Sophie

Sophie

distrib > Mandriva > 2009.1 > x86_64 > media > main-release-src > by-pkgid > 3c83bbb1176e313dd084f0338245b0ec > files > 18

tetex-3.0-48mdv2009.1.src.rpm

--- tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc.CAN-2004-0888	2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc	2005-02-08 09:53:47.921263552 +0100
@@ -64,6 +64,12 @@ Catalog::Catalog(XRef *xrefA) {
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +197,11 @@ int Catalog::readPageTree(Dict *pagesDic
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+	    pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {
--- tetex-src-3.0/libs/xpdf/xpdf/XRef.cc.CAN-2004-0888	2005-01-19 13:09:57.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/XRef.cc	2005-02-08 09:42:59.942771256 +0100
@@ -718,6 +718,10 @@ GBool XRef::constructXRef() {
 		    error(-1, "Bad object number");
 		    return gFalse;
 		  }
+		  if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+		    error(-1, "Invalid 'obj' parameters.");
+		    return gFalse;
+		  }
 		  entries = (XRefEntry *)
 		      grealloc(entries, newSize * sizeof(XRefEntry));
 		  for (i = size; i < newSize; ++i) {
@@ -741,6 +745,10 @@ GBool XRef::constructXRef() {
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+	if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
+	  error(-1, "Invalid 'endstream' parameter.");
+	  return gFalse;
+	}
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional