]>
Commit | Line | Data |
---|---|---|
1 | --- pdftops/GfxState.cxx.pdftops 2002-12-17 11:41:20.000000000 +0000 | |
2 | +++ pdftops/GfxState.cxx 2002-12-17 14:13:52.000000000 +0000 | |
3 | @@ -12,6 +12,7 @@ | |
4 | ||
5 | #include <config.h> | |
6 | #include <stddef.h> | |
7 | +#include <limits.h> | |
8 | #include <math.h> | |
9 | #include <string.h> // for memcpy() | |
10 | #include "gmem.h" | |
11 | @@ -749,6 +750,7 @@ | |
12 | int indexHighA) { | |
13 | base = baseA; | |
14 | indexHigh = indexHighA; | |
15 | + // Checked in GfxIndexedColorSpace::parse | |
16 | lookup = (Guchar *)gmalloc((indexHigh + 1) * base->getNComps() * | |
17 | sizeof(Guchar)); | |
18 | } | |
19 | @@ -792,9 +794,13 @@ | |
20 | } | |
21 | indexHighA = obj1.getInt(); | |
22 | obj1.free(); | |
23 | + n = baseA->getNComps(); | |
24 | + if ((unsigned int)(indexHighA + 1) >= INT_MAX / (n * sizeof (Guchar))) { | |
25 | + error(-1, "Bad Indexed color space (too high)"); | |
26 | + goto err1; | |
27 | + } | |
28 | cs = new GfxIndexedColorSpace(baseA, indexHighA); | |
29 | arr->get(3, &obj1); | |
30 | - n = baseA->getNComps(); | |
31 | if (obj1.isStream()) { | |
32 | obj1.streamReset(); | |
33 | for (i = 0; i <= indexHighA; ++i) { | |
34 | @@ -1674,6 +1680,8 @@ | |
35 | colorSpace2 = indexedCS->getBase(); | |
36 | indexHigh = indexedCS->getIndexHigh(); | |
37 | nComps2 = colorSpace2->getNComps(); | |
38 | + if ((unsigned int)(indexHigh + 1) >= INT_MAX / (nComps2 * sizeof(double))) | |
39 | + goto err1; | |
40 | lookup = (double *)gmalloc((indexHigh + 1) * nComps2 * sizeof(double)); | |
41 | lookup2 = indexedCS->getLookup(); | |
42 | for (i = 0; i <= indexHigh; ++i) { | |
43 | @@ -1686,6 +1694,8 @@ | |
44 | sepCS = (GfxSeparationColorSpace *)colorSpace; | |
45 | colorSpace2 = sepCS->getAlt(); | |
46 | nComps2 = colorSpace2->getNComps(); | |
47 | + if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps2 * sizeof(double))) | |
48 | + goto err1; | |
49 | lookup = (double *)gmalloc((maxPixel + 1) * nComps2 * sizeof(double)); | |
50 | sepFunc = sepCS->getFunc(); | |
51 | for (i = 0; i <= maxPixel; ++i) { | |
52 | @@ -1696,6 +1706,8 @@ | |
53 | } | |
54 | } | |
55 | } else { | |
56 | + if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps * sizeof(double))) | |
57 | + goto err1; | |
58 | lookup = (double *)gmalloc((maxPixel + 1) * nComps * sizeof(double)); | |
59 | for (i = 0; i <= maxPixel; ++i) { | |
60 | for (k = 0; k < nComps; ++k) { | |
61 | @@ -1781,6 +1793,7 @@ | |
62 | ||
63 | GfxSubpath::GfxSubpath(double x1, double y1) { | |
64 | size = 16; | |
65 | + // safe | |
66 | x = (double *)gmalloc(size * sizeof(double)); | |
67 | y = (double *)gmalloc(size * sizeof(double)); | |
68 | curve = (GBool *)gmalloc(size * sizeof(GBool)); | |
69 | @@ -1801,6 +1814,7 @@ | |
70 | GfxSubpath::GfxSubpath(GfxSubpath *subpath) { | |
71 | size = subpath->size; | |
72 | n = subpath->n; | |
73 | + // safe (subpath->size is constrained) | |
74 | x = (double *)gmalloc(size * sizeof(double)); | |
75 | y = (double *)gmalloc(size * sizeof(double)); | |
76 | curve = (GBool *)gmalloc(size * sizeof(GBool)); | |
77 | @@ -1812,6 +1826,7 @@ | |
78 | ||
79 | void GfxSubpath::lineTo(double x1, double y1) { | |
80 | if (n >= size) { | |
81 | + if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return; | |
82 | size += 16; | |
83 | x = (double *)grealloc(x, size * sizeof(double)); | |
84 | y = (double *)grealloc(y, size * sizeof(double)); | |
85 | @@ -1826,6 +1841,7 @@ | |
86 | void GfxSubpath::curveTo(double x1, double y1, double x2, double y2, | |
87 | double x3, double y3) { | |
88 | if (n+3 > size) { | |
89 | + if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return; | |
90 | size += 16; | |
91 | x = (double *)grealloc(x, size * sizeof(double)); | |
92 | y = (double *)grealloc(y, size * sizeof(double)); | |
93 | @@ -1854,6 +1870,7 @@ | |
94 | size = 16; | |
95 | n = 0; | |
96 | firstX = firstY = 0; | |
97 | + // safe | |
98 | subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *)); | |
99 | } | |
100 | ||
101 | @@ -1875,6 +1892,7 @@ | |
102 | firstY = firstY1; | |
103 | size = size1; | |
104 | n = n1; | |
105 | + // not sure | |
106 | subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *)); | |
107 | for (i = 0; i < n; ++i) | |
108 | subpaths[i] = subpaths1[i]->copy(); | |
109 | @@ -2063,8 +2081,10 @@ | |
110 | strokePattern = state->strokePattern->copy(); | |
111 | } | |
112 | if (lineDashLength > 0) { | |
113 | - lineDash = (double *)gmalloc(lineDashLength * sizeof(double)); | |
114 | - memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double)); | |
115 | + if (lineDashLength < INT_MAX / sizeof (double)) { | |
116 | + lineDash = (double *)gmalloc(lineDashLength * sizeof(double)); | |
117 | + memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double)); | |
118 | + } | |
119 | } | |
120 | saved = NULL; | |
121 | } |