diff --git a/xpdf/xpdf/JPXStream.cc b/xpdf/xpdf/JPXStream.cc index b7a1f56b6..f8dda64c9 100644 --- a/xpdf/xpdf/JPXStream.cc +++ b/xpdf/xpdf/JPXStream.cc @@ -7,6 +7,7 @@ //======================================================================== #include +#include #ifdef USE_GCC_PRAGMAS #pragma implementation @@ -820,7 +821,7 @@ GBool JPXStream::readCodestream(Guint /*len*/) { / img.yTileSize; nTiles = img.nXTiles * img.nYTiles; // check for overflow before allocating memory - if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { + if (img.nXTiles <= 0 || img.nYTiles <= 0 || img.nXTiles >= INT_MAX / img.nYTiles) { error(getPos(), "Bad tile count in JPX SIZ marker segment"); return gFalse; } diff --git a/xpdf/xpdf/Stream.cc b/xpdf/xpdf/Stream.cc index ef3a27725..931354978 100644 --- a/xpdf/xpdf/Stream.cc +++ b/xpdf/xpdf/Stream.cc @@ -15,6 +15,7 @@ #include #include #include +#include #ifndef WIN32 #include #endif @@ -403,8 +404,6 @@ void ImageStream::skipLine() { StreamPredictor::StreamPredictor(Stream *strA, int predictorA, int widthA, int nCompsA, int nBitsA) { - int totalBits; - str = strA; predictor = predictorA; width = widthA; @@ -413,18 +412,19 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, predLine = NULL; ok = gFalse; + if (width <= 0 || nComps <= 0 || nBits <= 0 || + nComps >= INT_MAX / nBits || + width >= INT_MAX / nComps / nBits) + return; + nVals = width * nComps; - totalBits = nVals * nBits; - if (totalBits == 0 || - (totalBits / nBits) / nComps != width || - totalBits + 7 < 0) { + if (nVals + 7 <= 0) return; - } pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((totalBits + 7) >> 3) + pixBytes; - if (rowBytes < 0) { + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; + if (rowBytes < 0) return; - } + predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); predIdx = rowBytes;