPredictor(this, predictor, columns, colors, bits);
++     if (!pred->isOk()) {
++       delete pred;
++       pred = NULL;
++     }
+    } else {
+      pred = NULL;
+    }
+***************
+*** 2899,2904 ****
+--- 2918,2931 ----
+    height = read16();
+    width = read16();
+    numComps = str->getChar();
++   if (numComps <= 0 || numComps > 4) {
++     error(getPos(), "Bad number of components in DCT stream", prec);
++     return gFalse;
++   }
++   if (numComps <= 0 || numComps > 4) {
++     error(getPos(), "Bad number of components in DCT stream", prec);
++     return gFalse;
++   }
+    if (prec != 8) {
+      error(getPos(), "Bad DCT precision %d", prec);
+      return gFalse;
+***************
+*** 3827,3832 ****
+--- 3854,3863 ----
+      FilterStream(strA) {
+    if (predictor != 1) {
+      pred = new StreamPredictor(this, predictor, columns, colors, bits);
++     if (!pred->isOk()) {
++       delete pred;
++       pred = NULL;
++     }
+    } else {
+      pred = NULL;
+    }
+diff -c -r xpdf-3.01-orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
+*** xpdf-3.01-orig/xpdf/Stream.h	Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/Stream.h	Thu Nov  3 16:50:39 2005
+***************
+*** 232,237 ****
+--- 232,239 ----
+  
+    ~StreamPredictor();
+  
++   GBool isOk() { return ok; }
++ 
+    int lookChar();
+    int getChar();
+  
+***************
+*** 249,254 ****
+--- 251,257 ----
+    int rowBytes;			// bytes per line
+    Guchar *predLine;		// line buffer
+    int predIdx;			// current index in predLine
++   GBool ok;
+  };
+  
+  //------------------------------------------------------------------------
================================================================



More information about the pld-cvs-commit mailing list