[poppler] 2 commits - fofi/FoFiTrueType.cc goo/gmem.cc goo/gmem.h poppler/DCTStream.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sun Sep 28 10:26:41 PDT 2008


 fofi/FoFiTrueType.cc |    4 ++--
 goo/gmem.cc          |   21 +++++++++++++++++++++
 goo/gmem.h           |    1 +
 poppler/DCTStream.cc |    1 +
 4 files changed, 25 insertions(+), 2 deletions(-)

New commits:
commit 3cb5b7fc5ae168ef58fd1905f61c1b9abe6cb86c
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 28 19:25:53 2008 +0200

    Introduce greallocn_checkoverflow and use it in FoFiTrueType::parse
    
    Fixes the other part of bug 17811

diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 8502f24..60906ae 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -1908,8 +1908,8 @@ void FoFiTrueType::parse() {
     pos += 16;
   }
   nTables -= wrongTables;
-  tables = (TrueTypeTable *)greallocn(tables, nTables, sizeof(TrueTypeTable));
-  if (!parsedOk) {
+  tables = (TrueTypeTable *)greallocn_checkoverflow(tables, nTables, sizeof(TrueTypeTable));
+  if (!parsedOk || tables == NULL) {
     return;
   }
 
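Review bot: The new guard `if (!parsedOk || tables == NULL)` returns on a NULL result without clearing `parsedOk`, so `parse()` can finish with `parsedOk` still true and `tables` NULL. According to the gmem.cc hunk in this same commit, NULL is returned both when the size check fails (in the non-exception build) and when `nTables` is 0 after subtracting `wrongTables`. Any caller that trusts `parsedOk` and then indexes `tables` would dereference NULL; whether one does is outside this hunk. I would make the failure explicit with `if (tables == NULL) { parsedOk = gFalse; return; }`. On the size-check path the helper does not free the old array, so assigning its result straight back to `tables` also drops the only pointer to that block; `parse()` starts and continues outside the hunk.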
diff --git a/goo/gmem.cc b/goo/gmem.cc
index a64ddb4..2a638de 100644
--- a/goo/gmem.cc
+++ b/goo/gmem.cc
@@ -227,6 +227,27 @@ void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP {
   return grealloc(p, n);
 }
 
+void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP {
+  int n;
+
+  if (nObjs == 0) {
+    if (p) {
+      gfree(p);
+    }
+    return NULL;
+  }
+  n = nObjs * objSize;
+  if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
+#if USE_EXCEPTIONS
+    throw GMemException();
+#else
+    fprintf(stderr, "Bogus memory allocation size\n");
+    return NULL;
+#endif
+  }
+  return grealloc(p, n);
+}
+
 void gfree(void *p) {
 #ifdef DEBUG_MEM
   int size;
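Review bot: In `greallocn_checkoverflow`, `n = nObjs * objSize;` runs before the range check, so for exactly the inputs the check should reject, the signed multiplication has already overflowed. That is undefined behaviour, and an optimizer may assume it cannot happen and weaken or drop the test that follows. Move the assignment below the `if` block, directly before `return grealloc(p, n);`. The `#else` branch also returns NULL while leaving `p` allocated, so either call `gfree(p)` there or add a comment above the function saying the caller still owns `p` on failure, for example `// On overflow returns NULL and does not free p`.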
diff --git a/goo/gmem.h b/goo/gmem.h
index 760cadc..ff9b24d 100644
--- a/goo/gmem.h
+++ b/goo/gmem.h
@@ -71,6 +71,7 @@ extern void *grealloc(void *p, size_t size) GMEM_EXCEP;
 extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP;
 extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP;
 extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP;
+extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP;
 
 /*
  * Same as free, but checks for and ignores NULL pointers.
commit aa7ef03af49f74ed558dcbab8ad4c594bb2b7d53
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 28 19:24:43 2008 +0200

    If libjpeg tells us to abort, let's abort :D
    
    Fixes part of bug 17811

diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index a9ce8e4..2b4f9c1 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -19,6 +19,7 @@ static boolean str_fill_input_buffer(j_decompress_ptr cinfo)
 {
   int c;
   struct str_src_mgr * src = (struct str_src_mgr *)cinfo->src;
+  if (src->abort) return FALSE;
   if (src->index == 0) {
     c = 0xFF;
     src->index++;
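Review bot: Returning `FALSE` from `str_fill_input_buffer` is libjpeg's suspension signal, not an error, so the added `if (src->abort) return FALSE;` only stops decoding if the callers check for the suspended result. Concretely, `jpeg_read_header` then returns `JPEG_SUSPENDED` and `jpeg_read_scanlines` returns 0; a loop that retries until it gets a scanline would spin on a crafted stream. Those call sites, and the place where `src->abort` is set, are outside this hunk, so please confirm they bail out. A short comment on the new line would help, e.g. `// abort requested: returning FALSE suspends the decompressor, callers must treat that as end of data`. The function body continues past the hunk.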

