[poppler] Branch 'poppler-0.26' - splash/SplashXPathScanner.cc splash/SplashXPathScanner.h

Albert Astals Cid aacid at kemper.freedesktop.org
Sat Jul 12 08:05:33 PDT 2014


 splash/SplashXPathScanner.cc |   25 +++++++++++++++++--------
 splash/SplashXPathScanner.h  |    2 +-
 2 files changed, 18 insertions(+), 9 deletions(-)

New commits:
commit 1161e728de9ca7c9a5fb0e24c4a5e4a79c65a849
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sat Jul 12 17:04:42 2014 +0200

    Error out instead of exiting if allInter grows too much
    
    Bug #78714

diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index 52ac1c2..5ca1811 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc
@@ -272,8 +272,9 @@ void SplashXPathScanner::computeIntersections() {
     if (seg->flags & splashXPathHoriz) {
       y = splashFloor(seg->y0);
       if (y >= yMin && y <= yMax) {
-	addIntersection(segYMin, segYMax, seg->flags,
-			y, splashFloor(seg->x0), splashFloor(seg->x1));
+	if (!addIntersection(segYMin, segYMax, seg->flags,
+			y, splashFloor(seg->x0), splashFloor(seg->x1)))
+          break;
       }
     } else if (seg->flags & splashXPathVert) {
       y0 = splashFloor(segYMin);
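Review bot: A failed `addIntersection` is only visible inside the loop, because `computeIntersections()` still returns `void`. After this `break` (and the ones in the vertical and sloped branches) the function appears to continue to the sort and the `inter[]` construction shown later in the diff, now working on a truncated table. Path data usually comes straight from an untrusted PDF, so callers end up rasterising a partial path with no signal beyond the logged error. Consider recording the failure in a member flag set on the `gFalse` path, or at least add a comment at the `break` such as `// allInter is incomplete from here on; remaining segments are dropped`. The enclosing loop and the rest of the function lie outside the hunk.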
@@ -286,7 +287,8 @@ void SplashXPathScanner::computeIntersections() {
       }
       x = splashFloor(seg->x0);
       for (y = y0; y <= y1; ++y) {
-	addIntersection(segYMin, segYMax, seg->flags, y, x, x);
+	if (!addIntersection(segYMin, segYMax, seg->flags, y, x, x))
+          break;
       }
     } else {
       if (seg->x0 < seg->x1) {
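Review bot: This `break` leaves only the `for (y = y0; y <= y1; ++y)` loop, so the enclosing segment loop (outside the hunk, so inferred) moves on to the next segment. There `addIntersection` is called again, fails again and logs the same error, once per remaining segment. The sloped branch in the next hunk looks the same, whereas the `break` in the horizontal branch is not inside a `y` loop. On a path large enough to hit the limit, that means a lot of wasted iteration and log output. A local flag would stop it: `if (!addIntersection(...)) { full = gTrue; break; }` in the inner loops and `if (full) break;` after them.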
@@ -321,8 +323,9 @@ void SplashXPathScanner::computeIntersections() {
 	} else if (xx1 > segXMax) {
 	  xx1 = segXMax;
 	}
-	addIntersection(segYMin, segYMax, seg->flags, y,
-			splashFloor(xx0), splashFloor(xx1));
+	if (!addIntersection(segYMin, segYMax, seg->flags, y,
+			splashFloor(xx0), splashFloor(xx1)))
+          break;
       }
     }
   }
@@ -340,12 +343,17 @@ void SplashXPathScanner::computeIntersections() {
   inter[yMax - yMin + 1] = i;
 }
 
-void SplashXPathScanner::addIntersection(double segYMin, double segYMax,
+GBool SplashXPathScanner::addIntersection(double segYMin, double segYMax,
 					 Guint segFlags,
 					 int y, int x0, int x1) {
   if (allInterLen == allInterSize) {
-    allInterSize *= 2;
-    allInter = (SplashIntersect *)greallocn(allInter, allInterSize,
+    unsigned int newInterSize = ((unsigned int) allInterSize * 2 > INT_MAX / sizeof(SplashIntersect)) ? allInterSize + 32768 : allInterSize * 2;
+    if (newInterSize >= INT_MAX / sizeof(SplashIntersect)) {
+      error(errInternal, -1, "Bogus memory allocation size in SplashXPathScanner::addIntersection {0:d}", newInterSize);
+      return gFalse;
+    }
+    allInterSize = newInterSize;
+    allInter = (SplashIntersect *)greallocn(allInter, newInterSize,
 					    sizeof(SplashIntersect));
   }
   allInter[allInterLen].y = y;
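Review bot: `newInterSize` is `unsigned int`, but the error call formats it with `{0:d}`, the signed-int specifier in poppler's format syntax; `{0:ud}` matches the argument type. The growth expression is also hard to audit as a one-line ternary mixing `unsigned int`, `int` and `size_t`. Naming the bound once, `const size_t maxInter = INT_MAX / sizeof(SplashIntersect);`, and comparing against it in both places would make the overflow guard easier to verify. `INT_MAX` needs `<limits.h>`, and no include is added in this diff, so it is presumably pulled in indirectly. The rest of `addIntersection` lies outside the hunk.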
@@ -365,6 +373,7 @@ void SplashXPathScanner::addIntersection(double segYMin, double segYMax,
     allInter[allInterLen].count = 0;
   }
   ++allInterLen;
+  return gTrue;
 }
 
 void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf,
diff --git a/splash/SplashXPathScanner.h b/splash/SplashXPathScanner.h
index b59e306..53bd22d 100644
--- a/splash/SplashXPathScanner.h
+++ b/splash/SplashXPathScanner.h
@@ -85,7 +85,7 @@ public:
 private:
 
   void computeIntersections();
-  void addIntersection(double segYMin, double segYMax,
+  GBool addIntersection(double segYMin, double segYMax,
 		       Guint segFlags,
 		       int y, int x0, int x1);
 

