$OpenBSD: patch-pdftops_XRef_cxx,v 1.2 2005/01/22 17:12:43 mbalmer Exp $
--- pdftops/XRef.cxx.orig Wed Oct 13 22:55:53 2004
+++ pdftops/XRef.cxx Sat Jan 22 17:42:31 2005
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include "gmem.h"
 #include "Object.h"
 #include "Stream.h"
@@ -76,7 +77,7 @@ XRef::XRef(BaseStream *strA, GString *ow
 // trailer is ok - read the xref table
 } else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if ((unsigned) size >= INT_MAX / sizeof(XRefEntry)) {
 error(-1, "Invalid 'size' inside xref table.");
 ok = gFalse;
 errCode = errDamaged;
@@ -291,7 +292,7 @@ GBool XRef::readXRef(Guint *pos) {
 // table size
 if (first + n > size) {
 newSize = first + n;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
 error(-1, "Invalid 'newSize'");
 goto err2;
 }
@@ -445,7 +446,7 @@ GBool XRef::constructXRef() {
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if ((unsigned ) newSize >= INT_MAX / sizeof(XRefEntry)) {
 error(-1, "Invalid 'obj' parameters.");
 return gFalse;
 }
@@ -470,7 +471,7 @@ GBool XRef::constructXRef() {
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if ((unsigned) streamEndsSize >= INT_MAX / sizeof(int)) {
 error(-1, "Invalid 'endstream' parameter.");
 return gFalse;
 }
@@ -526,6 +527,9 @@ GBool XRef::checkEncrypted(GString *owne
 keyLength = lengthObj.getInt() / 8;
 } else {
 keyLength = 5;
+ }
+ if (keyLength > 16) {
+ keyLength = 16;
 }
 permFlags = permissions.getInt();
 if (encVersion >= 1 && encVersion <= 2 &&
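Review bot: The new guard in the XRef::XRef hunk (`@@ -76,7 +77,7 @@`) depends on the `(unsigned)` cast to make a negative `size` compare as a huge value, so that one test rejects both negative and oversized counts, and nothing in the code records that. A comment above the test such as `// the cast maps negative counts to huge values; one compare rejects both` would keep a later cleanup from dropping the cast as redundant. The same expression is repeated in the readXRef hunk and in both constructXRef hunks, where it is already spelled `(unsigned )` once, so a small static helper taking the element count and element size would keep the four copies from drifting apart. The enclosing functions start and end outside these hunks.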
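Review bot: In the readXRef hunk (`@@ -291,7 +292,7 @@`) the sum `first + n` is evaluated in the `if` and again for `newSize` before the new guard runs, so the guard only ever sees the result of an addition that may already have wrapped. If `first` and `n` are signed ints read from the document (their declarations are outside the hunk), a wrapped sum fails `first + n > size` and the resize and its check are skipped altogether. Validating the operands ahead of the addition, with `if (first < 0 || n < 0 || first > INT_MAX - n)` leading to the function's existing error exit, would close that gap. readXRef's body starts and ends outside the hunk, so whether such a check already exists earlier cannot be seen here.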
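Review bot: The clamp added in the checkEncrypted hunk (`@@ -526,6 +527,9 @@`) bounds `keyLength` only from above, while `lengthObj.getInt() / 8` can also produce zero or a negative value, which passes `keyLength > 16` unchanged. How `keyLength` is consumed lies outside the hunk, but if it sizes a copy into a fixed key buffer the lower bound needs the same treatment, for example `if (keyLength < 1) { keyLength = 1; }` placed next to the new test. An out-of-range length is also clamped silently here, whereas the other hunks of this patch report malformed input through `error(-1, ...)`. The literal 16 would read better as a named constant tied to the size of the key buffer it protects.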