#! /bin/sh /usr/share/dpatch/dpatch-run
## 30_3.01pl2.dpatch by <hamish@debian.org>
## All lines beginning with `## DP:' are a description of the patch.
## DP: xpdf 3.01pl2 patch provided by upstream
8
diff -urNad xpdf-3.01~/goo/gmem.c xpdf-3.01/goo/gmem.c
9
--- xpdf-3.01~/goo/gmem.c 2006-02-16 00:14:11.000000000 +1100
10
+++ xpdf-3.01/goo/gmem.c 2006-02-16 00:14:28.000000000 +1100
21
unsigned long *trl, *p;
26
size1 = gMemDataSize(size);
27
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
35
if (!(p = malloc(size))) {
36
fprintf(stderr, "Out of memory\n");
56
void *gmallocn(int nObjs, size_t objSize) {
63
- if (objSize == 0 || n / objSize != nObjs) {
64
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
65
fprintf(stderr, "Bogus memory allocation size\n");
69
void *greallocn(void *p, int nObjs, size_t objSize) {
79
- if (objSize == 0 || n / objSize != nObjs) {
80
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
81
fprintf(stderr, "Bogus memory allocation size\n");
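Review bot: In the new guard in `gmallocn` and `greallocn`, `objSize` is a `size_t` per the visible signatures, so `objSize <= 0` can only mean `objSize == 0`, and `nObjs >= INT_MAX / objSize` compares an `int` with an unsigned quotient on the usual platforms where `size_t` is at least as wide as `int`. The result is still correct because `nObjs < 0` is tested first, but that ordering is load-bearing and deserves a comment such as `/* nObjs < 0 must be tested before the division: the comparison is done in size_t */`. Writing the first clause as `objSize == 0` would also avoid a tautological-comparison warning. `INT_MAX` needs `<limits.h>`; no include is visible in this view, so confirm the file has it. Both function bodies continue outside the visible lines.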
84
diff -urNad xpdf-3.01~/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc
85
--- xpdf-3.01~/splash/SplashXPathScanner.cc 2005-08-17 15:34:31.000000000 +1000
86
+++ xpdf-3.01/splash/SplashXPathScanner.cc 2006-02-16 00:14:28.000000000 +1100
90
void SplashXPathScanner::computeIntersections(int y) {
91
- SplashCoord ySegMin, ySegMax, xx0, xx1;
92
+ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
97
} else if (seg->flags & splashXPathVert) {
100
- if (ySegMin <= y) {
101
- // intersection with top edge
102
- xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
103
+ if (seg->x0 < seg->x1) {
107
- // x coord of segment endpoint with min y coord
108
- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
112
- if (ySegMax >= y + 1) {
113
- // intersection with bottom edge
114
- xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
116
- // x coord of segment endpoint with max y coord
117
- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
118
+ // intersection with top edge
119
+ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
120
+ // intersection with bottom edge
121
+ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
122
+ // the segment may not actually extend to the top and/or bottom edges
123
+ if (xx0 < xSegMin) {
125
+ } else if (xx0 > xSegMax) {
128
+ if (xx1 < xSegMin) {
130
+ } else if (xx1 > xSegMax) {
135
diff -urNad xpdf-3.01~/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc
136
--- xpdf-3.01~/xpdf/JBIG2Stream.cc 2006-02-15 23:57:30.000000000 +1100
137
+++ xpdf-3.01/xpdf/JBIG2Stream.cc 2006-02-16 00:14:28.000000000 +1100
145
#include "JArithmeticDecoder.h"
149
line = (wA + 7) >> 3;
150
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
154
// need to allocate one extra guard byte for use in combine()
155
data = (Guchar *)gmalloc(h * line + 1);
161
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
165
// need to allocate one extra guard byte for use in combine()
166
data = (Guchar *)gmalloc(h * line + 1);
167
memcpy(data, bitmap->data, h * line);
171
void JBIG2Bitmap::expand(int newH, Guint pixel) {
173
+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
176
// need to allocate one extra guard byte for use in combine()
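Review bot: `line = (wA + 7) >> 3` is evaluated before the new size check, so a `wA` within 7 of `INT_MAX` overflows a signed addition first, and the `line <= 0` clause only catches it if the overflow happens to wrap negative. Testing the width before the addition, e.g. `if (wA <= 0 || wA > INT_MAX - 7)`, would make the guard independent of that behaviour. The types of `wA`, `w` and `h` are not visible here and are assumed to be `int`. The same guard is repeated ahead of `memcpy(data, bitmap->data, h * line)` and in `expand`; the bodies of the added `if` statements are not visible in this view.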
177
@@ -2294,6 +2303,14 @@
178
!readUWord(&stepX) || !readUWord(&stepY)) {
181
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
182
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
185
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
186
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
190
// get pattern dictionary
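Review bot: The grid check `if (gridH == 0 || gridW >= INT_MAX / gridH)` rejects a zero `gridH` but lets `gridW == 0` through, whereas the bitmap check just above it rejects both `w == 0` and `h == 0`. If a zero-width grid is not meaningful for a halftone region, the check could read `if (gridW == 0 || gridH == 0 || gridW >= INT_MAX / gridH)`; otherwise a one-line comment saying why zero width is accepted would help the next reader. What the code after `// get pattern dictionary` does with a zero-sized grid is outside the hunk.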
192
diff -urNad xpdf-3.01~/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
193
--- xpdf-3.01~/xpdf/JPXStream.cc 2006-02-15 23:57:30.000000000 +1100
194
+++ xpdf-3.01/xpdf/JPXStream.cc 2006-02-16 00:14:28.000000000 +1100
196
#pragma implementation
202
#include "JArithmeticDecoder.h"
205
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
207
+ // check for overflow before allocating memory
208
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
209
+ img.nXTiles >= INT_MAX / img.nYTiles) {
210
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
213
img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
215
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
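Review bot: The new overflow check on `img.nXTiles` and `img.nYTiles` runs only after both counts have been computed from the SIZ fields, and no test of the tile size is visible before `img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)`. The continuation of that expression is not visible in this view; if it divides by `img.yTileSize`, a zero tile size read from the stream would fault before the new check is reached, and a tile offset larger than the image size would wrap if these fields are unsigned. A guard placed ahead of the computation, `if (img.xTileSize == 0 || img.yTileSize == 0)`, failing the same way as the new tile-count check, would cover the first case.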
216
diff -urNad xpdf-3.01~/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
217
--- xpdf-3.01~/xpdf/Stream.cc 2006-02-15 23:57:30.000000000 +1100
218
+++ xpdf-3.01/xpdf/Stream.cc 2006-02-16 00:14:28.000000000 +1100
227
@@ -406,13 +407,26 @@
234
nVals = width * nComps;
235
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
236
+ nComps >= INT_MAX / nBits ||
237
+ width >= INT_MAX / nComps / nBits ||
238
+ nVals * nBits + 7 < 0) {
241
pixBytes = (nComps * nBits + 7) >> 3;
242
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
243
+ if (rowBytes <= 0) {
246
predLine = (Guchar *)gmalloc(rowBytes);
247
memset(predLine, 0, rowBytes);
253
StreamPredictor::~StreamPredictor() {
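Review bot: The last clause of the new guard, `nVals * nBits + 7 < 0`, detects overflow by letting the signed expression overflow and then testing its sign, which is undefined behaviour in C++ and may be removed by an optimizing compiler; `nVals = width * nComps` is likewise computed before any of the checks run. Replacing the third clause with `width >= (INT_MAX - 7) / nComps / nBits` folds the `+ 7` into the division test, so the sign test can be dropped and the assignment to `nVals` moved below the guard. The `columns + 4 <= 0` test in the `@@ -1259,6 +1277,9 @@` hunk has the same shape and could be written `columns <= -4 || columns > INT_MAX - 4`. The operands are assumed to be `int`; their declarations are outside the hunk.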
254
@@ -1004,6 +1018,10 @@
256
if (predictor != 1) {
257
pred = new StreamPredictor(this, predictor, columns, colors, bits);
258
+ if (!pred->isOk()) {
265
@@ -1259,6 +1277,9 @@
269
+ if (columns + 4 <= 0) {
270
+ columns = INT_MAX - 4;
273
endOfBlock = endOfBlockA;
275
@@ -2899,6 +2920,11 @@
278
numComps = str->getChar();
279
+ if (numComps <= 0 || numComps > 4) {
280
+ error(getPos(), "Bad number of components in DCT stream");
285
error(getPos(), "Bad DCT precision %d", prec);
287
@@ -2925,6 +2951,11 @@
290
numComps = str->getChar();
291
+ if (numComps <= 0 || numComps > 4) {
292
+ error(getPos(), "Bad number of components in DCT stream");
297
error(getPos(), "Bad DCT precision %d", prec);
299
@@ -2947,6 +2978,11 @@
301
length = read16() - 2;
302
scanInfo.numComps = str->getChar();
303
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
304
+ error(getPos(), "Bad number of components in DCT stream");
305
+ scanInfo.numComps = 0;
309
if (length != 2 * scanInfo.numComps + 3) {
310
error(getPos(), "Bad DCT scan info block");
311
@@ -3041,6 +3077,7 @@
312
numACHuffTables = index+1;
313
tbl = &acHuffTables[index];
316
if (index >= numDCHuffTables)
317
numDCHuffTables = index+1;
318
tbl = &dcHuffTables[index];
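Review bot: No comparison of `index` against the declared length of `acHuffTables` or `dcHuffTables` is visible before `tbl = &acHuffTables[index]` and `tbl = &dcHuffTables[index]`; the visible tests only grow `numACHuffTables` and `numDCHuffTables`. If `index` is taken from the stream, as the surrounding parser suggests, it should be rejected when it is not a valid table slot, with a test of the form `if (index >= TABLE_COUNT)` followed by an `error(getPos(), ...)` call, where `TABLE_COUNT` is a placeholder for the real array bound. The one line this hunk adds and the array declarations are not visible in this view, so confirm against the full file.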
319
@@ -3827,6 +3864,10 @@
321
if (predictor != 1) {
322
pred = new StreamPredictor(this, predictor, columns, colors, bits);
323
+ if (!pred->isOk()) {
330
diff -urNad xpdf-3.01~/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
331
--- xpdf-3.01~/xpdf/Stream.h 2006-02-15 23:57:30.000000000 +1100
332
+++ xpdf-3.01/xpdf/Stream.h 2006-02-16 00:14:28.000000000 +1100
337
+ GBool isOk() { return ok; }
343
int rowBytes; // bytes per line
344
Guchar *predLine; // line buffer
345
int predIdx; // current index in predLine
349
//------------------------------------------------------------------------
351
short getWhiteCode();
352
short getBlackCode();
353
short lookBits(int n);
354
- void eatBits(int n) { inputBits -= n; }
355
+ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
358
//------------------------------------------------------------------------
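Review bot: The new `eatBits` clamps `inputBits` to zero when more bits are consumed than are buffered, which keeps the counter non-negative but also hides the underrun from the caller. A comment on the line would record the intent, e.g. `// clamp: malformed data can ask for more bits than were buffered`; whether callers should also see an error in that case is worth deciding, since nothing in this hunk reports it. The added `isOk()` returns `ok`, whose declaration and initialisation are not visible here, so confirm that every constructor path sets it.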