Fix for a number of integer overflow bugs discovered by Chris Evans.

[evince.git] / pdf / xpdf / Function.cc

diff --git a/pdf/xpdf/Function.cc b/pdf/xpdf/Function.cc
index 28eed87a5e3862ea21785428adaf07756fceaa59..d9d4a934ed04ecb79de01fc6466afa49601da741 100644 (file)
--- a/pdf/xpdf/Function.cc
+++ b/pdf/xpdf/Function.cc
@@ -381,8 +381,8 @@ void SampledFunction::transform(double *in, double *out) {
 
     // pull 2^m values out of the sample array
     for (j = 0; j < (1<<m); ++j) {
-      idx = e[j & 1][m - 1];
-      for (k = m - 2; k >= 0; --k) {
+      idx = 0;
+      for (k = m - 1; k >= 0; --k) {
        idx = idx * sampleSize[k] + e[(j >> k) & 1][k];
       }
       idx = idx * n + i;
@@ -617,9 +617,13 @@ StitchingFunction::StitchingFunction(Object *funcObj, Dict *dict) {
 }
 
 StitchingFunction::StitchingFunction(StitchingFunction *func) {
+  int i;
+
   k = func->k;
   funcs = (Function **)gmalloc(k * sizeof(Function *));
-  memcpy(funcs, func->funcs, k * sizeof(Function *));
+  for (i = 0; i < k; ++i) {
+    funcs[i] = func->funcs[i]->copy();
+  }
   bounds = (double *)gmalloc((k + 1) * sizeof(double));
   memcpy(bounds, func->bounds, (k + 1) * sizeof(double));
   encode = (double *)gmalloc(2 * k * sizeof(double));
@@ -630,9 +634,11 @@ StitchingFunction::StitchingFunction(StitchingFunction *func) {
 StitchingFunction::~StitchingFunction() {
   int i;
 
-  for (i = 0; i < k; ++i) {
-    if (funcs[i]) {
-      delete funcs[i];
+  if (funcs) {
+    for (i = 0; i < k; ++i) {
+      if (funcs[i]) {
+       delete funcs[i];
+      }
     }
   }
   gfree(funcs);
@@ -1246,7 +1252,7 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        } else {
          b2 = stack->popBool();
          b1 = stack->popBool();
-         stack->pushReal(b1 && b2);
+         stack->pushBool(b1 && b2);
        }
        break;
       case psOpAtan:
@@ -1313,8 +1319,8 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        stack->roll(2, 1);
        break;
       case psOpExp:
-       r2 = stack->popInt();
-       r1 = stack->popInt();
+       r2 = stack->popNum();
+       r1 = stack->popNum();
        stack->pushReal(pow(r1, r2));
        break;
       case psOpFalse:
@@ -1426,7 +1432,7 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        if (stack->topIsInt()) {
          stack->pushInt(~stack->popInt());
        } else {
-         stack->pushReal(!stack->popBool());
+         stack->pushBool(!stack->popBool());
        }
        break;
       case psOpOr:
@@ -1437,7 +1443,7 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        } else {
          b2 = stack->popBool();
          b1 = stack->popBool();
-         stack->pushReal(b1 || b2);
+         stack->pushBool(b1 || b2);
        }
        break;
       case psOpPop:
@@ -1455,7 +1461,7 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        }
        break;
       case psOpSin:
-       stack->pushReal(cos(stack->popNum()));
+       stack->pushReal(sin(stack->popNum()));
        break;
       case psOpSqrt:
        stack->pushReal(sqrt(stack->popNum()));
@@ -1488,7 +1494,7 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
        } else {
          b2 = stack->popBool();
          b1 = stack->popBool();
-         stack->pushReal(b1 ^ b2);
+         stack->pushBool(b1 ^ b2);
        }
        break;
       case psOpIf: