
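--- a/kpdf-3.5.10/kpdf/xpdf/splash/Splash.cc
+++ b/kpdf-3.5.10/kpdf/xpdf/splash/Splash.cc
@@ -12,6 +12,7 @@
 
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashMath.h"
@@ -1937,7 +1938,10 @@ SplashError Splash::fillImageMask(Splash
   xq = w % scaledWidth;
 
   // allocate pixel buffer
-  pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+  if (yp < 0 || yp > INT_MAX - 1) {
+    return splashErrBadArg;
+  }
+  pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
 
   // initialize the pixel pipe
   pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2233,9 +2237,12 @@ SplashError Splash::drawImage(SplashImag
   xq = w % scaledWidth;
 
   // allocate pixel buffers
-  colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+  if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
+    return splashErrBadArg;
+  }
+  colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
   if (srcAlpha) {
-    alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
+    alphaBuf = (Guchar *)gmallocn(yp + 1, w);
   } else {
     alphaBuf = NULL;
   }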
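Review bot: In the drawImage hunk the guard `w > INT_MAX / nComps` is one-sided: a negative `w` passes it, and the product `w * nComps` handed to `gmallocn(yp + 1, w * nComps)` can still overflow for a large negative value. Where `w` comes from is outside the hunk, so if a malformed image can make it negative, add the lower bound: `if (yp < 0 || yp > INT_MAX - 1 || w < 0 || w > INT_MAX / nComps) {`. A short comment above each new check saying that it guards the allocation size against integer overflow would also help the next reader. Both function bodies extend beyond the hunks shown.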
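--- a/kpdf-3.5.10/kpdf/xpdf/splash/SplashBitmap.cc
+++ b/kpdf-3.5.10/kpdf/xpdf/splash/SplashBitmap.cc
@@ -11,6 +11,7 @@
 #endif
 
 #include <stdio.h>
+#include <limits.h>
 #include "gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashBitmap.h"
@@ -27,30 +28,48 @@ SplashBitmap::SplashBitmap(int widthA, i
   mode = modeA;
   switch (mode) {
   case splashModeMono1:
-    rowSize = (width + 7) >> 3;
+    if (width > 0) {
+      rowSize = (width + 7) >> 3;
+    } else {
+      rowSize = -1;
+    }
     break;
   case splashModeMono8:
-    rowSize = width;
+    if (width > 0) {
+      rowSize = width;
+    } else {
+      rowSize = -1;
+    }
     break;
   case splashModeRGB8:
   case splashModeBGR8:
-    rowSize = width * 3;
+    if (width > 0 && width <= INT_MAX / 3) {
+      rowSize = width * 3;
+    } else {
+      rowSize = -1;
+    }
     break;
 #if SPLASH_CMYK
   case splashModeCMYK8:
-    rowSize = width * 4;
+    if (width > 0 && width <= INT_MAX / 4) {
+      rowSize = width * 4;
+    } else {
+      rowSize = -1;
+    }
     break;
 #endif
   }
-  rowSize += rowPad - 1;
-  rowSize -= rowSize % rowPad;
-  data = (SplashColorPtr)gmallocn(rowSize, height);
+  if (rowSize > 0) {
+    rowSize += rowPad - 1;
+    rowSize -= rowSize % rowPad;
+  }
+  data = (SplashColorPtr)gmallocn(height, rowSize);
   if (!topDown) {
     data += (height - 1) * rowSize;
     rowSize = -rowSize;
   }
   if (alphaA) {
-    alpha = (Guchar *)gmalloc(width * height);
+    alpha = (Guchar *)gmallocn(width, height);
   } else {
     alpha = NULL;
   }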
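Review bot: Two additions in the constructor can still overflow `int` after the new checks. In the `splashModeMono1` case `width + 7` wraps for `width > INT_MAX - 7`, and `rowSize += rowPad - 1` wraps when `rowSize` is within `rowPad - 1` of `INT_MAX`, which the Mono8 case allows because it only tests `width > 0`. Tighten both with `if (width > 0 && width <= INT_MAX - 7) {` for Mono1 and `if (rowSize > 0 && rowSize <= INT_MAX - (rowPad - 1)) {` for the padding step, adding an `else` there that sets `rowSize = -1`. The range of `rowPad` is not visible in the hunk, so the second bound assumes it is a small positive value. The constructor starts above the hunk.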
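--- a/kpdf-3.5.10/kpdf/xpdf/splash/SplashErrorCodes.h
+++ b/kpdf-3.5.10/kpdf/xpdf/splash/SplashErrorCodes.h
@@ -31,4 +31,6 @@
 
 #define splashErrZeroImage       9      // image of 0x0
 
+#define splashErrBadArg          9	// bad argument
+
 #endif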
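Review bot: `splashErrBadArg` is defined as 9, the same value the context line above it gives to `splashErrZeroImage`, so a caller or log that inspects the returned SplashError cannot tell a rejected oversized image from an empty one. Give it its own code, for example `#define splashErrBadArg 10 // bad argument`, after confirming that value is unused. The earlier error codes are outside the hunk.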
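--- a/kpdf-3.5.10/kpdf/xpdf/xpdf/PSOutputDev.cc
+++ b/kpdf-3.5.10/kpdf/xpdf/xpdf/PSOutputDev.cc
@@ -4386,7 +4386,7 @@ void PSOutputDev::doImageL1Sep(GfxImageC
 	     width, -height, height);
 
   // allocate a line buffer
-  lineBuf = (Guchar *)gmalloc(4 * width);
+  lineBuf = (Guchar *)gmallocn(width, 4);
 
   // set up to process the data stream
   imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),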
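--- a/kpdf-3.5.10/kpdf/xpdf/xpdf/Stream.cc
+++ b/kpdf-3.5.10/kpdf/xpdf/xpdf/Stream.cc
@@ -323,6 +323,10 @@ ImageStream::ImageStream(Stream *strA, i
   } else {
     imgLineSize = nVals;
   }
+  if (width > INT_MAX / nComps) {
+    // force a call to gmallocn(-1,...), which will throw an exception
+    imgLineSize = -1;
+  }
   imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
   imgIdx = nVals;
 }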
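Review bot: The new guard `width > INT_MAX / nComps` divides by `nComps` without first rejecting `nComps <= 0`, and it runs after `imgLineSize = nVals`. If `nVals` is the product of `width` and `nComps` (it is computed above the hunk, so this is inferred), the overflow has already happened by the time it is tested, and `imgIdx = nVals` still uses the wrapped value. Consider `if (nComps <= 0 || width > INT_MAX / nComps) {` and moving the test ahead of the multiplication. The failure path also depends on `gmallocn(-1, ...)` throwing, as the added comment says; if a build makes gmallocn terminate instead, a malformed image would end the whole process, so an explicit error return would be more robust. The constructor begins outside the hunk.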
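--- a/kpdf-3.5.10/kpdf/xpdf/xpdf/XRef.cc
+++ b/kpdf-3.5.10/kpdf/xpdf/xpdf/XRef.cc
@@ -52,6 +52,8 @@ public:
   // generation 0.
   ObjectStream(XRef *xref, int objStrNumA);
 
+  GBool isOk() { return ok; }
+
   ~ObjectStream();
 
   // Return the object number of this object stream.
@@ -67,6 +69,7 @@ private:
   int nObjects;			// number of objects in the stream
   Object *objs;			// the objects (length = nObjects)
   int *objNums;			// the object numbers (length = nObjects)
+  GBool ok;
 };
 
 ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -80,6 +83,7 @@ ObjectStream::ObjectStream(XRef *xref, i
   nObjects = 0;
   objs = NULL;
   objNums = NULL;
+  ok = gFalse;
 
   if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
     goto err1;
@@ -105,6 +109,13 @@ ObjectStream::ObjectStream(XRef *xref, i
     goto err1;
   }
 
+  // this is an arbitrary limit to avoid integer overflow problems
+  // in the 'new Object[nObjects]' call (Acrobat apparently limits
+  // object streams to 100-200 objects)
+  if (nObjects > 1000000) {
+    error(-1, "Too many objects in an object stream");
+    goto err1;
+  }
   objs = new Object[nObjects];
   objNums = (int *)gmallocn(nObjects, sizeof(int));
   offsets = (int *)gmallocn(nObjects, sizeof(int));
@@ -161,10 +172,10 @@ ObjectStream::ObjectStream(XRef *xref, i
   }
 
   gfree(offsets);
+  ok = gTrue;
 
  err1:
   objStr.free();
-  return;
 }
 
 ObjectStream::~ObjectStream() {
@@ -837,6 +848,11 @@ Object *XRef::fetch(int num, int gen, Ob
 	delete objStr;
       }
       objStr = new ObjectStream(this, e->offset);
+      if (!objStr->isOk()) {
+	delete objStr;
+	objStr = NULL;
+	goto err;
+      }
     }
     objStr->getObject(e->gen, num, obj);
     break;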
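Review bot: On the new `nObjects > 1000000` rejection path the constructor jumps to `err1` with `nObjects` still holding the oversized count while `objs` and `objNums` remain NULL, so a failed ObjectStream carries a count that does not match its arrays. XRef::fetch now checks `isOk()` before use, but the destructor and getObject are outside these hunks and may read that count. Resetting it with `nObjects = 0;` before the `goto err1;` keeps the failed object self-consistent. The new accessor also deserves a comment in the class, e.g. `// Returns gTrue if the stream was parsed successfully; check before calling getObject().`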
