diff -C 3 -r xpdf-3.00-orig/xpdf/Gfx.cc xpdf-3.00/xpdf/Gfx.cc *** xpdf-3.00-orig/xpdf/Gfx.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/Gfx.cc 2005-04-05 22:35:04.771063368 +0200 *************** *** 2654,2660 **** haveMask = gFalse; dict->lookup("Mask", &maskObj); if (maskObj.isArray()) { ! for (i = 0; i < maskObj.arrayGetLength(); ++i) { maskObj.arrayGet(i, &obj1); maskColors[i] = obj1.getInt(); obj1.free(); --- 2654,2662 ---- haveMask = gFalse; dict->lookup("Mask", &maskObj); if (maskObj.isArray()) { ! for (i = 0; ! i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps; ! ++i) { maskObj.arrayGet(i, &obj1); maskColors[i] = obj1.getInt(); obj1.free(); diff -C 3 -r xpdf-3.00-orig/xpdf/GfxState.cc xpdf-3.00/xpdf/GfxState.cc *** xpdf-3.00-orig/xpdf/GfxState.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/GfxState.cc 2005-04-05 22:35:04.772063216 +0200 *************** *** 708,713 **** --- 708,718 ---- } nCompsA = obj2.getInt(); obj2.free(); + if (nCompsA > gfxColorMaxComps) { + error(-1, "ICCBased color space with too many (%d > %d) components", + nCompsA, gfxColorMaxComps); + nCompsA = gfxColorMaxComps; + } if (dict->lookup("Alternate", &obj2)->isNull() || !(altA = GfxColorSpace::parse(&obj2))) { switch (nCompsA) { *************** *** 1054,1060 **** } nCompsA = obj1.arrayGetLength(); if (nCompsA > gfxColorMaxComps) { ! error(-1, "DeviceN color space with more than %d > %d components", nCompsA, gfxColorMaxComps); nCompsA = gfxColorMaxComps; } --- 1059,1065 ---- } nCompsA = obj1.arrayGetLength(); if (nCompsA > gfxColorMaxComps) { ! 
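Review bot: In the `Mask` loop of Gfx.cc the new bound `i < 2*gfxColorMaxComps` stops writes past `maskColors`, but an over-long array is now truncated silently, and each element is still read with `obj1.getInt()` without an `isInt()` check. The GfxState.cc hunks in this patch report their clamp through `error(-1, ...)`; doing the same here, e.g. `error(-1, "Mask array has too many entries");` when `maskObj.arrayGetLength() > 2*gfxColorMaxComps`, keeps malformed files visible in logs. The declaration of `maskColors` is outside the hunk, so it is worth confirming that the bound matches its actual size.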
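Review bot: The ICCBased clamp in GfxState.cc bounds `nCompsA` only from above, so a zero or negative component count from the document still passes. When the `Alternate` colour space parses successfully the `switch (nCompsA)` fallback is skipped, and the unchecked value continues into code outside this hunk. Consider testing both ends, `if (nCompsA < 1 || nCompsA > gfxColorMaxComps) {`, and deciding whether a count outside the range should fail the parse rather than be clamped, since a clamped value may no longer agree with the alternate space.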
error(-1, "DeviceN color space with too many (%d > %d) components", nCompsA, gfxColorMaxComps); nCompsA = gfxColorMaxComps; } diff -C 3 -r xpdf-3.00-orig/xpdf/pdfimages.cc xpdf-3.00/xpdf/pdfimages.cc *** xpdf-3.00-orig/xpdf/pdfimages.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/pdfimages.cc 2005-04-05 22:36:01.910376872 +0200 *************** *** 118,130 **** goto err1; } - // check for copy permission - if (!doc->okToCopy()) { - error(-1, "Copying of images from this document is not allowed."); - exitCode = 3; - goto err1; - } - // get page range if (firstPage < 1) firstPage = 1; --- 118,123 ---- diff -C 3 -r xpdf-3.00-orig/xpdf/pdftotext.cc xpdf-3.00/xpdf/pdftotext.cc *** xpdf-3.00-orig/xpdf/pdftotext.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/pdftotext.cc 2005-04-05 22:36:09.680195680 +0200 *************** *** 160,172 **** goto err2; } - // check for copy permission - if (!doc->okToCopy()) { - error(-1, "Copying of text from this document is not allowed."); - exitCode = 3; - goto err2; - } - // construct text file name if (argc == 3) { textFileName = new GString(argv[2]); --- 160,165 ---- diff -C 3 -r xpdf-3.00-orig/xpdf/XPDFCore.cc xpdf-3.00/xpdf/XPDFCore.cc *** xpdf-3.00-orig/xpdf/XPDFCore.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/XPDFCore.cc 2005-04-05 22:36:37.509964912 +0200 *************** *** 1651,1658 **** core->selectYMin != core->selectYMax) { if (core->doc->okToCopy()) { core->copySelection(); - } else { - error(-1, "Copying of text from this document is not allowed."); } } #endif --- 1651,1656 ---- diff -C 3 -r xpdf-3.00-orig/xpdf/XRef.cc xpdf-3.00/xpdf/XRef.cc *** xpdf-3.00-orig/xpdf/XRef.cc 2004-01-22 02:26:45.000000000 +0100 --- xpdf-3.00/xpdf/XRef.cc 2005-04-05 22:35:06.808753592 +0200 *************** *** 96,102 **** } nObjects = obj1.getInt(); obj1.free(); ! if (nObjects == 0) { goto err1; } --- 96,102 ---- } nObjects = obj1.getInt(); obj1.free(); ! 
if (nObjects <= 0) { goto err1; } *************** *** 106,111 **** --- 106,114 ---- } first = obj1.getInt(); obj1.free(); + if (first < 0) { + goto err1; + } objs = new Object[nObjects]; objNums = (int *)gmalloc(nObjects * sizeof(int)); *************** *** 130,135 **** --- 133,144 ---- offsets[i] = obj2.getInt(); obj1.free(); obj2.free(); + if (objNums[i] < 0 || offsets[i] < 0 || + (i > 0 && offsets[i] < offsets[i-1])) { + delete parser; + gfree(offsets); + goto err1; + } } while (str->getChar() != EOF) ; delete parser; *************** *** 369,378 **** } n = obj.getInt(); obj.free(); if (first + n > size) { for (newSize = size ? 2 * size : 1024; ! first + n > newSize; newSize <<= 1) ; entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; --- 378,393 ---- } n = obj.getInt(); obj.free(); + if (first < 0 || n < 0 || first + n < 0) { + goto err1; + } if (first + n > size) { for (newSize = size ? 2 * size : 1024; ! first + n > newSize && newSize > 0; newSize <<= 1) ; + if (newSize < 0) { + goto err1; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; *************** *** 443,449 **** // check for an 'XRefStm' key if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) { ! pos2 = obj2.getInt(); readXRef(&pos2); if (!ok) { goto err1; --- 458,464 ---- // check for an 'XRefStm' key if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) { ! 
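Review bot: After the new `first < 0` check, `gmalloc(nObjects * sizeof(int))` is still sized from a document-supplied count that is bounded only from below (`nObjects <= 0` in the previous hunk). Where `size_t` is 32 bits a large `nObjects` makes the product wrap, so the buffer can be smaller than the loop filling `objNums[i]` assumes. An upper bound ahead of the allocations, such as `if (nObjects > INT_MAX / (int)sizeof(int)) goto err1;`, closes that. The `offsets` allocation is not visible in this hunk but presumably needs the same bound.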
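Review bot: The test `first + n < 0` in the xref-table hunk runs after the signed addition has already overflowed, which is undefined behaviour in C++, so an optimising compiler may assume it cannot happen and drop the check. Test before adding instead: `if (first < 0 || n < 0 || first > INT_MAX - n) goto err1;`. The doubling loop has the same weakness: `newSize <<= 1` relies on wrapping to a negative value for the `newSize < 0` test, and even a positive `newSize` can make `newSize * sizeof(XRefEntry)` wrap where `size_t` is 32 bits, so the loop should stop at `INT_MAX / sizeof(XRefEntry)`. The same pattern recurs in the `readXRefStreamSection` hunk (`first + n < 0`, `newSize <<= 1`), in the hunk that adds `if (newSize < 0)` ahead of `if (newSize > size)`, and in the object-scan hunk (`(num + 1 + 255) & ~255`).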
pos2 = (Guint)obj2.getInt(); readXRef(&pos2); if (!ok) { goto err1; *************** *** 474,479 **** --- 489,497 ---- } newSize = obj.getInt(); obj.free(); + if (newSize < 0) { + goto err1; + } if (newSize > size) { entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { *************** *** 494,499 **** --- 512,520 ---- } w[i] = obj2.getInt(); obj2.free(); + if (w[i] < 0 || w[i] > 4) { + goto err1; + } } obj.free(); *************** *** 513,525 **** } n = obj.getInt(); obj.free(); ! if (!readXRefStreamSection(xrefStr, w, first, n)) { idx.free(); goto err0; } } } else { ! if (!readXRefStreamSection(xrefStr, w, 0, size)) { idx.free(); goto err0; } --- 534,547 ---- } n = obj.getInt(); obj.free(); ! if (first < 0 || n < 0 || ! !readXRefStreamSection(xrefStr, w, first, n)) { idx.free(); goto err0; } } } else { ! if (!readXRefStreamSection(xrefStr, w, 0, newSize)) { idx.free(); goto err0; } *************** *** 551,560 **** Guint offset; int type, gen, c, newSize, i, j; if (first + n > size) { for (newSize = size ? 2 * size : 1024; ! first + n > newSize; newSize <<= 1) ; entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; --- 573,588 ---- Guint offset; int type, gen, c, newSize, i, j; + if (first + n < 0) { + return gFalse; + } if (first + n > size) { for (newSize = size ? 2 * size : 1024; ! first + n > newSize && newSize > 0; newSize <<= 1) ; + if (newSize < 0) { + return gFalse; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; *************** *** 585,608 **** } gen = (gen << 8) + c; } ! switch (type) { ! case 0: ! entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryFree; ! break; ! case 1: ! entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryUncompressed; ! break; ! case 2: ! 
entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryCompressed; ! break; ! default: ! return gFalse; } } --- 613,638 ---- } gen = (gen << 8) + c; } ! if (entries[i].offset == 0xffffffff) { ! switch (type) { ! case 0: ! entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryFree; ! break; ! case 1: ! entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryUncompressed; ! break; ! case 2: ! entries[i].offset = offset; ! entries[i].gen = gen; ! entries[i].type = xrefEntryCompressed; ! break; ! default: ! return gFalse; ! } } } *************** *** 664,701 **** // look for object } else if (isdigit(*p)) { num = atoi(p); ! do { ! ++p; ! } while (*p && isdigit(*p)); ! if (isspace(*p)) { do { ++p; ! } while (*p && isspace(*p)); ! if (isdigit(*p)) { ! gen = atoi(p); do { ++p; ! } while (*p && isdigit(*p)); ! if (isspace(*p)) { do { ++p; ! } while (*p && isspace(*p)); ! if (!strncmp(p, "obj", 3)) { ! if (num >= size) { ! newSize = (num + 1 + 255) & ~255; ! entries = (XRefEntry *) ! grealloc(entries, newSize * sizeof(XRefEntry)); ! for (i = size; i < newSize; ++i) { ! entries[i].offset = 0xffffffff; ! entries[i].type = xrefEntryFree; } - size = newSize; - } - if (entries[num].type == xrefEntryFree || - gen >= entries[num].gen) { - entries[num].offset = pos - start; - entries[num].gen = gen; - entries[num].type = xrefEntryUncompressed; } } } --- 694,737 ---- // look for object } else if (isdigit(*p)) { num = atoi(p); ! if (num > 0) { do { ++p; ! } while (*p && isdigit(*p)); ! if (isspace(*p)) { do { ++p; ! } while (*p && isspace(*p)); ! if (isdigit(*p)) { ! gen = atoi(p); do { ++p; ! } while (*p && isdigit(*p)); ! if (isspace(*p)) { ! do { ! ++p; ! } while (*p && isspace(*p)); ! if (!strncmp(p, "obj", 3)) { ! if (num >= size) { ! newSize = (num + 1 + 255) & ~255; ! if (newSize < 0) { ! error(-1, "Bad object number"); ! return gFalse; ! } ! entries = (XRefEntry *) ! 
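Review bot: Moving `switch (type)` under `if (entries[i].offset == 0xffffffff)` means an unknown `type` no longer reaches `default: return gFalse` when the slot is already populated, so a malformed section is accepted as long as it targets existing entries. The guard also treats `0xffffffff` as "unset", yet `offset` is a `Guint` assembled from stream bytes and can hold that value itself, which leaves such an entry overwritable. Validating `type` before the guard and adding a comment such as `// keep an entry that was already set by a previously read xref section` would make the intent explicit. The enclosing loop and function body extend outside the hunk.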
grealloc(entries, newSize * sizeof(XRefEntry)); ! for (i = size; i < newSize; ++i) { ! entries[i].offset = 0xffffffff; ! entries[i].type = xrefEntryFree; ! } ! size = newSize; ! } ! if (entries[num].type == xrefEntryFree || ! gen >= entries[num].gen) { ! entries[num].offset = pos - start; ! entries[num].gen = gen; ! entries[num].type = xrefEntryUncompressed; } } } } *************** *** 757,762 **** --- 793,801 ---- } else { keyLength = 5; } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) {
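Review bot: `num = atoi(p)` and `gen = atoi(p)` in the object-scan hunk parse digit runs taken straight from the file, and `atoi` has undefined behaviour when the value does not fit in `int`, so the new `num > 0` test cannot be relied on for very long digit strings. Parsing with `strtol` and rejecting anything above `INT_MAX - 256` before computing `newSize` would bound `num` properly and remove the need for the after-the-fact `newSize < 0` test. If `p` is a plain `char *` (its declaration is outside the hunk), `isdigit(*p)` and `isspace(*p)` should also be passed `(unsigned char)*p`.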
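Review bot: The new clamp bounds `keyLength` only from above. The branch that assigns it before the `else` is outside the hunk, but if it derives from a document value, a zero or negative length would still pass. A matching lower bound, `if (keyLength < 1) keyLength = 1;`, or rejecting the encryption dictionary outright, keeps whatever consumes the key length within a sane range. A one-line comment saying where the limit of 16 comes from would also help the next reader.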