Index: poppler-0.10.1/goo/gmem.cc =================================================================== --- poppler-0.10.1.orig/goo/gmem.cc +++ poppler-0.10.1/goo/gmem.cc @@ -170,14 +170,335 @@ void *grealloc(void *p, size_t size) GME #endif } -void *gmallocn(int nObjs, int objSize) GMEM_EXCEP { - int n; +SafeInt::SafeInt(const long long int cA) +{ + if (cA < -INT_MAX || INT_MAX < cA) + integer_overflow("SafeInt::SafeInt(long long): "); + c = cA; +} - if (nObjs == 0) { +SafeInt::SafeInt() +{ } + +SafeInt::SafeInt(const SafeInt& copy): c(copy.c) +{ } + +SafeInt SafeInt::create(const long long int cA) +{ + return SafeInt(cA); +} + +int SafeInt::Int(void) const +{ + return c; +} + +void SafeInt::integer_overflow(const char * prefix) +{ + fprintf(stderr, "error: %sinteger overflow", prefix); + exit (1); +} + +void SafeInt::division_by_zero(const char * prefix) +{ + fprintf(stderr, "error: %sdivide by zero", prefix); + exit(1); +} + +void SafeInt::shift_is_negative(const char * prefix) +{ + fprintf(stderr, "warning: %sbitwise shift amount is negative", prefix); +} + +SafeInt& SafeInt::operator=(const int& cA) +{ + *this = SafeInt(cA); + return *this; +} + +bool SafeInt::operator==(const SafeInt& right) const +{ + return c == right.c; +} + +bool SafeInt::operator!=(const SafeInt& right) const +{ + return c != right.c; +} + +bool SafeInt::operator<(const SafeInt& right) const +{ + return c < right.c; +} + +bool SafeInt::operator<=(const SafeInt& right) const +{ + return c <= right.c; +} + +bool SafeInt::operator>(const SafeInt& right) const +{ + return c > right.c; +} + +bool SafeInt::operator>=(const SafeInt& right) const +{ + return c >= right.c; +} + +bool SafeInt::operator==(const int& right) const +{ + return c == right; +} + +bool SafeInt::operator!=(const int& right) const +{ + return c != right; +} + +bool SafeInt::operator<(const int& right) const +{ + return c < right; +} + +bool SafeInt::operator<=(const int& right) const +{ + return c <= right; +} + +bool SafeInt::operator>(const int& right) const +{ + return c > right; +} + +bool SafeInt::operator>=(const int& right) const +{ + return c >= right; +} + +bool operator==(const int& left, const SafeInt& right) +{ + return left == right.c; +} + +bool operator!=(const int& left, const SafeInt& right) +{ + return left != right.c; +} + +bool operator<(const int& left, const SafeInt& right) +{ + return left < right.c; +} + +bool operator<=(const int& left, const SafeInt& right) +{ + return left <= right.c; +} + +bool operator>(const int& left, const SafeInt& right) +{ + return left > right.c; +} + +bool operator>=(const int& left, const SafeInt& right) +{ + return left >= right.c; +} + +SafeInt SafeInt::operator+() const +{ + return SafeInt(*this); +} + +SafeInt SafeInt::operator+(const SafeInt& right) const +{ + if (c*right.c > 0 && + ((c > 0 && c > INT_MAX - right.c) || + (c < 0 && c < -INT_MAX - right.c))) + integer_overflow("SafeInt::operator+(): "); + return SafeInt(c + right.c); +} + +SafeInt SafeInt::operator-() const +{ + return SafeInt(-c); +} + +SafeInt SafeInt::operator-(const SafeInt& right) const +{ + return *this + (-right); +} + +SafeInt SafeInt::operator*(const SafeInt& right) const +{ + if (right.c != 0 && c*right.c/right.c != c) + integer_overflow("SafeInt::operator*(): "); + return SafeInt(c * right.c); +} + +SafeInt SafeInt::operator/(const SafeInt& right) const +{ + return SafeInt(c / right.c); +} + +SafeInt SafeInt::operator%(const SafeInt& right) const +{ + return SafeInt(c % right.c); +} + +SafeInt SafeInt::operator/(const int& right) const +{ + if (right == 0) + division_by_zero("SafeInt::operator/(): "); + return SafeInt(c / right); +} + +SafeInt SafeInt::operator%(const int& right) const +{ + return SafeInt(c % right); +} + +SafeInt& SafeInt::operator+=(const SafeInt& right) +{ + *this = *this + right; + return *this; +} + +SafeInt& SafeInt::operator-=(const SafeInt& right) +{ + *this = *this - right; + return *this; +} + +SafeInt& SafeInt::operator*=(const SafeInt& right) +{ + *this = *this * right; + return *this; +} + +SafeInt& SafeInt::operator/=(const SafeInt& right) +{ + *this = *this / right; + return *this; +} + +SafeInt& SafeInt::operator%=(const SafeInt& right) +{ + *this = *this % right; + return *this; +} + +SafeInt& SafeInt::operator/=(const int& right) +{ + *this = *this / right; + return *this; +} + +SafeInt& SafeInt::operator%=(const int& right) +{ + *this = *this % right; + return *this; +} + +SafeInt& SafeInt::operator++() +{ + *this += one; + return *this; +} + +SafeInt SafeInt::operator++(int) +{ + SafeInt res(*this); + *this += one; + return res; +} + +SafeInt& SafeInt::operator--() +{ + *this -= one; + return *this; +} + +SafeInt SafeInt::operator--(int) +{ + SafeInt res(*this); + *this -= one; + return res; +} + +SafeInt operator+(const int& left, const SafeInt& right) +{ + return SafeInt(left) + right; +} + +SafeInt operator-(const int& left, const SafeInt& right) +{ + return SafeInt(left) - right; +} + +SafeInt operator*(const int& left, const SafeInt& right) +{ + return SafeInt(left) * right; +} + +SafeInt operator/(const int& left, const SafeInt& right) +{ + return SafeInt(left) / right; +} + +SafeInt operator%(const int& left, const SafeInt& right) +{ + return SafeInt(left) % right; +} + +SafeInt SafeInt::operator<<(const int offset) +{ + if (offset < 0) + { + shift_is_negative("SafeInt::operator<<(): "); + return *this >> -offset; + } + + if ((c & (-1 << (sizeof(c)*8 - offset))) != 0) + integer_overflow("SafeInt::operator<<(): "); + return SafeInt(c << offset); +} + +SafeInt SafeInt::operator>>(const int offset) +{ + if (offset < 0) + { + shift_is_negative("SafeInt::operator>>(): "); + return *this << -offset; + } + + return SafeInt(c >> offset); +} + +SafeInt& SafeInt::operator<<=(const int offset) +{ + *this = *this << offset; + return *this; +} + +SafeInt& SafeInt::operator>>=(const int offset) +{ + *this = *this >> offset; + return *this; +} + +const SafeInt SafeInt::zero = SafeInt(0); +const SafeInt SafeInt::one = SafeInt(1); + +void *gmallocn(SafeInt nObjs, SafeInt objSize) GMEM_EXCEP { + SafeInt n; + + if (nObjs == SafeInt::create(0)) { return NULL; } n = nObjs * objSize; - if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + if (objSize <= SafeInt::create(0) || nObjs < SafeInt::create(0)) { #if USE_EXCEPTIONS throw GMemException(); #else @@ -185,17 +506,17 @@ void *gmallocn(int nObjs, int objSize) G exit(1); #endif } - return gmalloc(n); + return gmalloc(n.Int()); } -void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP { - int n; +void *gmallocn_checkoverflow(SafeInt nObjs, SafeInt objSize) GMEM_EXCEP { + SafeInt n; if (nObjs == 0) { return NULL; } n = nObjs * objSize; - if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + if (objSize <= SafeInt::create(0) || nObjs < SafeInt::create(0)) { #if USE_EXCEPTIONS throw GMemException(); #else @@ -203,7 +524,7 @@ void *gmallocn_checkoverflow(int nObjs, return NULL; #endif } - return gmalloc(n); + return gmalloc(n.Int()); } inline static void *gmallocn3(int a, int b, int c, bool checkoverflow) GMEM_EXCEP { @@ -229,17 +550,17 @@ void *gmallocn3_checkoverflow(int a, int return gmallocn3(a, b, c, true); } -void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP { - int n; +void *greallocn(void *p, SafeInt nObjs, SafeInt objSize) GMEM_EXCEP { + SafeInt n; - if (nObjs == 0) { + if (nObjs == SafeInt::create(0)) { if (p) { gfree(p); } return NULL; } n = nObjs * objSize; - if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + if (objSize <= SafeInt::create(0) || nObjs < SafeInt::create(0)) { #if USE_EXCEPTIONS throw GMemException(); #else @@ -247,20 +568,20 @@ void *greallocn(void *p, int nObjs, int exit(1); #endif } - return grealloc(p, n); + return grealloc(p, n.Int()); } -void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP { - int n; +void *greallocn_checkoverflow(void *p, SafeInt nObjs, SafeInt objSize) GMEM_EXCEP { + SafeInt n; - if (nObjs == 0) { + if (nObjs == SafeInt::create(0)) { if (p) { gfree(p); } return NULL; } n = nObjs * objSize; - if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + if (objSize <= SafeInt::create(0) || nObjs < SafeInt::create(0)) { #if USE_EXCEPTIONS throw GMemException(); #else @@ -268,7 +589,7 @@ void *greallocn_checkoverflow(void *p, i return NULL; #endif } - return grealloc(p, n); + return grealloc(p, n.Int()); } void gfree(void *p) { Index: poppler-0.10.1/goo/gmem.h =================================================================== --- poppler-0.10.1.orig/goo/gmem.h +++ poppler-0.10.1/goo/gmem.h @@ -44,6 +44,98 @@ public: #endif // USE_EXCEPTIONS +class SafeInt +{ + int c; + +public: + SafeInt(); + SafeInt(const SafeInt& copy); + SafeInt(const long long int cA); + static SafeInt create(const long long int cA); + int Int(void) const; + + const static SafeInt zero; + const static SafeInt one; + + static void integer_overflow(const char * prefix = NULL); + static void division_by_zero(const char * prefix = NULL); + static void shift_is_negative(const char * prefix = NULL); + + SafeInt& operator=(const int& cA); + + bool operator==(const SafeInt& right) const; + bool operator!=(const SafeInt& right) const; + bool operator<(const SafeInt& right) const; + bool operator<=(const SafeInt& right) const; + bool operator >(const SafeInt& right) const; + bool operator >=(const SafeInt& right) const; + + bool operator==(const int& right) const; + bool operator!=(const int& right) const; + bool operator<(const int& right) const; + bool operator<=(const int& right) const; + bool operator >(const int& right) const; + bool operator >=(const int& right) const; + + friend bool operator ==(const int &left, const SafeInt& right); + friend bool operator !=(const int &left, const SafeInt& right); + friend bool operator <(const int &left, const SafeInt& right); + friend bool operator <=(const int &left, const SafeInt& right); + friend bool operator >(const int &left, const SafeInt& right); + friend bool operator >=(const int &left, const SafeInt& right); + + SafeInt operator+() const; + SafeInt operator+(const SafeInt& right) const; + SafeInt operator-() const; + SafeInt operator-(const SafeInt& right) const; + SafeInt operator*(const SafeInt& right) const; + SafeInt operator/(const SafeInt& right) const; + SafeInt operator%(const SafeInt& right) const; + + SafeInt operator/(const int& right) const; + SafeInt operator%(const int& right) const; + + SafeInt& operator+=(const SafeInt& right); + SafeInt& operator-=(const SafeInt& right); + SafeInt& operator*=(const SafeInt& right); + SafeInt& operator/=(const SafeInt& right); + SafeInt& operator%=(const SafeInt& right); + + SafeInt& operator/=(const int& right); + SafeInt& operator%=(const int& right); + + friend SafeInt operator+(const int& left, const SafeInt& right); + friend SafeInt operator-(const int& left, const SafeInt& right); + friend SafeInt operator*(const int& left, const SafeInt& right); + friend SafeInt operator/(const int& left, const SafeInt& right); + friend SafeInt operator%(const int& left, const SafeInt& right); + + SafeInt& operator++(); + SafeInt operator++(int); + SafeInt& operator--(); + SafeInt operator--(int); + + SafeInt operator<<(const int offset); + SafeInt operator>>(const int offset); + + SafeInt& operator<<=(const int offset); + SafeInt& operator>>=(const int offset); +}; + +bool operator==(const int& left, const SafeInt& right); +bool operator!=(const int& left, const SafeInt& right); +bool operator<(const int& left, const SafeInt& right); +bool operator<=(const int& left, const SafeInt& right); +bool operator>(const int& left, const SafeInt& right); +bool operator>=(const int& left, const SafeInt& right); + +SafeInt operator+(const int& left, const SafeInt& right); +SafeInt operator-(const int& left, const SafeInt& right); +SafeInt operator*(const int& left, const SafeInt& right); +SafeInt operator/(const int& left, const SafeInt& right); +SafeInt operator%(const int& left, const SafeInt& right); + #ifdef __cplusplus extern "C" { #endif @@ -68,12 +160,12 @@ extern void *grealloc(void *p, size_t si * The gmallocn_checkoverflow variant returns NULL instead of exiting * the application if a overflow is detected */ -extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP; -extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP; +extern void *gmallocn(SafeInt nObjs, SafeInt objSize) GMEM_EXCEP; +extern void *gmallocn_checkoverflow(SafeInt nObjs, SafeInt objSize) GMEM_EXCEP; extern void *gmallocn3(int a, int b, int c) GMEM_EXCEP; extern void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP; -extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP; -extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP; +extern void *greallocn(void *p, SafeInt nObjs, SafeInt objSize) GMEM_EXCEP; +extern void *greallocn_checkoverflow(void *p, SafeInt nObjs, SafeInt objSize) GMEM_EXCEP; /* * Same as free, but checks for and ignores NULL pointers. Index: poppler-0.10.1/fofi/FoFiTrueType.cc =================================================================== --- poppler-0.10.1.orig/fofi/FoFiTrueType.cc +++ poppler-0.10.1/fofi/FoFiTrueType.cc @@ -444,7 +444,7 @@ int FoFiTrueType::mapNameToGID(char *nam return nameToGID->lookupInt(name); } -Gushort *FoFiTrueType::getCIDToGIDMap(int *nCIDs) { +Gushort *FoFiTrueType::getCIDToGIDMap(SafeInt *nCIDs) { FoFiType1C *ff; Gushort *map; int i; @@ -552,7 +552,7 @@ void FoFiTrueType::convertToType1(char * } void FoFiTrueType::convertToCIDType2(char *psName, - Gushort *cidMap, int nCIDs, + Gushort *cidMap, SafeInt nCIDs, GBool needVerticalMetrics, FoFiOutputFunc outputFunc, void *outputStream) { @@ -586,7 +586,7 @@ void FoFiTrueType::convertToCIDType2(cha (*outputFunc)(outputStream, " end def\n", 10); (*outputFunc)(outputStream, "/GDBytes 2 def\n", 15); if (cidMap) { - buf = GooString::format("/CIDCount {0:d} def\n", nCIDs); + buf = GooString::format("/CIDCount {0:d} def\n", nCIDs.Int()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; if (nCIDs > 32767) { @@ -625,13 +625,13 @@ void FoFiTrueType::convertToCIDType2(cha } } else { // direct mapping - just fill the string(s) with s[i]=i - buf = GooString::format("/CIDCount {0:d} def\n", nGlyphs); + buf = GooString::format("/CIDCount {0:d} def\n", nGlyphs.Int()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; if (nGlyphs > 32767) { (*outputFunc)(outputStream, "/CIDMap [\n", 10); for (i = 0; i < nGlyphs; i += 32767) { - j = nGlyphs - i < 32767 ? nGlyphs - i : 32767; + j = nGlyphs.Int() - i < 32767 ? nGlyphs.Int() - i : 32767; buf = GooString::format(" {0:d} string 0 1 {1:d} {{\n", 2 * j, j - 1); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; @@ -647,10 +647,10 @@ void FoFiTrueType::convertToCIDType2(cha } (*outputFunc)(outputStream, "] def\n", 6); } else { - buf = GooString::format("/CIDMap {0:d} string\n", 2 * nGlyphs); + buf = GooString::format("/CIDMap {0:d} string\n", 2 * nGlyphs.Int()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; - buf = GooString::format(" 0 1 {0:d} {{\n", nGlyphs - 1); + buf = GooString::format(" 0 1 {0:d} {{\n", nGlyphs.Int() - 1); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; (*outputFunc)(outputStream, @@ -702,7 +702,7 @@ void FoFiTrueType::convertToCIDType0(cha delete ff; } -void FoFiTrueType::convertToType0(char *psName, Gushort *cidMap, int nCIDs, +void FoFiTrueType::convertToType0(char *psName, Gushort *cidMap, SafeInt nCIDs, GBool needVerticalMetrics, FoFiOutputFunc outputFunc, void *outputStream) { @@ -720,7 +720,7 @@ void FoFiTrueType::convertToType0(char * delete sfntsName; // write the descendant Type 42 fonts - n = cidMap ? nCIDs : nGlyphs; + n = cidMap ? nCIDs.Int() : nGlyphs.Int(); for (i = 0; i < n; i += 256) { (*outputFunc)(outputStream, "10 dict begin\n", 14); (*outputFunc)(outputStream, "/FontName /", 11); @@ -884,12 +884,13 @@ void FoFiTrueType::writeTTF(FoFiOutputFu }; GBool missingCmap, missingName, missingPost, missingOS2; GBool unsortedLoca, badCmapLen, abbrevHMTX; - int nZeroLengthTables; + SafeInt nZeroLengthTables; int nHMetrics, advWidth, lsb; TrueTypeLoca *locaTable; TrueTypeTable *newTables; char *newNameTab, *newCmapTab, *newHHEATab, *newHMTXTab; - int nNewTables, cmapIdx, cmapLen, glyfLen, newNameLen, newCmapLen, next; + SafeInt nNewTables; + int cmapIdx, cmapLen, glyfLen, newNameLen, newCmapLen, next; int newHHEALen, newHMTXLen; Guint locaChecksum, glyfChecksum, fileChecksum; char *tableDir; @@ -918,7 +919,7 @@ void FoFiTrueType::writeTTF(FoFiOutputFu missingOS2 = seekTable("OS/2") < 0; // read the loca table, check to see if it's sorted - locaTable = (TrueTypeLoca *)gmallocn(nGlyphs + 1, sizeof(TrueTypeLoca)); + locaTable = (TrueTypeLoca *)gmallocn(nGlyphs + SafeInt(1), sizeof(TrueTypeLoca)); unsortedLoca = gFalse; i = seekTable("loca"); pos = tables[i].offset; @@ -997,13 +998,13 @@ void FoFiTrueType::writeTTF(FoFiOutputFu // the same pos value remain in the same order) glyfLen = 0; // make gcc happy if (unsortedLoca) { - qsort(locaTable, nGlyphs + 1, sizeof(TrueTypeLoca), + qsort(locaTable, nGlyphs.Int() + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaOffset); for (i = 0; i < nGlyphs; ++i) { locaTable[i].len = locaTable[i+1].origOffset - locaTable[i].origOffset; } - locaTable[nGlyphs].len = 0; - qsort(locaTable, nGlyphs + 1, sizeof(TrueTypeLoca), + locaTable[nGlyphs.Int()].len = 0; + qsort(locaTable, nGlyphs.Int() + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaIdx); pos = 0; for (i = 0; i <= nGlyphs; ++i) { @@ -1046,7 +1047,7 @@ void FoFiTrueType::writeTTF(FoFiOutputFu // construct the new name table if (name) { n = strlen(name); - newNameLen = (6 + 4*12 + 2 * (3*n + 7) + 3) & ~3; + newNameLen = (6 + 4*12 + 2 * (3*SafeInt(n) + 7) + 3).Int() & ~3; newNameTab = (char *)gmalloc(newNameLen); memset(newNameTab, 0, newNameLen); newNameTab[0] = 0; // format selector @@ -1151,11 +1152,11 @@ void FoFiTrueType::writeTTF(FoFiOutputFu for (i = 0; i < newHHEALen; ++i) { newHHEATab[i] = getU8(pos++, &ok); } - newHHEATab[34] = nGlyphs >> 8; - newHHEATab[35] = nGlyphs & 0xff; + newHHEATab[34] = nGlyphs.Int() >> 8; + newHHEATab[35] = nGlyphs.Int() & 0xff; i = seekTable("hmtx"); pos = tables[i].offset; - newHMTXLen = 4 * nGlyphs; + newHMTXLen = (4 * nGlyphs).Int(); newHMTXTab = (char *)gmalloc(newHMTXLen); advWidth = 0; for (i = 0; i < nHMetrics; ++i) { @@ -1211,7 +1212,7 @@ void FoFiTrueType::writeTTF(FoFiOutputFu } else if (newTables[j].tag == cmapTag && badCmapLen) { newTables[j].len = cmapLen; } else if (newTables[j].tag == locaTag && unsortedLoca) { - newTables[j].len = (nGlyphs + 1) * (locaFmt ? 