[poppler] xpdf problems in Function.cc and GfxState.cc
Albert Astals Cid
aacid at kde.org
Sun Apr 23 08:44:01 PDT 2006
Hi, recently Christoph Bartoschek has been analyzing KDE code with some static
code checker he cannot name.
Recently he ran the checker on KPDF's embedded xpdf source code and reported
some "possible problems". I've checked most of them and they are due to
"complicated code" and the code checker not being able to understand it, but
I think it may have found 2 "real" possible problems.
First one is on Function.cc where there's a
    i2 = stack->popInt();
    i1 = stack->popInt();
    if (i2 > 0) {
      stack->pushInt(i1 << i2);
    } else if (i2 < 0) {
      stack->pushInt((int)((Guint)i1 >> i2)); <------------
    } else {
      stack->pushInt(i1);
    }
The problem is that shifting by negative values is not correct, so maybe that
should be rewritten as
    stack->pushInt((int)((Guint)i1 << -i2));
?
The second one is on xpdf/xpdf/GfxState.cc in GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr)
nCompsA can be up to 32 according to the check
    if (nCompsA > gfxColorMaxComps)
But if the value is bigger than 3 then there is an out-of-bounds access in
    cs->rangeMin[i] = obj3.getNum();
Should
    for (i = 0; i < nCompsA; ++i) {
be changed to
    for (i = 0; i < nCompsA && i < 4; ++i) {
Albert
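An added example, not code from the xpdf/poppler tree or from the report, showing defined-behaviour versions of both spots: a bitshift that follows the PostScript bitshift operator's semantics (a negative count shifts right, zeros are shifted in) and clamps counts outside the operand width, and a Range parser that refuses a component count larger than the fixed-size arrays instead of writing past them. RANGE_CAP, IccColorSpace and the function names are assumed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned int Guint;   /* xpdf's unsigned typedef, assumed here */

/* PostScript "bitshift": positive count shifts left, negative count shifts
 * right, zeros shifted in. A count whose magnitude is not below the operand
 * width is undefined in C, so it is clamped: every bit is shifted out. */
int ps_bitshift(int i1, int i2) {
  const int width = (int)(sizeof(Guint) * CHAR_BIT);
  if (i2 >= width || i2 <= -width) return 0;
  if (i2 > 0) return (int)((Guint)i1 << i2);
  if (i2 < 0) return (int)((Guint)i1 >> -i2);   /* -i2 is positive here */
  return i1;
}

#define RANGE_CAP 4   /* assumed size of rangeMin/rangeMax in the report */

typedef struct {
  int nComps;
  double rangeMin[RANGE_CAP];
  double rangeMax[RANGE_CAP];
} IccColorSpace;

/* Fills the colour space from the stream's N and an optional /Range array of
 * 2*nComps numbers (NULL means the default [0 1] per component). Returns 0
 * on success and -1 when nComps does not fit the arrays, so the caller can
 * reject the colour space instead of indexing rangeMin[i] out of bounds. */
int icc_parse_range(IccColorSpace *cs, int nComps, const double *range) {
  int i;
  if (nComps < 1 || nComps > RANGE_CAP) return -1;
  cs->nComps = nComps;
  for (i = 0; i < nComps; ++i) {
    cs->rangeMin[i] = range ? range[2 * i] : 0.0;
    cs->rangeMax[i] = range ? range[2 * i + 1] : 1.0;
  }
  return 0;
}

int main(void) {
  IccColorSpace cs;
  /* constructed inputs: a right shift by a negative count and an N of 32 */
  printf("16 bitshift -2 = %d\n", ps_bitshift(16, -2));
  printf("N=32 accepted? %s\n", icc_parse_range(&cs, 32, NULL) == 0 ? "yes" : "no");
  return 0;
}
```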