+*** ./xpdf/XRef.cc.orig Thu Jul 22 11:04:22 2004
+--- ./xpdf/XRef.cc Thu Jul 22 11:04:31 2004
+***************
+*** 96,102 ****
+ }
+ nObjects = obj1.getInt();
+ obj1.free();
+! if (nObjects == 0) {
+ goto err1;
+ }
+
+--- 96,102 ----
+ }
+ nObjects = obj1.getInt();
+ obj1.free();
+! if (nObjects <= 0) {
+ goto err1;
+ }
+
+***************
+*** 106,111 ****
+--- 106,114 ----
+ }
+ first = obj1.getInt();
+ obj1.free();
++ if (first < 0) {
++ goto err1;
++ }
+
+ objs = new Object[nObjects];
+ objNums = (int *)gmalloc(nObjects * sizeof(int));
+***************
+*** 130,135 ****
+--- 133,144 ----
+ offsets[i] = obj2.getInt();
+ obj1.free();
+ obj2.free();
++ if (objNums[i] < 0 || offsets[i] < 0 ||
++ (i > 0 && offsets[i] < offsets[i-1])) {
++ delete parser;
++ gfree(offsets);
++ goto err1;
++ }
+ }
+ while (str->getChar() != EOF) ;
+ delete parser;
+***************
+*** 369,378 ****
+ }
+ n = obj.getInt();
+ obj.free();
+ if (first + n > size) {
+ for (newSize = size ? 2 * size : 1024;
+! first + n > newSize;
+ newSize <<= 1) ;
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+--- 378,393 ----
+ }
+ n = obj.getInt();
+ obj.free();
++ if (first < 0 || n < 0 || first + n < 0) {
++ goto err1;
++ }
+ if (first + n > size) {
+ for (newSize = size ? 2 * size : 1024;
+! first + n > newSize && newSize > 0;
+ newSize <<= 1) ;
++ if (newSize < 0) {
++ goto err1;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+***************
+*** 443,449 ****
+
+ // check for an 'XRefStm' key
+ if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+! pos2 = obj2.getInt();
+ readXRef(&pos2);
+ if (!ok) {
+ goto err1;
+--- 458,464 ----
+
+ // check for an 'XRefStm' key
+ if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+! pos2 = (Guint)obj2.getInt();
+ readXRef(&pos2);
+ if (!ok) {
+ goto err1;
+***************
+*** 474,479 ****
+--- 489,497 ----
+ }
+ newSize = obj.getInt();
+ obj.free();
++ if (newSize < 0) {
++ goto err1;
++ }
+ if (newSize > size) {
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+***************
+*** 494,499 ****
+--- 512,520 ----
+ }
+ w[i] = obj2.getInt();
+ obj2.free();
++ if (w[i] < 0 || w[i] > 4) {
++ goto err1;
++ }
+ }
+ obj.free();
+
+***************
+*** 513,525 ****
+ }
+ n = obj.getInt();
+ obj.free();
+! if (!readXRefStreamSection(xrefStr, w, first, n)) {
+ idx.free();
+ goto err0;
+ }
+ }
+ } else {
+! if (!readXRefStreamSection(xrefStr, w, 0, size)) {
+ idx.free();
+ goto err0;
+ }
+--- 534,547 ----
+ }
+ n = obj.getInt();
+ obj.free();
+! if (first < 0 || n < 0 ||
+! !readXRefStreamSection(xrefStr, w, first, n)) {
+ idx.free();
+ goto err0;
+ }
+ }
+ } else {
+! if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
+ idx.free();
+ goto err0;
+ }
+***************
+*** 551,560 ****
+ Guint offset;
+ int type, gen, c, newSize, i, j;
+
+ if (first + n > size) {
+ for (newSize = size ? 2 * size : 1024;
+! first + n > newSize;
+ newSize <<= 1) ;
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+--- 573,588 ----
+ Guint offset;
+ int type, gen, c, newSize, i, j;
+
++ if (first + n < 0) {
++ return gFalse;
++ }
+ if (first + n > size) {
+ for (newSize = size ? 2 * size : 1024;
+! first + n > newSize && newSize > 0;
+ newSize <<= 1) ;
++ if (newSize < 0) {
++ return gFalse;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+***************
+*** 585,608 ****
+ }
+ gen = (gen << 8) + c;
+ }
+! switch (type) {
+! case 0:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryFree;
+! break;
+! case 1:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryUncompressed;
+! break;
+! case 2:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryCompressed;
+! break;
+! default:
+! return gFalse;
+ }
+ }
+
+--- 613,638 ----
+ }
+ gen = (gen << 8) + c;
+ }
+! if (entries[i].offset == 0xffffffff) {
+! switch (type) {
+! case 0:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryFree;
+! break;
+! case 1:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryUncompressed;
+! break;
+! case 2:
+! entries[i].offset = offset;
+! entries[i].gen = gen;
+! entries[i].type = xrefEntryCompressed;
+! break;
+! default:
+! return gFalse;
+! }
+ }
+ }
+
+***************
+*** 664,701 ****
+ // look for object
+ } else if (isdigit(*p)) {
+ num = atoi(p);
+! do {
+! ++p;
+! } while (*p && isdigit(*p));
+! if (isspace(*p)) {
+ do {
+ ++p;
+! } while (*p && isspace(*p));
+! if (isdigit(*p)) {
+! gen = atoi(p);
+ do {
+ ++p;
+! } while (*p && isdigit(*p));
+! if (isspace(*p)) {
+ do {
+ ++p;
+! } while (*p && isspace(*p));
+! if (!strncmp(p, "obj", 3)) {
+! if (num >= size) {
+! newSize = (num + 1 + 255) & ~255;
+! entries = (XRefEntry *)
+! grealloc(entries, newSize * sizeof(XRefEntry));
+! for (i = size; i < newSize; ++i) {
+! entries[i].offset = 0xffffffff;
+! entries[i].type = xrefEntryFree;
+ }
+- size = newSize;
+- }
+- if (entries[num].type == xrefEntryFree ||
+- gen >= entries[num].gen) {
+- entries[num].offset = pos - start;
+- entries[num].gen = gen;
+- entries[num].type = xrefEntryUncompressed;
+ }
+ }
+ }
+--- 694,737 ----
+ // look for object
+ } else if (isdigit(*p)) {
+ num = atoi(p);
+! if (num > 0) {
+ do {
+ ++p;
+! } while (*p && isdigit(*p));
+! if (isspace(*p)) {
+ do {
+ ++p;
+! } while (*p && isspace(*p));
+! if (isdigit(*p)) {
+! gen = atoi(p);
+ do {
+ ++p;
+! } while (*p && isdigit(*p));
+! if (isspace(*p)) {
+! do {
+! ++p;
+! } while (*p && isspace(*p));
+! if (!strncmp(p, "obj", 3)) {
+! if (num >= size) {
+! newSize = (num + 1 + 255) & ~255;
+! if (newSize < 0) {
+! error(-1, "Bad object number");
+! return gFalse;
+! }
+! entries = (XRefEntry *)
+! grealloc(entries, newSize * sizeof(XRefEntry));
+! for (i = size; i < newSize; ++i) {
+! entries[i].offset = 0xffffffff;
+! entries[i].type = xrefEntryFree;
+! }
+! size = newSize;
+! }
+! if (entries[num].type == xrefEntryFree ||
+! gen >= entries[num].gen) {
+! entries[num].offset = pos - start;
+! entries[num].gen = gen;
+! entries[num].type = xrefEntryUncompressed;
+ }
+ }
+ }
+ }
+
+