[poppler]
poppler/poppler: JBIG2Stream.cc, 1.6, 1.7 Stream.cc, 1.11,
1.12 Stream.h, 1.8, 1.9
Kristian Høgsberg
krh at kemper.freedesktop.org
Tue Feb 28 12:00:00 PST 2006
Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv22635/poppler
Modified Files:
JBIG2Stream.cc Stream.cc Stream.h
Log Message:
2006-02-28 Kristian Høgsberg <krh at redhat.com>
* goo/gmem.c: (gmalloc), (grealloc):
* poppler/JBIG2Stream.cc:
* poppler/Stream.cc:
* poppler/Stream.h:
* splash/SplashXPathScanner.cc:
More integer overflow fixes from Derek Noonburg (#5922).
Index: JBIG2Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/JBIG2Stream.cc,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- JBIG2Stream.cc 6 Feb 2006 18:50:11 -0000 1.6
+++ JBIG2Stream.cc 28 Feb 2006 19:59:58 -0000 1.7
@@ -683,7 +683,7 @@
h = hA;
line = (wA + 7) >> 3;
- if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
error(-1, "invalid width/height");
data = NULL;
return;
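Review bot: `line = (wA + 7) >> 3` is still evaluated before the new guard, so a width within 7 of INT_MAX overflows a signed int before anything is rejected. The guard then only works if the wrapped result happens to be non-positive. Reject that range before computing `line`, for example `if (wA > INT_MAX - 7) { error(-1, "invalid width/height"); data = NULL; return; }` placed directly above the `line = ...` statement. The next hunk (at -700) copies `line` from an existing bitmap and is not affected. The constructor starts and ends outside this hunk.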
@@ -700,7 +700,7 @@
h = bitmap->h;
line = bitmap->line;
- if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
error(-1, "invalid width/height");
data = NULL;
return;
@@ -2310,6 +2310,14 @@
!readUWord(&stepX) || !readUWord(&stepY)) {
goto eofError;
}
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
// get pattern dictionary
if (nRefSegs != 1) {
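Review bot: The grid check rejects `gridH == 0` but lets `gridW == 0` through, whereas the bitmap check just above rejects both `w == 0` and `h == 0`. If later code sizes a buffer as `gridW * gridH` (not visible here), a zero-width grid from a crafted segment would reach it with a zero-length allocation. Making the two checks symmetric closes that gap: `if (gridW == 0 || gridH == 0 || gridW >= INT_MAX / gridH) {`. These comparisons are only sound if `w`, `h`, `gridW` and `gridH` are unsigned; their declarations are outside the hunk, so that should be confirmed.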
Index: Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- Stream.cc 18 Jan 2006 22:32:13 -0000 1.11
+++ Stream.cc 28 Feb 2006 19:59:58 -0000 1.12
@@ -421,6 +421,12 @@
predLine = NULL;
ok = gFalse;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits ||
+ nVals * nBits + 7 < 0) {
+ return;
+ }
nVals = width * nComps;
totalBits = nVals * nBits;
if (totalBits == 0 ||
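Review bot: The last clause of the new guard, `nVals * nBits + 7 < 0`, reads `nVals` before the `nVals = width * nComps;` assignment that follows the block, so as far as this hunk shows it tests a value that has not been set yet. It also tries to detect signed overflow after the multiplication has happened, which is undefined behaviour and may be removed by the optimiser. Folding the +7 headroom into the division avoids both problems: replace the last two clauses with `width >= (INT_MAX - 7) / nComps / nBits`. The enclosing function starts and ends outside the hunk.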
@@ -3082,6 +3088,7 @@
numACHuffTables = index+1;
tbl = &acHuffTables[index];
} else {
+ index &= 0x0f;
if (index >= numDCHuffTables)
numDCHuffTables = index+1;
tbl = &dcHuffTables[index];
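Review bot: `index &= 0x0f;` only narrows the table selector to 0..15; it is not a bounds check against `dcHuffTables`. The array's declared size is not visible in this hunk, but if it holds fewer than 16 entries, a crafted table index still writes past the end via `tbl = &dcHuffTables[index]`. After the mask, compare `index` with the actual element count and fail the segment on a mismatch, e.g. `if (index >= (int)(sizeof(dcHuffTables) / sizeof(dcHuffTables[0]))) { /* report bad table index and bail out */ }`. The `acHuffTables` branch above needs the same check. The enclosing function starts and ends outside the hunk.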
Index: Stream.h
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.h,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- Stream.h 1 Dec 2005 22:45:10 -0000 1.8
+++ Stream.h 28 Feb 2006 19:59:58 -0000 1.9
@@ -528,7 +528,7 @@
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
- void eatBits(int n) { inputBits -= n; }
+ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
};
#ifndef ENABLE_LIBJPEG
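Review bot: The clamp in `eatBits` silently hides the case where a caller consumes more bits than are buffered, so decoding of a malformed stream carries on with no error reported. A negative `n` would also still increase `inputBits`. At minimum the intent should be documented, e.g. `// Consume n bits; clamps to 0 when n exceeds the buffered count (malformed input).` If callers can observe it, consider reporting the over-read rather than just clamping. The assignment inside the condition would also read better as two statements: `inputBits -= n; if (inputBits < 0) inputBits = 0;`.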