[poppler] poppler/Hints.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Mon Nov 22 14:27:05 PST 2010


 poppler/Hints.cc |   26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

New commits:
commit c6127898b13311197971b1c6b1b306b91e28cf0e
Author: Hib Eris <hib at hiberis.nl>
Date:   Mon Nov 22 13:08:48 2010 +0000

    Use gmallocn_checkoverflow when parsing Hints table
    
    Prevents running out of memory with malicious documents.

diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 7ea9c7b..a730e56 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -47,13 +47,13 @@ Hints::Hints(BaseStream *str, Linearization *linearization, XRef *xref, Security
      error(-1, "Invalid number of pages (%d) for hints table", nPages);
      nPages = 0;
   }
-  nObjects = (Guint *) gmallocn(nPages, sizeof(Guint));
-  pageObjectNum = (int *) gmallocn(nPages, sizeof(int));
-  xRefOffset = (Guint *) gmallocn(nPages, sizeof(Guint));
-  pageLength = (Guint *) gmallocn(nPages, sizeof(Guint));
-  pageOffset = (Guint *) gmallocn(nPages, sizeof(Guint));
-  numSharedObject = (Guint *) gmallocn(nPages, sizeof(Guint));
-  sharedObjectId = (Guint **) gmallocn(nPages, sizeof(Guint*));
+  nObjects = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+  pageObjectNum = (int *) gmallocn_checkoverflow(nPages, sizeof(int));
+  xRefOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+  pageLength = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+  pageOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+  numSharedObject = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+  sharedObjectId = (Guint **) gmallocn_checkoverflow(nPages, sizeof(Guint*));
   if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset ||
       !numSharedObject || !sharedObjectId) {
     error(-1, "Failed to allocate memory for hints tabel");
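Review bot: The null check after the seven allocations does not separate a failed allocation from an empty request: the context line above sets `nPages = 0` for an invalid page count, and the guard in readPageOffsetTable (`numSharedObject[i] && !sharedObjectId[i]`) suggests the allocator returns NULL for a zero count. If that is the case, an invalid count is reported a second time as an allocation failure; `if (nPages && (!nObjects || ... || !sharedObjectId))` would keep the two cases apart, and the same applies to the nSharedGroups check in readSharedObjectsTable. Because gmallocn_checkoverflow returns NULL instead of aborting, the failure branch (which continues outside the hunk) is now reachable from a crafted file, so it has to release whichever arrays did succeed and leave nPages at 0.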
@@ -230,7 +230,7 @@ void Hints::readPageOffsetTable(Stream *str)
        numSharedObject[i] = 0;
        return;
     }
-    sharedObjectId[i] = (Guint *) gmallocn(numSharedObject[i], sizeof(Guint));
+    sharedObjectId[i] = (Guint *) gmallocn_checkoverflow(numSharedObject[i], sizeof(Guint));
     if (numSharedObject[i] && !sharedObjectId[i]) {
        error(-1, "Failed to allocate memory for shared object IDs");
        numSharedObject[i] = 0;
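Review bot: The failure path zeroes only `numSharedObject[i]`, so the entries after index i in numSharedObject and sharedObjectId keep whatever the allocator returned. Now that an allocation failure is survivable, any later code that walks all nPages entries, for instance to free each sharedObjectId slot, would read those values. Unless the constructor already clears the arrays, which is not visible here, zero them right after allocating, e.g. `memset(numSharedObject, 0, nPages * sizeof(Guint));`. The loop and the rest of readPageOffsetTable lie outside the hunk.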
@@ -282,11 +282,11 @@ void Hints::readSharedObjectsTable(Stream *str)
      nSharedGroupsFirst = nSharedGroups;
   }
 
-  groupLength = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
-  groupOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
-  groupHasSignature = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
-  groupNumObjects = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
-  groupXRefOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
+  groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+  groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+  groupHasSignature = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+  groupNumObjects = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+  groupXRefOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
   if (!groupLength || !groupOffset || !groupHasSignature ||
       !groupNumObjects || !groupXRefOffset) {
      error(-1, "Failed to allocate memory for shared object groups");
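Review bot: A large nSharedGroups that does not overflow the multiplication still requests five arrays of that size, so the checked allocator makes exhaustion a reported error but does not bound what a file can ask for. Consider rejecting a count larger than the hint stream could plausibly encode before allocating; whatever validation precedes the `nSharedGroupsFirst = nSharedGroups;` context line is outside the hunk. A short comment such as `// nSharedGroups comes from the file; NULL here means overflow or out of memory` would also record why the check below has to stay.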

