poppler/Hints.cc | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-)
New commits: commit c6127898b13311197971b1c6b1b306b91e28cf0e Author: Hib Eris <[email protected]> Date: Mon Nov 22 13:08:48 2010 +0000 Use gmallocn_checkoverflow when parsing Hints table Prevents running out of memory with malicious documents. diff --git a/poppler/Hints.cc b/poppler/Hints.cc index 7ea9c7b..a730e56 100644 --- a/poppler/Hints.cc +++ b/poppler/Hints.cc @@ -47,13 +47,13 @@ Hints::Hints(BaseStream *str, Linearization *linearization, XRef *xref, Security error(-1, "Invalid number of pages (%d) for hints table", nPages); nPages = 0; } - nObjects = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageObjectNum = (int *) gmallocn(nPages, sizeof(int)); - xRefOffset = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageLength = (Guint *) gmallocn(nPages, sizeof(Guint)); - pageOffset = (Guint *) gmallocn(nPages, sizeof(Guint)); - numSharedObject = (Guint *) gmallocn(nPages, sizeof(Guint)); - sharedObjectId = (Guint **) gmallocn(nPages, sizeof(Guint*)); + nObjects = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageObjectNum = (int *) gmallocn_checkoverflow(nPages, sizeof(int)); + xRefOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageLength = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + pageOffset = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + numSharedObject = (Guint *) gmallocn_checkoverflow(nPages, sizeof(Guint)); + sharedObjectId = (Guint **) gmallocn_checkoverflow(nPages, sizeof(Guint*)); if (!nObjects || !pageObjectNum || !xRefOffset || !pageLength || !pageOffset || !numSharedObject || !sharedObjectId) { error(-1, "Failed to allocate memory for hints tabel"); @@ -230,7 +230,7 @@ void Hints::readPageOffsetTable(Stream *str) numSharedObject[i] = 0; return; } - sharedObjectId[i] = (Guint *) gmallocn(numSharedObject[i], sizeof(Guint)); + sharedObjectId[i] = (Guint *) gmallocn_checkoverflow(numSharedObject[i], sizeof(Guint)); if (numSharedObject[i] && !sharedObjectId[i]) { error(-1, "Failed to allocate memory for shared object IDs"); numSharedObject[i] = 0; @@ -282,11 +282,11 @@ void Hints::readSharedObjectsTable(Stream *str) nSharedGroupsFirst = nSharedGroups; } - groupLength = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupHasSignature = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupNumObjects = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); - groupXRefOffset = (Guint *) gmallocn(nSharedGroups, sizeof(Guint)); + groupLength = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupHasSignature = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupNumObjects = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); + groupXRefOffset = (Guint *) gmallocn_checkoverflow(nSharedGroups, sizeof(Guint)); if (!groupLength || !groupOffset || !groupHasSignature || !groupNumObjects || !groupXRefOffset) { error(-1, "Failed to allocate memory for shared object groups"); _______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