4 : 2); + newTables[j].len = (nGlyphs.Int() + 1) * (locaFmt ? 4 : 2); newTables[j].checksum = locaChecksum; } else if (newTables[j].tag == glyfTag && unsortedLoca) { newTables[j].len = glyfLen; @@ -1272,9 +1273,9 @@ void FoFiTrueType::writeTTF(FoFiOutputFu newTables[j].len = sizeof(os2Tab); ++j; } - qsort(newTables, nNewTables, sizeof(TrueTypeTable), + qsort(newTables, nNewTables.Int(), sizeof(TrueTypeTable), &cmpTrueTypeTableTag); - pos = 12 + nNewTables * 16; + pos = 12 + nNewTables.Int() * 16; for (i = 0; i < nNewTables; ++i) { newTables[i].offset = pos; pos += newTables[i].len; @@ -1284,20 +1285,20 @@ void FoFiTrueType::writeTTF(FoFiOutputFu } // write the table directory - tableDir = (char *)gmalloc(12 + nNewTables * 16); + tableDir = (char *)gmalloc((SafeInt(12) + nNewTables * SafeInt(16)).Int()); tableDir[0] = 0x00; // sfnt version tableDir[1] = 0x01; tableDir[2] = 0x00; tableDir[3] = 0x00; - tableDir[4] = (char)((nNewTables >> 8) & 0xff); // numTables - tableDir[5] = (char)(nNewTables & 0xff); - for (i = -1, t = (Guint)nNewTables; t; ++i, t >>= 1) ; + tableDir[4] = (char)((nNewTables.Int() >> 8) & 0xff); // numTables + tableDir[5] = (char)(nNewTables.Int() & 0xff); + for (i = -1, t = (Guint)nNewTables.Int(); t; ++i, t >>= 1) ; t = 1 << (4 + i); tableDir[6] = (char)((t >> 8) & 0xff); // searchRange tableDir[7] = (char)(t & 0xff); tableDir[8] = (char)((i >> 8) & 0xff); // entrySelector tableDir[9] = (char)(i & 0xff); - t = nNewTables * 16 - t; + t = nNewTables.Int() * 16 - t; tableDir[10] = (char)((t >> 8) & 0xff); // rangeShift tableDir[11] = (char)(t & 0xff); pos = 12; @@ -1320,11 +1321,11 @@ void FoFiTrueType::writeTTF(FoFiOutputFu tableDir[pos+15] = (char) newTables[i].len; pos += 16; } - (*outputFunc)(outputStream, tableDir, 12 + nNewTables * 16); + (*outputFunc)(outputStream, tableDir, 12 + nNewTables.Int() * 16); // compute the file checksum fileChecksum = computeTableChecksum((Guchar *)tableDir, - 12 + nNewTables * 16); + 12 + nNewTables.Int() * 16); for (i = 0; i < nNewTables; ++i) { fileChecksum += newTables[i].checksum; } @@ -1512,7 +1513,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu Guchar tableDir[12 + nT42Tables*16]; GBool ok; Guint checksum; - int nNewTables; + SafeInt nNewTables; int length, pos, glyfPos, i, j, k; Guchar vheaTab[36] = { 0, 1, 0, 0, // table version number @@ -1553,7 +1554,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu // table, cmpTrueTypeLocaPos uses offset as its primary sort key, // and idx as its secondary key (ensuring that adjacent entries with // the same pos value remain in the same order) - locaTable = (TrueTypeLoca *)gmallocn(nGlyphs + 1, sizeof(TrueTypeLoca)); + locaTable = (TrueTypeLoca *)gmallocn(nGlyphs + SafeInt(1), sizeof(TrueTypeLoca)); i = seekTable("loca"); pos = tables[i].offset; ok = gTrue; @@ -1565,13 +1566,13 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu locaTable[i].origOffset = 2 * getU16BE(pos + i*2, &ok); } } - qsort(locaTable, nGlyphs + 1, sizeof(TrueTypeLoca), + qsort(locaTable, nGlyphs.Int() + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaOffset); for (i = 0; i < nGlyphs; ++i) { locaTable[i].len = locaTable[i+1].origOffset - locaTable[i].origOffset; } - locaTable[nGlyphs].len = 0; - qsort(locaTable, nGlyphs + 1, sizeof(TrueTypeLoca), + locaTable[nGlyphs.Int()].len = 0; + qsort(locaTable, nGlyphs.Int() + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaIdx); pos = 0; for (i = 0; i <= nGlyphs; ++i) { @@ -1583,7 +1584,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu } // construct the new 'loca' table - locaData = (Guchar *)gmallocn(nGlyphs + 1, (locaFmt ? 4 : 2)); + locaData = (Guchar *)gmallocn(nGlyphs + SafeInt(1), (locaFmt ? 4 : 2)); for (i = 0; i <= nGlyphs; ++i) { pos = locaTable[i].newOffset; if (locaFmt) { @@ -1624,7 +1625,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu // construct the new table headers, including table checksums // (pad each table out to a multiple of 4 bytes) - pos = 12 + nNewTables*16; + pos = 12 + nNewTables.Int()*16; k = 0; for (i = 0; i < nT42Tables; ++i) { length = -1; @@ -1633,7 +1634,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu length = 54; checksum = computeTableChecksum(headData, 54); } else if (i == t42LocaTable) { - length = (nGlyphs + 1) * (locaFmt ? 4 : 2); + length = (nGlyphs.Int() + 1) * (locaFmt ? 4 : 2); checksum = computeTableChecksum(locaData, length); } else if (i == t42GlyfTable) { length = 0; @@ -1662,7 +1663,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu length = sizeof(vheaTab); checksum = computeTableChecksum(vheaTab, length); } else if (needVerticalMetrics && i == t42VmtxTable) { - length = 4 + (nGlyphs - 1) * 4; + length = (4 + (nGlyphs - 1) * 4).Int(); vmtxTab = (Guchar *)gmalloc(length); vmtxTab[0] = advance / 256; vmtxTab[1] = advance % 256; @@ -1700,13 +1701,13 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu tableDir[2] = 0x00; tableDir[3] = 0x00; tableDir[4] = 0; // numTables - tableDir[5] = nNewTables; + tableDir[5] = nNewTables.Int(); tableDir[6] = 0; // searchRange tableDir[7] = (Guchar)128; tableDir[8] = 0; // entrySelector tableDir[9] = 3; tableDir[10] = 0; // rangeShift - tableDir[11] = (Guchar)(16 * nNewTables - 128); + tableDir[11] = (Guchar)(16 * nNewTables.Int() - 128); pos = 12; for (i = 0; i < nNewTables; ++i) { tableDir[pos ] = (Guchar)(newTables[i].tag >> 24); @@ -1729,7 +1730,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu } // compute the font checksum and store it in the head table - checksum = computeTableChecksum(tableDir, 12 + nNewTables*16); + checksum = computeTableChecksum(tableDir, 12 + nNewTables.Int()*16); for (i = 0; i < nNewTables; ++i) { checksum += newTables[i].checksum; } @@ -1749,14 +1750,14 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu } // write the table directory - dumpString(tableDir, 12 + nNewTables*16, outputFunc, outputStream); + dumpString(tableDir, 12 + nNewTables.Int()*16, outputFunc, outputStream); // write the tables for (i = 0; i < nNewTables; ++i) { if (i == t42HeadTable) { dumpString(headData, 54, outputFunc, outputStream); } else if (i == t42LocaTable) { - length = (nGlyphs + 1) * (locaFmt ? 4 : 2); + length = (nGlyphs.Int() + 1) * (locaFmt ? 4 : 2); dumpString(locaData, length, outputFunc, outputStream); } else if (i == t42GlyfTable) { glyfPos = tables[seekTable("glyf")].offset; @@ -1980,7 +1981,7 @@ void FoFiTrueType::parse() { parsedOk = gFalse; return; } - if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) { + if (tables[i].len < (nGlyphs.Int() + 1) * (locaFmt ? 4 : 2)) { nGlyphs = tables[i].len / (locaFmt ? 4 : 2) - 1; } for (j = 0; j <= nGlyphs; ++j) { @@ -2029,7 +2030,7 @@ void FoFiTrueType::readPostTable() { goto err; } if (n > nGlyphs) { - n = nGlyphs; + n = nGlyphs.Int(); } stringIdx = 0; stringPos = tablePos + 34 + 2*n; Index: poppler-0.10.1/fofi/FoFiTrueType.h =================================================================== --- poppler-0.10.1.orig/fofi/FoFiTrueType.h +++ poppler-0.10.1/fofi/FoFiTrueType.h @@ -83,7 +83,7 @@ public: // Return the mapping from CIDs to GIDs, and return the number of // CIDs in *. This is only useful for CID fonts. (Only // useful for OpenType CFF fonts.) - Gushort *getCIDToGIDMap(int *nCIDs); + Gushort *getCIDToGIDMap(SafeInt *nCIDs); // Returns the least restrictive embedding licensing right (as // defined by the TrueType spec): @@ -120,7 +120,7 @@ public: // name (so we don't need to depend on the 'name' table in the // font). The array maps CIDs to GIDs; it has // entries. (Not useful for OpenType CFF fonts.) - void convertToCIDType2(char *psName, Gushort *cidMap, int nCIDs, + void convertToCIDType2(char *psName, Gushort *cidMap, SafeInt nCIDs, GBool needVerticalMetrics, FoFiOutputFunc outputFunc, void *outputStream); @@ -135,7 +135,7 @@ public: // PostScript font name (so we don't need to depend on the 'name' // table in the font). The array maps CIDs to GIDs; it has // entries. (Not useful for OpenType CFF fonts.) - void convertToType0(char *psName, Gushort *cidMap, int nCIDs, + void convertToType0(char *psName, Gushort *cidMap, SafeInt nCIDs, GBool needVerticalMetrics, FoFiOutputFunc outputFunc, void *outputStream); @@ -182,10 +182,10 @@ private: int checkGIDInCoverage(Guint coverage, Guint orgGID); TrueTypeTable *tables; - int nTables; + SafeInt nTables; TrueTypeCmap *cmaps; int nCmaps; - int nGlyphs; + SafeInt nGlyphs; int locaFmt; int bbox[4]; GooHash *nameToGID; Index: poppler-0.10.1/fofi/FoFiType1C.cc =================================================================== --- poppler-0.10.1.orig/fofi/FoFiType1C.cc +++ poppler-0.10.1/fofi/FoFiType1C.cc @@ -101,9 +101,10 @@ char **FoFiType1C::getEncoding() { return encoding; } -Gushort *FoFiType1C::getCIDToGIDMap(int *nCIDs) { +Gushort *FoFiType1C::getCIDToGIDMap(SafeInt *nCIDs) { Gushort *map; - int n, i; + SafeInt n; + int i; // a CID font's top dict has ROS as the first operator if (topDict.firstOp != 0x0c1e) { @@ -121,7 +122,7 @@ Gushort *FoFiType1C::getCIDToGIDMap(int } ++n; map = (Gushort *)gmallocn(n, sizeof(Gushort)); - memset(map, 0, n * sizeof(Gushort)); + memset(map, 0, n.Int() * sizeof(Gushort)); for (i = 0; i < nGlyphs; ++i) { map[charset[i]] = i; } @@ -437,7 +438,8 @@ void FoFiType1C::convertToCIDType0(char int *charStringOffsets; Type1CIndex subrIdx; Type1CIndexVal val; - int nCIDs, gdBytes; + SafeInt nCIDs; + int gdBytes; GooString *buf; char buf2[256]; GBool ok; @@ -460,7 +462,7 @@ void FoFiType1C::convertToCIDType0(char // build the charstrings charStrings = new GooString(); - charStringOffsets = (int *)gmallocn(nCIDs + 1, sizeof(int)); + charStringOffsets = (int *)gmallocn(nCIDs + SafeInt(1), sizeof(int)); for (i = 0; i < nCIDs; ++i) { charStringOffsets[i] = charStrings->getLength(); if ((gid = cidMap[i]) >= 0) { @@ -476,13 +478,13 @@ void FoFiType1C::convertToCIDType0(char } } } - charStringOffsets[nCIDs] = charStrings->getLength(); + charStringOffsets[nCIDs.Int()] = charStrings->getLength(); // compute gdBytes = number of bytes needed for charstring offsets // (offset size needs to account for the charstring offset table, // with a worst case of five bytes per entry, plus the charstrings // themselves) - i = (nCIDs + 1) * 5 + charStrings->getLength(); + i = (nCIDs.Int() + 1) * 5 + charStrings->getLength(); if (i < 0x100) { gdBytes = 1; } else if (i < 0x10000) { @@ -547,7 +549,7 @@ void FoFiType1C::convertToCIDType0(char (*outputFunc)(outputStream, "end def\n", 8); // CIDFont-specific entries - buf = GooString::format("/CIDCount {0:d} def\n", nCIDs); + buf = GooString::format("/CIDCount {0:d} def\n", nCIDs.Int()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; (*outputFunc)(outputStream, "/FDBytes 1 def\n", 15); @@ -565,7 +567,7 @@ void FoFiType1C::convertToCIDType0(char } // FDArray entry - buf = GooString::format("/FDArray {0:d} array\n", nFDs); + buf = GooString::format("/FDArray {0:d} array\n", nFDs.Int()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); delete buf; for (i = 0; i < nFDs; ++i) { @@ -708,7 +710,7 @@ void FoFiType1C::convertToCIDType0(char (*outputFunc)(outputStream, "def\n", 4); // start the binary section - offset = (nCIDs + 1) * (1 + gdBytes); + offset = (nCIDs.Int() + 1) * (1 + gdBytes); buf = GooString::format("(Hex) {0:d} StartData\n", offset + charStrings->getLength()); (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); @@ -761,7 +763,7 @@ void FoFiType1C::convertToType0(char *ps int *cidMap; Type1CIndex subrIdx; Type1CIndexVal val; - int nCIDs; + SafeInt nCIDs; GooString *buf; Type1CEexecBuf eb; GBool ok; Index: poppler-0.10.1/fofi/FoFiType1C.h =================================================================== --- poppler-0.10.1.orig/fofi/FoFiType1C.h +++ poppler-0.10.1/fofi/FoFiType1C.h @@ -163,7 +163,7 @@ public: // Return the mapping from CIDs to GIDs, and return the number of // CIDs in *. This is only useful for CID fonts. - Gushort *getCIDToGIDMap(int *nCIDs); + Gushort *getCIDToGIDMap(SafeInt *nCIDs); // Convert to a Type 1 font, suitable for embedding in a PostScript // file. This is only useful with 8-bit fonts. If is @@ -228,7 +228,7 @@ private: Type1CPrivateDict *privateDicts; int nGlyphs; - int nFDs; + SafeInt nFDs; Guchar *fdSelect; Gushort *charset; int gsubrBias; Index: poppler-0.10.1/goo/GooHash.cc =================================================================== --- poppler-0.10.1.orig/goo/GooHash.cc +++ poppler-0.10.1/goo/GooHash.cc @@ -311,7 +311,8 @@ void GooHash::killIter(GooHashIter **ite void GooHash::expand() { GooHashBucket **oldTab; GooHashBucket *p; - int oldSize, h, i; + int h, i; + SafeInt oldSize; oldSize = size; oldTab = tab; @@ -365,7 +366,7 @@ int GooHash::hash(GooString *key) { for (p = key->getCString(), i = 0; i < key->getLength(); ++p, ++i) { h = 17 * h + (int)(*p & 0xff); } - return (int)(h % size); + return (int)(h % size.Int()); } int GooHash::hash(char *key) { @@ -376,5 +377,5 @@ int GooHash::hash(char *key) { for (p = key; *p; ++p) { h = 17 * h + (int)(*p & 0xff); } - return (int)(h % size); + return (int)(h % size.Int()); } Index: poppler-0.10.1/goo/GooHash.h =================================================================== --- poppler-0.10.1.orig/goo/GooHash.h +++ poppler-0.10.1/goo/GooHash.h @@ -53,7 +53,7 @@ private: int hash(char *key); GBool deleteKeys; // set if key strings should be deleted - int size; // number of buckets + SafeInt size; // number of buckets int len; // number of entries GooHashBucket **tab; }; Index: poppler-0.10.1/goo/GooList.cc =================================================================== --- poppler-0.10.1.orig/goo/GooList.cc +++ poppler-0.10.1/goo/GooList.cc @@ -43,7 +43,7 @@ void GooList::append(void *p) { if (length >= size) { expand(); } - data[length++] = p; + data[(length++).Int()] = p; } void GooList::append(GooList *list) { @@ -53,7 +53,7 @@ void GooList::append(GooList *list) { expand(); } for (i = 0; i < list->length; ++i) { - data[length++] = list->data[i]; + data[(length++).Int()] = list->data[i]; } } @@ -62,7 +62,7 @@ void GooList::insert(int i, void *p) { expand(); } if (i < length) { - memmove(data+i+1, data+i, (length - i) * sizeof(void *)); + memmove(data+i+1, data+i, (length.Int() - i) * sizeof(void *)); } data[i] = p; ++length; @@ -73,7 +73,7 @@ void *GooList::del(int i) { p = data[i]; if (i < length - 1) { - memmove(data+i, data+i+1, (length - i - 1) * sizeof(void *)); + memmove(data+i, data+i+1, (length.Int() - i - 1) * sizeof(void *)); } --length; if (size - length >= ((inc > 0) ? inc : size/2)) { @@ -83,7 +83,7 @@ void *GooList::del(int i) { } void GooList::sort(int (*cmp)(const void *obj1, const void *obj2)) { - qsort(data, length, sizeof(void *), cmp); + qsort(data, length.Int(), sizeof(void *), cmp); } void GooList::expand() { Index: poppler-0.10.1/goo/GooList.h =================================================================== --- poppler-0.10.1.orig/goo/GooList.h +++ poppler-0.10.1/goo/GooList.h @@ -14,6 +14,7 @@ #endif #include "gtypes.h" +#include "gmem.h" //------------------------------------------------------------------------ // GooList @@ -34,7 +35,7 @@ public: //----- general // Get the number of elements. - int getLength() { return length; } + int getLength() { return length.Int(); } //----- ordered list support @@ -74,9 +75,9 @@ private: void shrink(); void **data; // the list elements - int size; // size of data array - int length; // number of elements on list - int inc; // allocation increment + SafeInt size; // size of data array + SafeInt length; // number of elements on list + SafeInt inc; // allocation increment }; #define deleteGooList(list, T) \ Index: poppler-0.10.1/goo/GooString.cc =================================================================== --- poppler-0.10.1.orig/goo/GooString.cc +++ poppler-0.10.1/goo/GooString.cc @@ -270,7 +270,8 @@ GooString *GooString::appendf(char *fmt, GooString *GooString::appendfv(char *fmt, va_list argList) { GooStringFormatArg *args; - int argsLen, argsSize; + int argsLen; + SafeInt argsSize; GooStringFormatArg arg; int idx, width, prec; GBool reverseAlign, zeroFill; Index: poppler-0.10.1/splash/Splash.cc =================================================================== --- poppler-0.10.1.orig/splash/Splash.cc +++ poppler-0.10.1/splash/Splash.cc @@ -2005,7 +2005,7 @@ SplashError Splash::fillImageMask(Splash if (yp < 0 || yp > INT_MAX - 1) { return splashErrBadArg; } - pixBuf = (SplashColorPtr)gmallocn((yp + 1), w); + pixBuf = (SplashColorPtr)gmallocn((SafeInt(yp) + SafeInt(1)), SafeInt(w)); // initialize the pixel pipe pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha, @@ -2310,7 +2310,7 @@ SplashError Splash::drawImage(SplashImag } colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps); if (srcAlpha) { - alphaBuf = (Guchar *)gmalloc((yp + 1) * w); + alphaBuf = (Guchar *)gmalloc(((SafeInt(yp) + SafeInt(1)) * SafeInt(w)).Int()); } else { alphaBuf = NULL; } @@ -3327,7 +3327,7 @@ SplashPath *Splash::makeStrokePath(Splas // draw the start cap pathOut->moveTo(pathIn->pts[i].x - wdy, pathIn->pts[i].y + wdx); if (i == subpathStart) { - firstPt = pathOut->length - 1; + firstPt = pathOut->length.Int() - 1; } if (first && !closed) { switch (state->lineCap) { @@ -3362,7 +3362,7 @@ SplashPath *Splash::makeStrokePath(Splas } // draw the left side of the segment rectangle - left2 = pathOut->length - 1; + left2 = pathOut->length.Int() - 1; pathOut->lineTo(pathIn->pts[i+1].x + wdy, pathIn->pts[i+1].y - wdx); // draw the end cap @@ -3399,11 +3399,11 @@ SplashPath *Splash::makeStrokePath(Splas } // draw the right side of the segment rectangle - right2 = pathOut->length - 1; + right2 = pathOut->length.Int() - 1; pathOut->close(); // draw the join - join2 = pathOut->length; + join2 = pathOut->length.Int(); if (!last || closed) { crossprod = dx * dyNext - dy * dxNext; dotprod = -(dx * dxNext + dy * dyNext); @@ -3517,10 +3517,10 @@ SplashPath *Splash::makeStrokePath(Splas if (i >= subpathStart + 2) { pathOut->addStrokeAdjustHint(left1, right1, left0 + 1, right0); pathOut->addStrokeAdjustHint(left1, right1, - join0, pathOut->length - 1); + join0, pathOut->length.Int() - 1); } else { pathOut->addStrokeAdjustHint(left1, right1, - firstPt, pathOut->length - 1); + firstPt, pathOut->length.Int() - 1); } if (closed) { pathOut->addStrokeAdjustHint(left1, right1, firstPt, leftFirst); @@ -3529,7 +3529,7 @@ SplashPath *Splash::makeStrokePath(Splas pathOut->addStrokeAdjustHint(leftFirst, rightFirst, left1 + 1, right1); pathOut->addStrokeAdjustHint(leftFirst, rightFirst, - join1, pathOut->length - 1); + join1, pathOut->length.Int() - 1); } } } Index: poppler-0.10.1/splash/SplashPath.h =================================================================== --- poppler-0.10.1.orig/splash/SplashPath.h +++ poppler-0.10.1/splash/SplashPath.h @@ -89,7 +89,7 @@ public: void offset(SplashCoord dx, SplashCoord dy); // Get the points on the path. - int getLength() { return length; } + int getLength() { return length.Int(); } void getPoint(int i, double *x, double *y, Guchar *f) { *x = pts[i].x; *y = pts[i].y; *f = flags[i]; } @@ -106,11 +106,11 @@ private: SplashPathPoint *pts; // array of points Guchar *flags; // array of flags - int length, size; // length/size of the pts and flags arrays + SafeInt length, size; // length/size of the pts and flags arrays int curSubpath; // index of first point in last subpath SplashPathHint *hints; // list of hints - int hintsLength, hintsSize; + SafeInt hintsLength, hintsSize; friend class SplashXPath; friend class Splash; Index: poppler-0.10.1/splash/SplashClip.h =================================================================== --- poppler-0.10.1.orig/splash/SplashClip.h +++ poppler-0.10.1/splash/SplashClip.h @@ -99,7 +99,8 @@ private: SplashXPath **paths; Guchar *flags; SplashXPathScanner **scanners; - int length, size; + int length; + SafeInt size; }; #endif Index: poppler-0.10.1/splash/SplashClip.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashClip.cc +++ poppler-0.10.1/splash/SplashClip.cc @@ -55,7 +55,8 @@ SplashClip::SplashClip(SplashCoord x0, S paths = NULL; flags = NULL; scanners = NULL; - length = size = 0; + length = 0; + size = 0; } SplashClip::SplashClip(SplashClip *clip) { @@ -124,7 +125,8 @@ void SplashClip::resetToRect(SplashCoord paths = NULL; flags = NULL; scanners = NULL; - length = size = 0; + length = 0; + size = 0; if (x0 < x1) { xMin = x0; Index: poppler-0.10.1/splash/SplashFTFont.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashFTFont.cc +++ poppler-0.10.1/splash/SplashFTFont.cc @@ -172,7 +172,7 @@ GBool SplashFTFont::makeGlyph(int c, int FT_Vector offset; FT_GlyphSlot slot; FT_UInt gid; - int rowSize; + SafeInt rowSize; Guchar *p, *q; int i; @@ -241,14 +241,14 @@ GBool SplashFTFont::makeGlyph(int c, int if (aa) { rowSize = bitmap->w; } else { - rowSize = (bitmap->w + 7) >> 3; + rowSize = (SafeInt(bitmap->w) + SafeInt(7)) >> 3; } - bitmap->data = (Guchar *)gmalloc(rowSize * bitmap->h); + bitmap->data = (Guchar *)gmallocn(rowSize, bitmap->h); bitmap->freeData = gTrue; for (i = 0, p = bitmap->data, q = slot->bitmap.buffer; i < bitmap->h; - ++i, p += rowSize, q += slot->bitmap.pitch) { - memcpy(p, q, rowSize); + ++i, p += rowSize.Int(), q += slot->bitmap.pitch) { + memcpy(p, q, rowSize.Int()); } return gTrue; Index: poppler-0.10.1/splash/SplashFTFontEngine.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashFTFontEngine.cc +++ poppler-0.10.1/splash/SplashFTFontEngine.cc @@ -103,7 +103,7 @@ SplashFontFile *SplashFTFontEngine::load SplashFontSrc *src) { FoFiType1C *ff; Gushort *cidToGIDMap; - int nCIDs; + SafeInt nCIDs; SplashFontFile *ret; // check for a CFF font @@ -124,7 +124,7 @@ SplashFontFile *SplashFTFontEngine::load nCIDs = 0; } } - ret = SplashFTFontFile::loadCIDFont(this, idA, src, cidToGIDMap, nCIDs); + ret = SplashFTFontFile::loadCIDFont(this, idA, src, cidToGIDMap, nCIDs.Int()); if (!ret) { gfree(cidToGIDMap); } @@ -136,7 +136,7 @@ SplashFontFile *SplashFTFontEngine::load FoFiTrueType *ff; GBool isCID; Gushort *cidToGIDMap; - int nCIDs; + SafeInt nCIDs; SplashFontFile *ret; cidToGIDMap = NULL; @@ -156,7 +156,7 @@ SplashFontFile *SplashFTFontEngine::load } } ret = SplashFTFontFile::loadCIDFont(this, idA, src, - cidToGIDMap, nCIDs); + cidToGIDMap, nCIDs.Int()); if (!ret) { gfree(cidToGIDMap); } Index: poppler-0.10.1/splash/SplashFont.