Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff
diff options
context:
space:
mode:
Diffstat (limited to 'kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff')
-rw-r--r--kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff287
1 files changed, 0 insertions, 287 deletions
diff --git a/kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff b/kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff
deleted file mode 100644
index 0b6f22303de8..000000000000
--- a/kde-base/kpdf/files/post-3.5.0-kdegraphics-CAN-2005-3193.diff
+++ /dev/null
@@ -1,287 +0,0 @@
-Index: kpdf/xpdf/xpdf/JBIG2Stream.cc
-===================================================================
---- kpdf/xpdf/xpdf/JBIG2Stream.cc (revision 481099)
-+++ kpdf/xpdf/xpdf/JBIG2Stream.cc (revision 488715)
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
-
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -681,6 +682,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
- w = wA;
- h = hA;
- line = (wA + 7) >> 3;
-+
-+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line ) {
-+ data = NULL;
-+ return;
-+ }
-+
- // need to allocate one extra guard byte for use in combine()
- data = (Guchar *)gmalloc(h * line + 1);
- data[h * line] = 0;
-@@ -692,6 +699,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
- w = bitmap->w;
- h = bitmap->h;
- line = bitmap->line;
-+
-+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
-+ data = NULL;
-+ return;
-+ }
-+
- // need to allocate one extra guard byte for use in combine()
- data = (Guchar *)gmalloc(h * line + 1);
- memcpy(data, bitmap->data, h * line);
-@@ -720,7 +733,8 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
- }
-
- void JBIG2Bitmap::expand(int newH, Guint pixel) {
-- if (newH <= h) {
-+
-+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
- return;
- }
- // need to allocate one extra guard byte for use in combine()
-@@ -2305,6 +2319,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
- error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
- return;
- }
-+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
-+ error(getPos(), "Bad size in JBIG2 halftone segment");
-+ return;
-+ }
-+ if (h < 0 || w == 0 || h >= INT_MAX / w) {
-+ error(getPos(), "Bad size in JBIG2 bitmap segment");
-+ return;
-+ }
-+
- patternDict = (JBIG2PatternDict *)seg;
- bpp = 0;
- i = 1;
-@@ -2936,6 +2959,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
- JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
- int x, y, pix;
-
-+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
-+ return NULL;
-+
- bitmap = new JBIG2Bitmap(0, w, h);
- bitmap->clearToZero();
-
-Index: kpdf/xpdf/xpdf/Stream.cc
-===================================================================
---- kpdf/xpdf/xpdf/Stream.cc (revision 481099)
-+++ kpdf/xpdf/xpdf/Stream.cc (revision 488715)
-@@ -15,6 +15,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <stddef.h>
-+#include <limits.h>
- #ifndef WIN32
- #include <unistd.h>
- #endif
-@@ -408,13 +409,27 @@ StreamPredictor::StreamPredictor(Stream
- width = widthA;
- nComps = nCompsA;
- nBits = nBitsA;
-+ predLine = NULL;
-+ ok = gFalse;
-+
-+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-+ nComps >= INT_MAX / nBits ||
-+ width >= INT_MAX / nComps / nBits)
-+ return;
-
- nVals = width * nComps;
-+ if (nVals * nBits + 7 <= 0)
-+ return;
- pixBytes = (nComps * nBits + 7) >> 3;
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
-+ if (rowBytes < 0)
-+ return;
-+
- predLine = (Guchar *)gmalloc(rowBytes);
- memset(predLine, 0, rowBytes);
- predIdx = rowBytes;
-+
-+ ok = gTrue;
- }
-
- StreamPredictor::~StreamPredictor() {
-@@ -1006,6 +1021,10 @@ LZWStream::LZWStream(Stream *strA, int p
- FilterStream(strA) {
- if (predictor != 1) {
- pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if (!pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
-+ }
- } else {
- pred = NULL;
- }
-@@ -1258,8 +1277,9 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
- endOfLine = endOfLineA;
- byteAlign = byteAlignA;
- columns = columnsA;
-- if (columns < 1) {
-- columns = 1;
-+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
-+ error(getPos(), "Bad number of columns in CCITTFaxStream");
-+ exit(1);
- }
- rows = rowsA;
- endOfBlock = endOfBlockA;
-@@ -2903,7 +2923,12 @@ GBool DCTStream::readBaselineSOF() {
- height = read16();
- width = read16();
- numComps = str->getChar();
-- if (prec != 8) {
-+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream", prec);
-+ return gFalse;
-+ }
-+ if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
- }
-@@ -2929,6 +2954,11 @@ GBool DCTStream::readProgressiveSOF() {
- height = read16();
- width = read16();
- numComps = str->getChar();
-+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
-+ }
- if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
-@@ -2951,6 +2981,11 @@ GBool DCTStream::readScanInfo() {
-
- length = read16() - 2;
- scanInfo.numComps = str->getChar();
-+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
-+ scanInfo.numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
-+ }
- --length;
- if (length != 2 * scanInfo.numComps + 3) {
- error(getPos(), "Bad DCT scan info block");
-@@ -3035,12 +3070,12 @@ GBool DCTStream::readHuffmanTables() {
- while (length > 0) {
- index = str->getChar();
- --length;
-- if ((index & 0x0f) >= 4) {
-+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
- error(getPos(), "Bad DCT Huffman table");
- return gFalse;
- }
- if (index & 0x10) {
-- index &= 0x0f;
-+ index &= 0x03;
- if (index >= numACHuffTables)
- numACHuffTables = index+1;
- tbl = &acHuffTables[index];
-@@ -3833,6 +3868,10 @@ FlateStream::FlateStream(Stream *strA, i
- FilterStream(strA) {
- if (predictor != 1) {
- pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if (!pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
-+ }
- } else {
- pred = NULL;
- }
-Index: kpdf/xpdf/xpdf/Stream.h
-===================================================================
---- kpdf/xpdf/xpdf/Stream.h (revision 481099)
-+++ kpdf/xpdf/xpdf/Stream.h (revision 488715)
-@@ -232,6 +232,8 @@ public:
-
- ~StreamPredictor();
-
-+ GBool isOk() { return ok; }
-+
- int lookChar();
- int getChar();
-
-@@ -249,6 +251,7 @@ private:
- int rowBytes; // bytes per line
- Guchar *predLine; // line buffer
- int predIdx; // current index in predLine
-+ GBool ok;
- };
-
- //------------------------------------------------------------------------
---- kpdf/xpdf/xpdf/JPXStream.cc (revision 481099)
-+++ kpdf/xpdf/xpdf/JPXStream.cc (revision 488715)
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
-
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -783,7 +784,7 @@ GBool JPXStream::readCodestream(Guint /*
- int segType;
- GBool haveSIZ, haveCOD, haveQCD, haveSOT;
- Guint precinctSize, style;
-- Guint segLen, capabilities, comp, i, j, r;
-+ Guint segLen, capabilities, nTiles, comp, i, j, r;
-
- //----- main header
- haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -818,8 +819,13 @@ GBool JPXStream::readCodestream(Guint /*
- / img.xTileSize;
- img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
- / img.yTileSize;
-- img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
-- sizeof(JPXTile));
-+ nTiles = img.nXTiles * img.nYTiles;
-+ // check for overflow before allocating memory
-+ if (img.nXTiles <= 0 || img.nYTiles <= 0 || img.nXTiles >= INT_MAX / img.nYTiles) {
-+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+ return gFalse;
-+ }
-+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
- for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
- img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
- sizeof(JPXTileComp));
-Index: kpdf/xpdf/goo/gmem.c
-===================================================================
---- kpdf/xpdf/goo/gmem.c (revision 481099)
-+++ kpdf/xpdf/goo/gmem.c (revision 488715)
-@@ -11,6 +11,7 @@
- #include <stdlib.h>
- #include <stddef.h>
- #include <string.h>
-+#include <limits.h>
- #include "gmem.h"
-
- #ifdef DEBUG_MEM
-@@ -141,7 +142,7 @@ void *gmallocn(int nObjs, int objSize) {
- int n;
-
- n = nObjs * objSize;
-- if (objSize == 0 || n / objSize != nObjs) {
-+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
- fprintf(stderr, "Bogus memory allocation size\n");
- exit(1);
- }
-@@ -152,7 +153,7 @@ void *greallocn(void *p, int nObjs, int
- int n;
-
- n = nObjs * objSize;
-- if (objSize == 0 || n / objSize != nObjs) {
-+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
- fprintf(stderr, "Bogus memory allocation size\n");
- exit(1);
- }