bf60fbb21f
o iDefense advisories from 2005-12-05 o CAN-2005-3191, CAN-2005-3192, CAN-2005-3193 - JPX Stream Reader Heap Overflow Vulnerability - DCTStream Baseline Heap Overflow Vulnerability - DCTStream Progressive Heap Overflow - StreamPredictor Heap Overflow Vulnerability Patch provided by xpdf developers. Remove mbalmer@ from MAINTAINER per his request.
76 lines
2.0 KiB
Plaintext
76 lines
2.0 KiB
Plaintext
$OpenBSD: patch-xpdf_Stream_cc,v 1.1 2005/12/07 10:51:40 bernd Exp $
|
|
--- xpdf/Stream.cc.orig Mon May 17 21:37:57 2004
|
|
+++ xpdf/Stream.cc Tue Dec 6 22:42:37 2005
|
|
@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
|
|
|
|
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
|
|
int widthA, int nCompsA, int nBitsA) {
|
|
+ int totalBits;
|
|
+
|
|
str = strA;
|
|
predictor = predictorA;
|
|
width = widthA;
|
|
nComps = nCompsA;
|
|
nBits = nBitsA;
|
|
+ predLine = NULL;
|
|
+ ok = gFalse;
|
|
|
|
nVals = width * nComps;
|
|
+ totalBits = nVals * nBits;
|
|
+ if (totalBits == 0 ||
|
|
+ (totalBits / nBits) / nComps != width ||
|
|
+ totalBits + 7 < 0) {
|
|
+ return;
|
|
+ }
|
|
pixBytes = (nComps * nBits + 7) >> 3;
|
|
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
|
|
+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
|
|
+ if (rowBytes < 0) {
|
|
+ return;
|
|
+ }
|
|
predLine = (Guchar *)gmalloc(rowBytes);
|
|
memset(predLine, 0, rowBytes);
|
|
predIdx = rowBytes;
|
|
+
|
|
+ ok = gTrue;
|
|
}
|
|
|
|
StreamPredictor::~StreamPredictor() {
|
|
@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
|
|
FilterStream(strA) {
|
|
if (predictor != 1) {
|
|
pred = new StreamPredictor(this, predictor, columns, colors, bits);
|
|
+ if (!pred->isOk()) {
|
|
+ delete pred;
|
|
+ pred = NULL;
|
|
+ }
|
|
} else {
|
|
pred = NULL;
|
|
}
|
|
@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
|
|
height = read16();
|
|
width = read16();
|
|
numComps = str->getChar();
|
|
+ if (numComps <= 0 || numComps > 4) {
|
|
+ error(getPos(), "Bad number of components in DCT stream", prec);
|
|
+ return gFalse;
|
|
+ }
|
|
+ if (numComps <= 0 || numComps > 4) {
|
|
+ error(getPos(), "Bad number of components in DCT stream", prec);
|
|
+ return gFalse;
|
|
+ }
|
|
if (prec != 8) {
|
|
error(getPos(), "Bad DCT precision %d", prec);
|
|
return gFalse;
|
|
@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
|
|
FilterStream(strA) {
|
|
if (predictor != 1) {
|
|
pred = new StreamPredictor(this, predictor, columns, colors, bits);
|
|
+ if (!pred->isOk()) {
|
|
+ delete pred;
|
|
+ pred = NULL;
|
|
+ }
|
|
} else {
|
|
pred = NULL;
|
|
}
|