*** XRef.cc.orig Thu Jul 22 11:04:22 2004
--- XRef.cc Thu Jul 22 11:04:31 2004
***************
*** 96,102 ****
    }
    nObjects = obj1.getInt();
    obj1.free();
!   if (nObjects == 0) {
      goto err1;
    }

--- 96,102 ----
    }
    nObjects = obj1.getInt();
    obj1.free();
!   if (nObjects <= 0) {
      goto err1;
    }

***************
*** 106,111 ****
--- 106,114 ----
    }
    first = obj1.getInt();
    obj1.free();
+   if (first < 0) {
+     goto err1;
+   }

    objs = new Object[nObjects];
    objNums = (int *)gmalloc(nObjects * sizeof(int));
***************
*** 130,135 ****
--- 133,144 ----
      offsets[i] = obj2.getInt();
      obj1.free();
      obj2.free();
+     if (objNums[i] < 0 || offsets[i] < 0 ||
+         (i > 0 && offsets[i] < offsets[i-1])) {
+       delete parser;
+       gfree(offsets);
+       goto err1;
+     }
    }
    while (str->getChar() != EOF) ;
    delete parser;
***************
*** 369,378 ****
      }
      n = obj.getInt();
      obj.free();
      if (first + n > size) {
        for (newSize = size ? 2 * size : 1024;
!            first + n > newSize;
             newSize <<= 1) ;
        entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
        for (i = size; i < newSize; ++i) {
          entries[i].offset = 0xffffffff;
--- 378,393 ----
      }
      n = obj.getInt();
      obj.free();
+     if (first < 0 || n < 0 || first + n < 0) {
+       goto err1;
+     }
      if (first + n > size) {
        for (newSize = size ? 2 * size : 1024;
!            first + n > newSize && newSize > 0;
             newSize <<= 1) ;
+       if (newSize < 0) {
+         goto err1;
+       }
        entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
        for (i = size; i < newSize; ++i) {
          entries[i].offset = 0xffffffff;
***************
*** 443,449 ****

    // check for an 'XRefStm' key
    if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
!     pos2 = obj2.getInt();
      readXRef(&pos2);
      if (!ok) {
        goto err1;
--- 458,464 ----

    // check for an 'XRefStm' key
    if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
! 
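Review bot: The new `nObjects <= 0` test rejects only non-positive counts, while the same value goes on to size `new Object[nObjects]` and `gmalloc(nObjects * sizeof(int))` in the 106,111 hunk, so a very large positive count still reaches those allocations and the `size_t` product can wrap on 32-bit targets. Pairing the test with an upper bound, `if (nObjects <= 0 || nObjects > INT_MAX / (int)sizeof(int)) { goto err1; }` (with `INT_MAX` from `<climits>`), closes both ends. The enclosing constructor begins before this hunk, so an earlier limit on the count would not be visible here.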
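Review bot: The rejection of a decreasing `offsets[i]` in the 133,144 hunk carries no explanation, and the code that depends on the ordering is outside the hunk, so a future edit could relax the check without noticing what it protects; a comment on the `if`, e.g. `// offsets must be non-negative and non-decreasing; presumably later code derives each object's extent from consecutive entries — confirm against the use below`, would record the intent. Duplicate `objNums[i]` values still pass, which may be deliberate. The loop and the constructor both continue outside the hunk.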
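Review bot: The `first + n < 0` test added at the top of the 378,393 hunk, the `newSize > 0` loop condition and the `newSize < 0` check after it all detect overflow by inspecting a wrapped signed `int`, which is undefined behaviour in C++ and which a compiler may legitimately assume cannot happen once it knows both operands are non-negative; `if (first < 0 || n < 0 || n > INT_MAX - first) { goto err1; }` and a bound on `newSize` before each shift express the same intent without relying on wrap-around. The same idiom appears in the 573,588 hunk (`readXRefStreamSection`) and in the `newSize < 0` check of the 694,737 hunk. In addition, the `newSize * sizeof(XRefEntry)` argument to `grealloc` here, in the 489,497 hunk, in 573,588 and in 694,737 is a `size_t` product that can wrap on 32-bit targets even for a valid positive `newSize`; a guard such as `if (newSize > INT_MAX / (int)sizeof(XRefEntry)) { goto err1; }` before each `grealloc` closes that. `readXRefTable` begins before this hunk.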
      pos2 = (Guint)obj2.getInt();
      readXRef(&pos2);
      if (!ok) {
        goto err1;
***************
*** 474,479 ****
--- 489,497 ----
    }
    newSize = obj.getInt();
    obj.free();
+   if (newSize < 0) {
+     goto err1;
+   }
    if (newSize > size) {
      entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
      for (i = size; i < newSize; ++i) {
***************
*** 494,499 ****
--- 512,520 ----
      }
      w[i] = obj2.getInt();
      obj2.free();
+     if (w[i] < 0 || w[i] > 4) {
+       goto err1;
+     }
    }
    obj.free();

***************
*** 513,525 ****
        }
        n = obj.getInt();
        obj.free();
!       if (!readXRefStreamSection(xrefStr, w, first, n)) {
          idx.free();
          goto err0;
        }
      }
    } else {
!     if (!readXRefStreamSection(xrefStr, w, 0, size)) {
        idx.free();
        goto err0;
      }
--- 534,547 ----
        }
        n = obj.getInt();
        obj.free();
!       if (first < 0 || n < 0 ||
!           !readXRefStreamSection(xrefStr, w, first, n)) {
          idx.free();
          goto err0;
        }
      }
    } else {
!     if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
        idx.free();
        goto err0;
      }
***************
*** 551,560 ****
    Guint offset;
    int type, gen, c, newSize, i, j;

    if (first + n > size) {
      for (newSize = size ? 2 * size : 1024;
!          first + n > newSize;
           newSize <<= 1) ;
      entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
      for (i = size; i < newSize; ++i) {
        entries[i].offset = 0xffffffff;
--- 573,588 ----
    Guint offset;
    int type, gen, c, newSize, i, j;

+   if (first + n < 0) {
+     return gFalse;
+   }
    if (first + n > size) {
      for (newSize = size ? 2 * size : 1024;
!          first + n > newSize && newSize > 0;
           newSize <<= 1) ;
+     if (newSize < 0) {
+       return gFalse;
+     }
      entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
      for (i = size; i < newSize; ++i) {
        entries[i].offset = 0xffffffff;
***************
*** 585,608 ****
        }
        gen = (gen << 8) + c;
      }
!     switch (type) {
!     case 0:
!       entries[i].offset = offset;
!       entries[i].gen = gen;
!       entries[i].type = xrefEntryFree;
!       break;
!     case 1:
!       entries[i].offset = offset;
!       entries[i].gen = gen;
!       entries[i].type = xrefEntryUncompressed;
!       break;
!     case 2:
! 
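Review bot: The cast in `pos2 = (Guint)obj2.getInt();` quiets the signed-to-unsigned conversion but does not reject a negative `XRefStm` value, which simply becomes a very large offset passed to `readXRef(&pos2)`; unless `readXRef` (outside this hunk) validates the position itself, `if (obj2.getInt() < 0) { goto err1; }` before the cast would fail fast on such input. `readXRefTable` continues outside the hunk.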
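Review bot: The `w[i] > 4` bound in the 512,520 hunk is unexplained; the fields are later assembled byte by byte into 32-bit values (`gen = (gen << 8) + c` in the 613,638 hunk, `Guint offset` in the 573,588 hunk), so a comment on the check such as `// fields are accumulated into 32-bit ints below, so at most 4 bytes each` records why 4 is the limit. `readXRefStream` continues outside the hunk.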
        entries[i].offset = offset;
!       entries[i].gen = gen;
!       entries[i].type = xrefEntryCompressed;
!       break;
!     default:
!       return gFalse;
      }
    }

--- 613,638 ----
        }
        gen = (gen << 8) + c;
      }
!     if (entries[i].offset == 0xffffffff) {
!       switch (type) {
!       case 0:
!         entries[i].offset = offset;
!         entries[i].gen = gen;
!         entries[i].type = xrefEntryFree;
!         break;
!       case 1:
!         entries[i].offset = offset;
!         entries[i].gen = gen;
!         entries[i].type = xrefEntryUncompressed;
!         break;
!       case 2:
!         entries[i].offset = offset;
!         entries[i].gen = gen;
!         entries[i].type = xrefEntryCompressed;
!         break;
!       default:
!         return gFalse;
!       }
      }
    }

***************
*** 664,701 ****
        // look for object
        } else if (isdigit(*p)) {
          num = atoi(p);
!         do {
!           ++p;
!         } while (*p && isdigit(*p));
!         if (isspace(*p)) {
            do {
              ++p;
!           } while (*p && isspace(*p));
!           if (isdigit(*p)) {
!             gen = atoi(p);
              do {
                ++p;
!             } while (*p && isdigit(*p));
!             if (isspace(*p)) {
                do {
                  ++p;
!               } while (*p && isspace(*p));
!               if (!strncmp(p, "obj", 3)) {
!                 if (num >= size) {
!                   newSize = (num + 1 + 255) & ~255;
!                   entries = (XRefEntry *)
!                     grealloc(entries, newSize * sizeof(XRefEntry));
!                   for (i = size; i < newSize; ++i) {
!                     entries[i].offset = 0xffffffff;
!                     entries[i].type = xrefEntryFree;
                    }
-                   size = newSize;
-                 }
-                 if (entries[num].type == xrefEntryFree ||
-                     gen >= entries[num].gen) {
-                   entries[num].offset = pos - start;
-                   entries[num].gen = gen;
-                   entries[num].type = xrefEntryUncompressed;
                  }
                }
              }
--- 694,737 ----
        // look for object
        } else if (isdigit(*p)) {
          num = atoi(p);
!         if (num > 0) {
            do {
              ++p;
!           } while (*p && isdigit(*p));
!           if (isspace(*p)) {
              do {
                ++p;
!             } while (*p && isspace(*p));
!             if (isdigit(*p)) {
!               gen = atoi(p);
                do {
                  ++p;
!               } while (*p && isdigit(*p));
!               if (isspace(*p)) {
!                 do {
!                   ++p;
!                 } while (*p && isspace(*p));
!                 if (!strncmp(p, "obj", 3)) {
!                   if (num >= size) {
!                     newSize = (num + 1 + 255) & ~255;
!                     if (newSize < 0) {
!                       error(-1, "Bad object number");
!                       return gFalse;
!                     }
!                     entries = (XRefEntry *)
! 
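Review bot: Wrapping the `switch` in `if (entries[i].offset == 0xffffffff)` in the 613,638 hunk also changes the error behaviour: for an entry that a previously read section has already filled, an invalid `type` no longer reaches `default: return gFalse;` and the malformed record is accepted silently, where before it failed the section. If that is intended (presumably sections read later only fill gaps left by earlier ones), a comment on the new `if`, e.g. `// an entry already set by a previously read section is kept; only fill unset ones`, would document it; if not, validate `type` before the guard. The surrounding `for` loop and `readXRefStreamSection` continue outside the hunk.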
                      grealloc(entries, newSize * sizeof(XRefEntry));
!                   for (i = size; i < newSize; ++i) {
!                     entries[i].offset = 0xffffffff;
!                     entries[i].type = xrefEntryFree;
!                   }
!                   size = newSize;
!                 }
!                 if (entries[num].type == xrefEntryFree ||
!                     gen >= entries[num].gen) {
!                   entries[num].offset = pos - start;
!                   entries[num].gen = gen;
!                   entries[num].type = xrefEntryUncompressed;
                  }
                }
              }
            }
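Review bot: `num = atoi(p)` (and `gen = atoi(p)` further down) has undefined behaviour when the digit run does not fit an `int`, so the new `if (num > 0)` guard only works if `atoi` happens to return a non-positive value on overflow, which the C standard does not promise; parsing with `strtol` and rejecting `ERANGE` or any value above a sane bound makes the guard dependable. Likewise `newSize = (num + 1 + 255) & ~255;` followed by `if (newSize < 0)` relies on signed addition wrapping, and `newSize * sizeof(XRefEntry)` remains an unchecked `size_t` product; testing `num` against `INT_MAX - 256` before the rounding covers both. `constructXRef` starts and ends outside this hunk.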