X-Git-Url: https://www.fi.muni.cz/~kas/git//home/kas/public_html/git/?a=blobdiff_plain;ds=inline;f=pdf%2Fxpdf%2FCatalog.cc;h=8762cd4cb4d1a908436382fbadfc4d26b5805620;hb=8e5042edbe098c8a8b760a36a8bc35dfca4e6041;hp=efea82862e43ebbd92f91229cc16986d9fc1d7ef;hpb=64676031423465996e83c4a685290f0c3d97a249;p=evince.git

diff --git a/pdf/xpdf/Catalog.cc b/pdf/xpdf/Catalog.cc
index efea8286..8762cd4c 100644
--- a/pdf/xpdf/Catalog.cc
+++ b/pdf/xpdf/Catalog.cc
@@ -2,7 +2,7 @@
 //
 // Catalog.cc
 //
-// Copyright 1996-2002 Glyph & Cog, LLC
+// Copyright 1996-2003 Glyph & Cog, LLC
 //
 //========================================================================
 
@@ -56,13 +56,23 @@ Catalog::Catalog(XRef *xrefA) {
     goto err2;
   }
   pagesDict.dictLookup("Count", &obj);
-  if (!obj.isInt()) {
+  // some PDF files actually use real numbers here ("/Count 9.0")
+  if (!obj.isNum()) {
     error(-1, "Page count in top-level pages object is wrong type (%s)",
 	  obj.getTypeName());
     goto err3;
   }
-  pagesSize = numPages0 = obj.getInt();
+  pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
+  // The gcc doesnt optimize this away, so this check is ok,
+  // even if it looks like a pagesSize != pagesSize check
+  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
+
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -190,6 +200,11 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {
@@ -307,8 +322,8 @@ Object *Catalog::findDestInTree(Object *tree, GString *name, Object *obj) {
 	} else if (cmp < 0) {
 	  done = gTrue;
 	}
-	name1.free();
       }
+      name1.free();
     }
     names.free();
     if (!found)