SOURCES: xpdf-3.01pl1.patch (NEW) - CAN-2005-3191, CAN-2005-3192
havner
havner at pld-linux.org
Wed Dec 7 13:05:09 CET 2005
Author: havner Date: Wed Dec 7 12:05:09 2005 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- CAN-2005-3191, CAN-2005-3192
---- Files affected:
SOURCES:
xpdf-3.01pl1.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/xpdf-3.01pl1.patch
diff -u /dev/null SOURCES/xpdf-3.01pl1.patch:1.1
--- /dev/null Wed Dec 7 13:05:09 2005
+++ SOURCES/xpdf-3.01pl1.patch Wed Dec 7 13:05:04 2005
@@ -0,0 +1,168 @@
+diff -c -r xpdf-3.01-orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
+*** xpdf-3.01-orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/JPXStream.cc Thu Nov 3 16:50:39 2005
+***************
+*** 783,789 ****
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+! Guint segLen, capabilities, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+--- 783,789 ----
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+! Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+***************
+*** 818,825 ****
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+! img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
+! sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+ sizeof(JPXTileComp));
+--- 818,830 ----
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+! nTiles = img.nXTiles * img.nYTiles;
+! // check for overflow before allocating memory
+! if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+! error(getPos(), "Bad tile count in JPX SIZ marker segment");
+! return gFalse;
+! }
+! img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+ sizeof(JPXTileComp));
+diff -c -r xpdf-3.01-orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
+*** xpdf-3.01-orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/Stream.cc Thu Nov 3 16:50:39 2005
+***************
+*** 401,418 ****
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
+
+ nVals = width * nComps;
+ pixBytes = (nComps * nBits + 7) >> 3;
+! rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+--- 401,433 ----
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
+ nVals = width * nComps;
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+! rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+! if (rowBytes < 0) {
+! return;
+! }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+***************
+*** 1004,1009 ****
+--- 1019,1028 ----
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+***************
+*** 2899,2904 ****
+--- 2918,2931 ----
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+***************
+*** 3827,3832 ****
+--- 3854,3863 ----
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+diff -c -r xpdf-3.01-orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
+*** xpdf-3.01-orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005
+--- xpdf-3.01/xpdf/Stream.h Thu Nov 3 16:50:39 2005
+***************
+*** 232,237 ****
+--- 232,239 ----
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+***************
+*** 249,254 ****
+--- 251,257 ----
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
================================================================
More information about the pld-cvs-commit
mailing list