[poppler] poppler/Hints.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Mon Nov 22 14:27:05 PST 2010
poppler/Hints.cc | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
New commits:
commit c6127898b13311197971b1c6b1b306b91e28cf0e
Author: Hib Eris <hib at hiberis.nl>
Date: Mon Nov 22 13:08:48 2010 +0000
Use gmallocn_checkoverflow when parsing Hints table
Prevents running out of memory with malicious documents.
diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 7ea9c7b..a730e56 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -47,13 +47,13 @@ Hints::Hints(BaseStream *str, Linearization *linearization, XRef *xref, Security
error(-1, "Invalid number of pages (%d) for hints table", nPages);
nPages = 0;
}
- nObjects = (Guint *) gmallocn(nPages, sizeof(Guint));
- pageObjectNum = (int *) gmallocn(nPages, sizeof(int));
- xRefOffset = (Guint *) gmallocn(nPages, sizeof(Guint));
- pageLength = (Guint *) gmallocn(nPages, sizeof(Guint));
- pageOffset = (Guint *) gmallocn(nPages, sizeof(Guint));
- numSharedObject = (Guint *) gmallocn(nPages, sizeof(Guint));
- sharedObjectId = (Guint **) gmallocn(nPages, sizeof(Guint*));
+ nObjects = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+ pageObjectNum = (int *) gmallocn_checkoverflow(nPages, sizeof(int));
+ xRefOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+ pageLength = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+ pageOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+ numSharedObject = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint));
+ sharedObjectId = (Guint **) gmallocn_checkoverflow(nPages, sizeof(Guint*));
if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset ||
!numSharedObject || !sharedObjectId) {
error(-1, "Failed to allocate memory for hints tabel");
@@ -230,7 +230,7 @@ void Hints::readPageOffsetTable(Stream *str)
numSharedObject[i] = 0;
return;
}
- sharedObjectId[i] = (Guint *) gmallocn(numSharedObject[i], sizeof(Guint));
+ sharedObjectId[i] = (Guint *) gmallocn_checkoverflow(numSharedObject[i], sizeof(Guint));
if (numSharedObject[i] && !sharedObjectId[i]) {
error(-1, "Failed to allocate memory for shared object IDs");
numSharedObject[i] = 0;
@@ -282,11 +282,11 @@ void Hints::readSharedObjectsTable(Stream *str)
nSharedGroupsFirst = nSharedGroups;
}
- groupLength = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
- groupOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
- groupHasSignature = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
- groupNumObjects = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
- groupXRefOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint));
+ groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+ groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+ groupHasSignature = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+ groupNumObjects = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
+ groupXRefOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
if (!groupLength || !groupOffset || !groupHasSignature ||
!groupNumObjects || !groupXRefOffset) {
error(-1, "Failed to allocate memory for shared object groups");
More information about the poppler
mailing list