diff options
Diffstat (limited to 'app-office/koffice/files/post-1.3-koffice-CAN-2005-3193.diff')
| -rw-r--r-- | app-office/koffice/files/post-1.3-koffice-CAN-2005-3193.diff | 238 |
1 files changed, 0 insertions, 238 deletions
diff --git a/app-office/koffice/files/post-1.3-koffice-CAN-2005-3193.diff b/app-office/koffice/files/post-1.3-koffice-CAN-2005-3193.diff deleted file mode 100644 index b1f436e9781f..000000000000 --- a/app-office/koffice/files/post-1.3-koffice-CAN-2005-3193.diff +++ /dev/null @@ -1,238 +0,0 @@ -Index: filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc -=================================================================== ---- filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc (revision 409205) -+++ filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc (revision 488234) -@@ -7,6 +7,7 @@ - //======================================================================== - - #include <aconf.h> -+#include <limits.h> - - #ifdef USE_GCC_PRAGMAS - #pragma implementation -@@ -977,6 +978,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, - w = wA; - h = hA; - line = (wA + 7) >> 3; -+ -+ if (h < 0 || line <= 0 || h >= INT_MAX / line) { -+ error(-1, "invalid width/height"); -+ data = NULL; -+ return; -+ } -+ - data = (Guchar *)gmalloc(h * line); - } - -@@ -986,6 +994,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, - w = bitmap->w; - h = bitmap->h; - line = bitmap->line; -+ -+ if (h < 0 || line <= 0 || h >= INT_MAX / line) { -+ error(-1, "invalid width/height"); -+ data = NULL; -+ return; -+ } -+ - data = (Guchar *)gmalloc(h * line); - memcpy(data, bitmap->data, h * line); - } -@@ -1012,7 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint - } - - void JBIG2Bitmap::expand(int newH, Guint pixel) { -- if (newH <= h) { -+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) { -+ error(-1, "invalid width/height"); -+ gfree(data); -+ data = NULL; - return; - } - data = (Guchar *)grealloc(data, newH * line); -@@ -2505,6 +2523,15 @@ void JBIG2Stream::readHalftoneRegionSeg( - error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); - return; - } -+ if (gridH == 0 || gridW >= INT_MAX / gridH) { -+ error(getPos(), "Bad size in JBIG2 halftone segment"); -+ return; -+ } -+ if (w == 0 || h >= INT_MAX / w) { -+ error(getPos(), "Bad size in JBIG2 bitmap segment"); -+ return; -+ } -+ - patternDict = (JBIG2PatternDict *)seg; - bpp = 0; - i = 1; -@@ -3078,6 +3105,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef - Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2; - int x, y, pix; - -+ if (w < 0 || h <= 0 || w >= INT_MAX / h) { -+ error(-1, "invalid width/height"); -+ return NULL; -+ } -+ - bitmap = new JBIG2Bitmap(0, w, h); - bitmap->clearToZero(); - -Index: filters/kword/pdf/xpdf/xpdf/Stream.cc -=================================================================== ---- filters/kword/pdf/xpdf/xpdf/Stream.cc (revision 409205) -+++ filters/kword/pdf/xpdf/xpdf/Stream.cc (revision 488234) -@@ -15,6 +15,7 @@ - #include <stdio.h> - #include <stdlib.h> - #include <stddef.h> -+#include <limits.h> - #ifndef WIN32 - #include <unistd.h> - #endif -@@ -409,13 +410,28 @@ StreamPredictor::StreamPredictor(Stream - width = widthA; - nComps = nCompsA; - nBits = nBitsA; -+ predLine = NULL; -+ ok = gFalse; -+ -+ if (width <= 0 || nComps <= 0 || nBits <= 0 || -+ nComps >= INT_MAX / nBits || -+ width >= INT_MAX / nComps / nBits) -+ return; - - nVals = width * nComps; -+ if (nVals + 7 <= 0) -+ return; -+ - pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; -+ if (rowBytes < 0) -+ return; -+ - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; -+ -+ ok = gTrue; - } - - StreamPredictor::~StreamPredictor() { -@@ -982,6 +998,10 @@ LZWStream::LZWStream(Stream *strA, int p - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if ( !pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -@@ -1227,6 +1247,11 @@ CCITTFaxStream::CCITTFaxStream(Stream *s - endOfLine = endOfLineA; - byteAlign = byteAlignA; - columns = columnsA; -+ if (columns < 1 || columns + 2 < 0 || columns + 3 < 0 || -+ (columns + 2) >= INT_MAX / sizeof(short) || (columns + 3) >= INT_MAX / sizeof(short)) { -+ error(-1, "invalid number of columns"); -+ exit(1); -+ } - rows = rowsA; - endOfBlock = endOfBlockA; - black = blackA; -@@ -2861,6 +2886,11 @@ GBool DCTStream::readBaselineSOF() { - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ numComps = 0; -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -2887,6 +2917,11 @@ GBool DCTStream::readProgressiveSOF() { - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ numComps = 0; -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -2909,6 +2944,11 @@ GBool DCTStream::readScanInfo() { - - length = read16() - 2; - scanInfo.numComps = str->getChar(); -+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { -+ scanInfo.numComps = 0; -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - --length; - if (length != 2 * scanInfo.numComps + 3) { - error(getPos(), "Bad DCT scan info block"); -@@ -2976,12 +3016,12 @@ GBool DCTStream::readHuffmanTables() { - while (length > 0) { - index = str->getChar(); - --length; -- if ((index & 0x0f) >= 4) { -+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { - error(getPos(), "Bad DCT Huffman table"); - return gFalse; - } - if (index & 0x10) { -- index &= 0x0f; -+ index &= 0x03; - if (index >= numACHuffTables) - numACHuffTables = index+1; - tbl = &acHuffTables[index]; -@@ -3069,9 +3109,11 @@ int DCTStream::readMarker() { - do { - do { - c = str->getChar(); -+ if(c == EOF) return EOF; - } while (c != 0xff); - do { - c = str->getChar(); -+ if(c == EOF) return EOF; - } while (c == 0xff); - } while (c == 0x00); - return c; -@@ -3179,6 +3221,10 @@ FlateStream::FlateStream(Stream *strA, i - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if ( !pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -Index: filters/kword/pdf/xpdf/xpdf/Stream.h -=================================================================== ---- filters/kword/pdf/xpdf/xpdf/Stream.h (revision 409205) -+++ filters/kword/pdf/xpdf/xpdf/Stream.h (revision 488234) -@@ -227,6 +227,7 @@ public: - - int lookChar(); - int getChar(); -+ GBool isOk() { return ok; } - - private: - -@@ -242,6 +243,7 @@ private: - int rowBytes; // bytes per line - Guchar *predLine; // line buffer - int predIdx; // current index in predLine -+ GBool ok; - }; - - //------------------------------------------------------------------------ |