[poppler] 2 commits - poppler/Hints.cc poppler/Hints.h
Albert Astals Cid
aacid at kemper.freedesktop.org
Wed Dec 7 21:39:59 UTC 2016
poppler/Hints.cc | 24 ++++++++++++------------
poppler/Hints.h | 1 -
2 files changed, 12 insertions(+), 13 deletions(-)
New commits:
commit 7ac94c8f552f0db13334d4d014cfdb54de72c451
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed Dec 7 22:38:48 2016 +0100
nSharedGroups doesn't need to be a class member
And also mark some variables as const to make it easier to see they don't change
diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index ad670c8..7f11304 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -141,7 +141,6 @@ Hints::Hints(BaseStream *str, Linearization *linearization, XRef *xref, Security
memset(numSharedObject, 0, nPages * sizeof(Guint));
memset(pageObjectNum, 0, nPages * sizeof(int));
- nSharedGroups = 0;
groupLength = NULL;
groupOffset = NULL;
groupHasSignature = NULL;
@@ -351,34 +350,30 @@ GBool Hints::readSharedObjectsTable(Stream *str)
{
StreamBitReader sbr(str);
- Guint firstSharedObjectNumber = sbr.readBits(32);
+ const Guint firstSharedObjectNumber = sbr.readBits(32);
- Guint firstSharedObjectOffset = sbr.readBits(32);
- firstSharedObjectOffset += hintsLength;
+ const Guint firstSharedObjectOffset = sbr.readBits(32) + hintsLength;
- Guint nSharedGroupsFirst = sbr.readBits(32);
+ const Guint nSharedGroupsFirst = sbr.readBits(32);
- Guint nSharedGroups = sbr.readBits(32);
+ const Guint nSharedGroups = sbr.readBits(32);
- Guint nBitsNumObjects = sbr.readBits(16);
+ const Guint nBitsNumObjects = sbr.readBits(16);
- Guint groupLengthLeast = sbr.readBits(32);
+ const Guint groupLengthLeast = sbr.readBits(32);
- Guint nBitsDiffGroupLength = sbr.readBits(16);
+ const Guint nBitsDiffGroupLength = sbr.readBits(16);
if ((!nSharedGroups) || (nSharedGroups >= INT_MAX / (int)sizeof(Guint))) {
error(errSyntaxWarning, -1, "Invalid number of shared object groups");
- nSharedGroups = 0;
return gFalse;
}
if ((!nSharedGroupsFirst) || (nSharedGroupsFirst > nSharedGroups)) {
error(errSyntaxWarning, -1, "Invalid number of first page shared object groups");
- nSharedGroups = 0;
return gFalse;
}
if (nBitsNumObjects > 32 || nBitsDiffGroupLength > 32) {
error(errSyntaxWarning, -1, "Invalid shared object groups bit length");
- nSharedGroups = 0;
return gFalse;
}
@@ -390,7 +385,6 @@ GBool Hints::readSharedObjectsTable(Stream *str)
if (!groupLength || !groupOffset || !groupHasSignature ||
!groupNumObjects || !groupXRefOffset) {
error(errSyntaxWarning, -1, "Failed to allocate memory for shared object groups");
- nSharedGroups = 0;
return gFalse;
}
diff --git a/poppler/Hints.h b/poppler/Hints.h
index d0a2e7d..f9d05da 100644
--- a/poppler/Hints.h
+++ b/poppler/Hints.h
@@ -79,7 +79,6 @@ private:
Guint *numSharedObject;
Guint **sharedObjectId;
- Guint nSharedGroups;
Guint *groupLength;
Guint *groupOffset;
Guint *groupHasSignature;
commit 4c4b913802c79eb8bf9c0ce72a08842851f1c5bc
Author: Jeffrey Morlan <jmmorlan at sonic.net>
Date: Wed Dec 7 22:36:26 2016 +0100
Bail out if nBitsNumObjects or nBitsDiffGroupLength are greater than 32
Bug #94941
diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 4cca2c8..ad670c8 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -9,6 +9,7 @@
// Copyright 2010, 2013 Pino Toscano <pino at kde.org>
// Copyright 2013 Adrian Johnson <ajohnson at redneon.com>
// Copyright 2014 Fabio D'Urso <fabiodurso at hotmail.it>
+// Copyright 2016 Jeffrey Morlan <jmmorlan at sonic.net>
//
//========================================================================
@@ -375,6 +376,11 @@ GBool Hints::readSharedObjectsTable(Stream *str)
nSharedGroups = 0;
return gFalse;
}
+ if (nBitsNumObjects > 32 || nBitsDiffGroupLength > 32) {
+ error(errSyntaxWarning, -1, "Invalid shared object groups bit length");
+ nSharedGroups = 0;
+ return gFalse;
+ }
groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint));
More information about the poppler
mailing list