--- pdftops/GfxState.cxx.pdftops 2002-12-17 11:41:20.000000000 +0000
+++ pdftops/GfxState.cxx 2002-12-17 14:13:52.000000000 +0000
@@ -12,6 +12,7 @@ #include #include +#include #include #include // for memcpy() #include "gmem.h"
@@ -749,6 +750,7 @@ int indexHighA) { base = baseA; indexHigh = indexHighA; + // Checked in GfxIndexedColorSpace::parse lookup = (Guchar *)gmalloc((indexHigh + 1) * base->getNComps() * sizeof(Guchar)); }
@@ -792,9 +794,13 @@ } indexHighA = obj1.getInt(); obj1.free(); + n = baseA->getNComps(); + if ((unsigned int)(indexHighA + 1) >= INT_MAX / (n * sizeof (Guchar))) { + error(-1, "Bad Indexed color space (too high)"); + goto err1; + } cs = new GfxIndexedColorSpace(baseA, indexHighA); arr->get(3, &obj1); - n = baseA->getNComps(); if (obj1.isStream()) { obj1.streamReset(); for (i = 0; i <= indexHighA; ++i) {
@@ -1674,6 +1680,8 @@ colorSpace2 = indexedCS->getBase(); indexHigh = indexedCS->getIndexHigh(); nComps2 = colorSpace2->getNComps(); + if ((unsigned int)(indexHigh + 1) >= INT_MAX / (nComps2 * sizeof(double))) + goto err1; lookup = (double *)gmalloc((indexHigh + 1) * nComps2 * sizeof(double)); lookup2 = indexedCS->getLookup(); for (i = 0; i <= indexHigh; ++i) {
@@ -1686,6 +1694,8 @@ sepCS = (GfxSeparationColorSpace *)colorSpace; colorSpace2 = sepCS->getAlt(); nComps2 = colorSpace2->getNComps(); + if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps2 * sizeof(double))) + goto err1; lookup = (double *)gmalloc((maxPixel + 1) * nComps2 * sizeof(double)); sepFunc = sepCS->getFunc(); for (i = 0; i <= maxPixel; ++i) {
@@ -1696,6 +1706,8 @@ } } } else { + if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps * sizeof(double))) + goto err1; lookup = (double *)gmalloc((maxPixel + 1) * nComps * sizeof(double)); for (i = 0; i <= maxPixel; ++i) { for (k = 0; k < nComps; ++k) {
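Review bot: The comment added in the `@@ -749` hunk (the GfxIndexedColorSpace constructor) says the size is validated elsewhere, but the `gmalloc((indexHigh + 1) * base->getNComps() * sizeof(Guchar))` below it stays unguarded for any caller other than parse. I would state the invariant in full, e.g. `// indexHighA is range-checked by GfxIndexedColorSpace::parse; any other caller must pass an already validated value`. Whether other callers of this constructor exist is not visible from the hunk.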
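Review bot: In the `@@ -792` hunk the guard computes `indexHighA + 1` in signed int before the cast, so a hival of INT_MAX overflows before the comparison runs, and a hival of -1 passes the check and reaches the constructor as a zero-length table. The PDF format caps the Indexed hival at 255, so an explicit range test is both simpler and stricter: `if (indexHighA < 0 || indexHighA > 255) {`. The same signed `+ 1` or `+ 16` before the cast appears in the `@@ -1674`, `@@ -1686`, `@@ -1696`, lineTo and curveTo hunks. The `err1` label is outside this hunk; `baseA` has not yet been handed to a GfxIndexedColorSpace at this point, so if `err1` does not delete it the new error path leaks it.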
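Review bot: The guards added in the `@@ -1674`, `@@ -1686` and `@@ -1696` hunks divide by `nComps2 * sizeof(double)` (or `nComps * sizeof(double)`) without first checking that the component count is positive, so a colour space reporting zero components would turn the overflow check itself into a division by zero; the `n` used in the `@@ -792` guard has the same shape. Whether getNComps() can return 0 for a malformed file is not visible here, so this needs confirming against the colour-space parsers. A cheap hardening is to fold the test into the condition, `if (nComps2 <= 0 || (unsigned int)(indexHigh + 1) >= INT_MAX / (nComps2 * sizeof(double)))`. The `err1` label is outside these hunks; it has to leave the object marked invalid so that callers never use a map whose `lookup` was not allocated.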
@@ -1781,6 +1793,7 @@ GfxSubpath::GfxSubpath(double x1, double y1) { size = 16; + // safe x = (double *)gmalloc(size * sizeof(double)); y = (double *)gmalloc(size * sizeof(double)); curve = (GBool *)gmalloc(size * sizeof(GBool));
@@ -1801,6 +1814,7 @@ GfxSubpath::GfxSubpath(GfxSubpath *subpath) { size = subpath->size; n = subpath->n; + // safe (subpath->size is constrained) x = (double *)gmalloc(size * sizeof(double)); y = (double *)gmalloc(size * sizeof(double)); curve = (GBool *)gmalloc(size * sizeof(GBool));
@@ -1812,6 +1826,7 @@ void GfxSubpath::lineTo(double x1, double y1) { if (n >= size) { + if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return; size += 16; x = (double *)grealloc(x, size * sizeof(double)); y = (double *)grealloc(y, size * sizeof(double));
@@ -1826,6 +1841,7 @@ void GfxSubpath::curveTo(double x1, double y1, double x2, double y2, double x3, double y3) { if (n+3 > size) { + if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return; size += 16; x = (double *)grealloc(x, size * sizeof(double)); y = (double *)grealloc(y, size * sizeof(double));
@@ -1854,6 +1870,7 @@ size = 16; n = 0; firstX = firstY = 0; + // safe subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *)); }
@@ -1875,6 +1892,7 @@ firstY = firstY1; size = size1; n = n1; + // not sure subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *)); for (i = 0; i < n; ++i) subpaths[i] = subpaths1[i]->copy();
@@ -2063,8 +2081,10 @@ strokePattern = state->strokePattern->copy(); } if (lineDashLength > 0) { - lineDash = (double *)gmalloc(lineDashLength * sizeof(double)); - memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double)); + if (lineDashLength < INT_MAX / sizeof (double)) { + lineDash = (double *)gmalloc(lineDashLength * sizeof(double)); + memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double)); + } } saved = NULL; }
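Review bot: The guards added to lineTo (`@@ -1812`) and curveTo (`@@ -1826`) bail out with a bare `return`, so an over-long subpath is silently truncated and neither the caller nor the log learns that a point was dropped. The parse hunk of this same patch reports its rejection through `error(-1, ...)`; doing the same here, `{ error(-1, "Subpath is too long"); return; }`, keeps the failure diagnosable when a crafted file triggers it. Both function bodies continue past the end of their hunks.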
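Review bot: The `// not sure` comment in the `@@ -1875` hunk leaves `gmalloc(size * sizeof(GfxSubpath *))` unaudited, with `size` taken directly from the `size1` argument. Either resolve it to a stated invariant, e.g. `// size1 always comes from an existing GfxPath whose size is bounded`, if the callers guarantee that, or add the bound used elsewhere in this patch, `if (size < 0 || (unsigned int)size >= INT_MAX / sizeof(GfxSubpath *))`, together with a failure path. The callers of this constructor and the code that grows GfxPath's `size` are not part of the diff, so I cannot tell which of the two applies.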
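Review bot: When the new bound in the `@@ -2063` hunk fails, `lineDash` is never assigned while `lineDashLength` stays positive, so the copy is left with a length that does not describe a buffer it owns. If the constructor begins by copying the whole source object (not visible in this hunk), `lineDash` would still alias `state->lineDash` and both objects would later free the same pointer. Add an else branch that resets the pair: `} else { lineDash = NULL; lineDashLength = 0; }`.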