fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-05-05 07:38:22 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Avoid buffer overflow in ps/pdf surface

Browse source 
A few places weren't using _cairo_malloc_*; fixed.
This commit is contained in:
Vladimir Vukicevic 2008-02-06 13:52:33 -08:00 committed by Vladimir Vukicevic
parent bf1f7f70b6
commit a9b0e54d38
2 changed files with 18 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
src/cairo-pdf-surface.c
View file

@ -1249,9 +1249,16 @@ compress_dup (const void *data, unsigned long data_size,
unsigned long *compressed_size)
{
void *compressed;
unsigned long additional_size;
/* Bound calculation taken from zlib. */
*compressed_size = data_size + (data_size >> 12) + (data_size >> 14) + 11;
additional_size = (data_size >> 12) + (data_size >> 14) + 11;
if (INT32_MAX - data_size <= additional_size) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return NULL;
}
*compressed_size = data_size + additional_size;
compressed = malloc (*compressed_size);
if (compressed == NULL) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
@ -1295,11 +1302,14 @@ _cairo_pdf_surface_emit_smask (cairo_pdf_surface_t *surface,
stream_ret->id = 0;
if (image->format == CAIRO_FORMAT_A1)
alpha_size = (image->height * image->width + 7)/8;
else
if (image->format == CAIRO_FORMAT_A1) {
alpha_size = ((image->width+7) / 8) * image->height;
alpha = _cairo_malloc_ab ((image->width+7) / 8, image->height);
} else {
alpha_size = image->height * image->width;
alpha = malloc (alpha_size);
alpha = _cairo_malloc_ab (image->height, image->width);
}
if (alpha == NULL) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto CLEANUP;
@ -1420,7 +1430,7 @@ _cairo_pdf_surface_emit_image (cairo_pdf_surface_t *surface,
image->format == CAIRO_FORMAT_A1);
rgb_size = image->height * image->width * 3;
rgb = malloc (rgb_size);
rgb = _cairo_malloc_abc (image->width, image->height, 3);
if (rgb == NULL) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto CLEANUP;

4
src/cairo-ps-surface.c
View file

@ -2095,7 +2095,7 @@ _cairo_ps_surface_emit_image (cairo_ps_surface_t *surface,
}
rgb_size = 3 * image->width * image->height;
rgb = malloc (rgb_size);
rgb = _cairo_malloc_abc (image->width, image->height, 3);
if (rgb == NULL) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto bail1;
@ -2103,7 +2103,7 @@ _cairo_ps_surface_emit_image (cairo_ps_surface_t *surface,
if (use_mask) {
mask_size = ((image->width+7) / 8) * image->height;
mask = malloc (mask_size);
mask = _cairo_malloc_ab ((image->width+7) / 8, image->height);
if (mask == NULL) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto bail2;