73df9cb65e
o iDefense advisories from 2005-12-05 o CAN-2005-3191, CAN-2005-3192, CAN-2005-3193 - JPX Stream Reader Heap Overflow Vulnerability - DCTStream Baseline Heap Overflow Vulnerability - DCTStream Progressive Heap Overflow - StreamPredictor Heap Overflow Vulnerability Patch provided by xpdf developers.
$OpenBSD: patch-xpdf_JPXStream_cc,v 1.1 2005/12/07 09:22:15 bernd Exp $
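--- xpdf/JPXStream.cc.orig Wed Aug 17 07:34:31 2005
+++ xpdf/JPXStream.cc Tue Dec 6 21:13:44 2005
@@ -783,7 +783,7 @@ GBool JPXStream::readCodestream(Guint le
 int segType;
 GBool haveSIZ, haveCOD, haveQCD, haveSOT;
 Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
 
 //----- main header
 haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -818,8 +818,13 @@ GBool JPXStream::readCodestream(Guint le
 / img.xTileSize;
 img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
 / img.yTileSize;
- img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
 for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
 img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
 sizeof(JPXTileComp));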
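Review bot: The new guard in the second hunk catches only wrap-around in the product `img.nXTiles * img.nYTiles`; the two ceiling divisions just above it still run on unchecked values. If those fields come straight from the SIZ segment (the reads are outside the hunk, so this is inferred), a zero `img.yTileSize` or `img.xTileSize` divides by zero, and a tile offset larger than the image size wraps the unsigned subtraction into a huge tile count. Unless this is already validated earlier in `readCodestream`, I would reject those cases before the divisions, e.g. `if (img.xTileSize == 0 || img.yTileSize == 0 || img.yTileOffset > img.ySize) { error(getPos(), "Bad tile size in JPX SIZ marker segment"); return gFalse; }`, plus the matching x-offset test. The `for` loop after the allocation also still recomputes the product; `for (i = 0; i < nTiles; ++i) {` would keep the bound tied to the value that was checked. The function body starts and ends outside both hunks.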