--- tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc.CAN-2004-0888 2004-01-22 02:26:45.000000000 +0100 +++ tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc 2005-02-08 09:53:47.921263552 +0100 @@ -64,6 +64,12 @@ Catalog::Catalog(XRef *xrefA) { } pagesSize = numPages0 = (int)obj.getNum(); obj.free(); + if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; + } pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); for (i = 0; i < pagesSize; ++i) { @@ -191,6 +197,11 @@ int Catalog::readPageTree(Dict *pagesDic } if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); for (j = pagesSize - 32; j < pagesSize; ++j) { --- tetex-src-3.0/libs/xpdf/xpdf/XRef.cc.CAN-2004-0888 2005-01-19 13:09:57.000000000 +0100 +++ tetex-src-3.0/libs/xpdf/xpdf/XRef.cc 2005-02-08 09:42:59.942771256 +0100 @@ -718,6 +718,10 @@ GBool XRef::constructXRef() { error(-1, "Bad object number"); return gFalse; } + if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { @@ -741,6 +745,10 @@ GBool XRef::constructXRef() { } else if (!strncmp(p, "endstream", 9)) { if (streamEndsLen == streamEndsSize) { streamEndsSize += 64; + if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) { + error(-1, "Invalid 'endstream' parameter."); + return gFalse; + } streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int)); }