Index: kpdf/xpdf/Catalog.cc =================================================================== RCS file: /home/kde/kdegraphics/kpdf/xpdf/Catalog.cc,v retrieving revision 1.3 diff -u -5 -d -p -r1.3 Catalog.cc --- kpdf/xpdf/Catalog.cc 20 Aug 2003 21:25:12 -0000 1.3 +++ kpdf/xpdf/Catalog.cc 18 Oct 2004 20:12:09 -0000 @@ -61,10 +61,16 @@ Catalog::Catalog(XRef *xrefA) { obj.getTypeName()); goto err3; } pagesSize = numPages0 = obj.getInt(); obj.free(); + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; + } pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); for (i = 0; i < pagesSize; ++i) { pages[i] = NULL; pageRefs[i].num = -1; @@ -188,10 +194,15 @@ int Catalog::readPageTree(Dict *pagesDic ++start; goto err3; } if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); for (j = pagesSize - 32; j < pagesSize; ++j) { pages[j] = NULL; pageRefs[j].num = -1; Index: kpdf/xpdf/XRef.cc =================================================================== RCS file: /home/kde/kdegraphics/kpdf/xpdf/XRef.cc,v retrieving revision 1.3 diff -u -5 -d -p -r1.3 XRef.cc --- kpdf/xpdf/XRef.cc 20 Aug 2003 21:25:12 -0000 1.3 +++ kpdf/xpdf/XRef.cc 18 Oct 2004 20:12:09 -0000 @@ -74,10 +74,16 @@ XRef::XRef(BaseStream *strA, GString *ow return; } // trailer is ok - read the xref table } else { + if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { + error(-1, "Invalid 'size' inside xref table."); + ok = gFalse; + errCode = errDamaged; + return; + } entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry)); for (i = 0; i < size; ++i) { entries[i].offset = 0xffffffff; entries[i].used = gFalse; } @@ -265,10 +271,14 @@ GBool XRef::readXRef(Guint *pos) { } // check for buggy PDF files with an incorrect (too small) xref // table size if (first + n > size) { newSize = size + 256; + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'newSize'"); + goto err2; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; entries[i].used = gFalse; } @@ -413,10 +423,14 @@ GBool XRef::constructXRef() { ++p; } while (*p && isspace(*p)); if (!strncmp(p, "obj", 3)) { if (num >= size) { newSize = (num + 1 + 255) & ~255; + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; entries[i].used = gFalse; @@ -434,10 +448,15 @@ GBool XRef::constructXRef() { } } else if (!strncmp(p, "endstream", 9)) { if (streamEndsLen == streamEndsSize) { streamEndsSize += 64; + if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) { + error(-1, "Invalid 'endstream' parameter."); + return gFalse; + } + streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int)); } streamEnds[streamEndsLen++] = pos; }