[poppler] poppler/poppler: JBIG2Stream.cc, 1.1.1.1.2.1, 1.1.1.1.2.2 Stream.cc, 1.3.2.2, 1.3.2.3 Stream.h, 1.3.2.1, 1.3.2.2

Kristian Høgsberg krh at kemper.freedesktop.org
Tue Feb 28 14:14:58 PST 2006 

Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv24691/poppler

Modified Files:
      Tag: POPPLER_0_4_X
	JBIG2Stream.cc Stream.cc Stream.h 
Log Message:
2006-02-28  Kristian Høgsberg  <krh at redhat.com>

        * goo/gmem.c: (gmalloc), (grealloc):
        * poppler/JBIG2Stream.cc:
        * poppler/Stream.cc:
        * poppler/Stream.h:
        * splash/SplashXPathScanner.cc:

        More integer overflow fixes from Derek Noonburg (#5922).



Index: JBIG2Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/JBIG2Stream.cc,v
retrieving revision 1.1.1.1.2.1
retrieving revision 1.1.1.1.2.2
diff -u -d -r1.1.1.1.2.1 -r1.1.1.1.2.2
--- JBIG2Stream.cc	10 Jan 2006 19:08:16 -0000	1.1.1.1.2.1
+++ JBIG2Stream.cc	28 Feb 2006 22:14:56 -0000	1.1.1.1.2.2
@@ -683,7 +683,7 @@
   h = hA;
   line = (wA + 7) >> 3;
 
-  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+  if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
     error(-1, "invalid width/height");
     data = NULL;
     return;
@@ -701,7 +701,7 @@
   h = bitmap->h;
   line = bitmap->line;
 
-  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+  if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
     error(-1, "invalid width/height");
     data = NULL;
     return;
@@ -2268,6 +2268,14 @@
       !readUWord(&stepX) || !readUWord(&stepY)) {
     goto eofError;
   }
+  if (w == 0 || h == 0 || w >= INT_MAX / h) {
+    error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+    return;
+  }
+  if (gridH == 0 || gridW >= INT_MAX / gridH) {
+    error(getPos(), "Bad grid size in JBIG2 halftone segment");
+    return;
+  }
 
   // get pattern dictionary
   if (nRefSegs != 1) {

Index: Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.3.2.2
retrieving revision 1.3.2.3
diff -u -d -r1.3.2.2 -r1.3.2.3
--- Stream.cc	10 Jan 2006 19:08:16 -0000	1.3.2.2
+++ Stream.cc	28 Feb 2006 22:14:56 -0000	1.3.2.3
@@ -426,7 +426,8 @@
 
   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
       nComps >= INT_MAX/nBits ||
-      width >= INT_MAX/nComps/nBits) {
+      width >= INT_MAX/nComps/nBits ||
+      nVals * nBits + 7 < 0) {
     return;
   }
   nVals = width * nComps;
@@ -3078,6 +3079,7 @@
 	numACHuffTables = index+1;
       tbl = &acHuffTables[index];
     } else {
+      index &= 0x0f;
       if (index >= numDCHuffTables)
 	numDCHuffTables = index+1;
       tbl = &dcHuffTables[index];

Index: Stream.h
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.h,v
retrieving revision 1.3.2.1
retrieving revision 1.3.2.2
diff -u -d -r1.3.2.1 -r1.3.2.2
--- Stream.h	12 Dec 2005 22:43:27 -0000	1.3.2.1
+++ Stream.h	28 Feb 2006 22:14:56 -0000	1.3.2.2
@@ -532,7 +532,7 @@
   short getWhiteCode();
   short getBlackCode();
   short lookBits(int n);
-  void eatBits(int n) { inputBits -= n; }
+  void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
 };
 
 #ifndef ENABLE_LIBJPEG

More information about the poppler mailing list