summaryrefslogtreecommitdiffstats
path: root/kpdf/xpdf/splash/SplashBitmap.cc
diff options
context:
space:
mode:
authorDarrell Anderson <humanreadable@yahoo.com>2012-08-22 13:05:27 -0500
committerDarrell Anderson <humanreadable@yahoo.com>2012-08-22 13:05:27 -0500
commit561d1d6802dd50ddc9f441442cc2c351dd2759d6 (patch)
tree16397d32c394eda320ac37ec273701b2bd323591 /kpdf/xpdf/splash/SplashBitmap.cc
parentdebc30baa40bdc687b00414733a50c61f71572de (diff)
downloadtdegraphics-561d1d6802dd50ddc9f441442cc2c351dd2759d6.tar.gz
tdegraphics-561d1d6802dd50ddc9f441442cc2c351dd2759d6.zip
Fix a potential resize bug and apply xpdf 3.02pl4 and 3.02pl5 security patches.
This partially resolves bug report 1175.
Diffstat (limited to 'kpdf/xpdf/splash/SplashBitmap.cc')
-rw-r--r--kpdf/xpdf/splash/SplashBitmap.cc35
1 files changed, 27 insertions, 8 deletions
diff --git a/kpdf/xpdf/splash/SplashBitmap.cc b/kpdf/xpdf/splash/SplashBitmap.cc
index 0cb1a752..62bbd8e8 100644
--- a/kpdf/xpdf/splash/SplashBitmap.cc
+++ b/kpdf/xpdf/splash/SplashBitmap.cc
@@ -11,6 +11,7 @@
#endif
#include <stdio.h>
+#include <limits.h>
#include "gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
@@ -27,30 +28,48 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, int rowPad,
mode = modeA;
switch (mode) {
case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeRGB8:
case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#endif
}
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
- data = (SplashColorPtr)gmalloc(rowSize * height);
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
+ data = (SplashColorPtr)gmallocn(height, rowSize);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
}
if (alphaA) {
- alpha = (Guchar *)gmalloc(width * height);
+ alpha = (Guchar *)gmallocn(width, height);
} else {
alpha = NULL;
}