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashFont.cc +++ poppler-0.10.1/splash/SplashFont.cc @@ -93,7 +93,7 @@ void SplashFont::initCache() { cacheTags = (SplashFontCacheTag *)gmallocn(cacheSets * cacheAssoc, sizeof(SplashFontCacheTag)); for (i = 0; i < cacheSets * cacheAssoc; ++i) { - cacheTags[i].mru = i & (cacheAssoc - 1); + cacheTags[i].mru = i & (cacheAssoc.Int() - 1); } } else { cacheAssoc = 0; @@ -124,7 +124,7 @@ GBool SplashFont::getGlyph(int c, int xF } // check the cache - i = (c & (cacheSets - 1)) * cacheAssoc; + i = (c & (cacheSets.Int() - 1)) * cacheAssoc.Int(); for (j = 0; j < cacheAssoc; ++j) { if ((cacheTags[i+j].mru & 0x80000000) && cacheTags[i+j].c == c && @@ -189,7 +189,7 @@ GBool SplashFont::getGlyph(int c, int xF else { for (j = 0; j < cacheAssoc; ++j) { - if ((cacheTags[i+j].mru & 0x7fffffff) == cacheAssoc - 1) { + if ((cacheTags[i+j].mru & 0x7fffffff) == cacheAssoc.Int() - 1) { cacheTags[i+j].mru = 0x80000000; cacheTags[i+j].c = c; cacheTags[i+j].xFrac = (short)xFrac; Index: poppler-0.10.1/splash/SplashFont.h =================================================================== --- poppler-0.10.1.orig/splash/SplashFont.h +++ poppler-0.10.1/splash/SplashFont.h @@ -114,8 +114,8 @@ protected: cacheTags; int glyphW, glyphH; // size of glyph bitmaps int glyphSize; // size of glyph bitmaps, in bytes - int cacheSets; // number of sets in cache - int cacheAssoc; // cache associativity (glyphs per set) + SafeInt cacheSets; // number of sets in cache + SafeInt cacheAssoc; // cache associativity (glyphs per set) }; #endif Index: poppler-0.10.1/splash/SplashPath.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashPath.cc +++ poppler-0.10.1/splash/SplashPath.cc @@ -44,13 +44,13 @@ SplashPath::SplashPath(SplashPath *path) size = path->size; pts = (SplashPathPoint *)gmallocn(size, sizeof(SplashPathPoint)); flags = (Guchar *)gmallocn(size, sizeof(Guchar)); - memcpy(pts, path->pts, length * sizeof(SplashPathPoint)); - memcpy(flags, path->flags, length * sizeof(Guchar)); + memcpy(pts, path->pts, length.Int() * sizeof(SplashPathPoint)); + memcpy(flags, path->flags, length.Int() * sizeof(Guchar)); curSubpath = path->curSubpath; if (path->hints) { hintsLength = hintsSize = path->hintsLength; hints = (SplashPathHint *)gmallocn(hintsSize, sizeof(SplashPathHint)); - memcpy(hints, path->hints, hintsLength * sizeof(SplashPathHint)); + memcpy(hints, path->hints, hintsLength.Int() * sizeof(SplashPathHint)); } else { hints = NULL; } @@ -79,11 +79,11 @@ void SplashPath::grow(int nPts) { void SplashPath::append(SplashPath *path) { int i; - curSubpath = length + path->curSubpath; - grow(path->length); + curSubpath = length.Int() + path->curSubpath; + grow(path->length.Int()); for (i = 0; i < path->length; ++i) { - pts[length] = path->pts[i]; - flags[length] = path->flags[i]; + pts[length.Int()] = path->pts[i]; + flags[length.Int()] = path->flags[i]; ++length; } } @@ -93,10 +93,10 @@ SplashError SplashPath::moveTo(SplashCoo return splashErrBogusPath; } grow(1); - pts[length].x = x; - pts[length].y = y; - flags[length] = splashPathFirst | splashPathLast; - curSubpath = length++; + pts[length.Int()].x = x; + pts[length.Int()].y = y; + flags[length.Int()] = splashPathFirst | splashPathLast; + curSubpath = (length++).Int(); return splashOk; } @@ -104,11 +104,11 @@ SplashError SplashPath::lineTo(SplashCoo if (noCurrentPoint()) { return splashErrNoCurPt; } - flags[length-1] &= ~splashPathLast; + flags[(length-1).Int()] &= ~splashPathLast; grow(1); - pts[length].x = x; - pts[length].y = y; - flags[length] = splashPathLast; + pts[length.Int()].x = x; + pts[length.Int()].y = y; + flags[length.Int()] = splashPathLast; ++length; return splashOk; } @@ -119,19 +119,19 @@ SplashError SplashPath::curveTo(SplashCo if (noCurrentPoint()) { return splashErrNoCurPt; } - flags[length-1] &= ~splashPathLast; + flags[(length-1).Int()] &= ~splashPathLast; grow(3); - pts[length].x = x1; - pts[length].y = y1; - flags[length] = splashPathCurve; + pts[length.Int()].x = x1; + pts[length.Int()].y = y1; + flags[length.Int()] = splashPathCurve; ++length; - pts[length].x = x2; - pts[length].y = y2; - flags[length] = splashPathCurve; + pts[length.Int()].x = x2; + pts[length.Int()].y = y2; + flags[length.Int()] = splashPathCurve; ++length; - pts[length].x = x3; - pts[length].y = y3; - flags[length] = splashPathLast; + pts[length.Int()].x = x3; + pts[length.Int()].y = y3; + flags[length.Int()] = splashPathLast; ++length; return splashOk; } @@ -140,28 +140,28 @@ SplashError SplashPath::close() { if (noCurrentPoint()) { return splashErrNoCurPt; } - if (curSubpath == length - 1 || - pts[length - 1].x != pts[curSubpath].x || - pts[length - 1].y != pts[curSubpath].y) { + if (curSubpath == length.Int() - 1 || + pts[length.Int() - 1].x != pts[curSubpath].x || + pts[length.Int() - 1].y != pts[curSubpath].y) { lineTo(pts[curSubpath].x, pts[curSubpath].y); } flags[curSubpath] |= splashPathClosed; - flags[length - 1] |= splashPathClosed; - curSubpath = length; + flags[length.Int() - 1] |= splashPathClosed; + curSubpath = length.Int(); return splashOk; } void SplashPath::addStrokeAdjustHint(int ctrl0, int ctrl1, int firstPt, int lastPt) { if (hintsLength == hintsSize) { - hintsSize = hintsLength ? 2 * hintsLength : 8; + hintsSize = hintsLength.Int() ? 2 * hintsLength : 8; hints = (SplashPathHint *)greallocn(hints, hintsSize, sizeof(SplashPathHint)); } - hints[hintsLength].ctrl0 = ctrl0; - hints[hintsLength].ctrl1 = ctrl1; - hints[hintsLength].firstPt = firstPt; - hints[hintsLength].lastPt = lastPt; + hints[hintsLength.Int()].ctrl0 = ctrl0; + hints[hintsLength.Int()].ctrl1 = ctrl1; + hints[hintsLength.Int()].firstPt = firstPt; + hints[hintsLength.Int()].lastPt = lastPt; ++hintsLength; } @@ -178,7 +178,7 @@ GBool SplashPath::getCurPt(SplashCoord * if (noCurrentPoint()) { return gFalse; } - *x = pts[length - 1].x; - *y = pts[length - 1].y; + *x = pts[length.Int() - 1].x; + *y = pts[length.Int() - 1].y; return gTrue; } Index: poppler-0.10.1/splash/SplashScreen.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashScreen.cc +++ poppler-0.10.1/splash/SplashScreen.cc @@ -59,7 +59,7 @@ SplashScreen::SplashScreen(SplashScreenP // size must be a power of 2 for (size = 1; size < params->size; size <<= 1) ; mat = (Guchar *)gmallocn(size * size, sizeof(Guchar)); - buildDispersedMatrix(size/2, size/2, 1, size/2, 1); + buildDispersedMatrix((size/2).Int(), (size/2).Int(), 1, (size/2).Int(), 1); break; case splashScreenClustered: @@ -74,8 +74,8 @@ SplashScreen::SplashScreen(SplashScreenP case splashScreenStochasticClustered: // size must be at least 2*r - if (params->size < 2 * params->dotRadius) { - size = 2 * params->dotRadius; + if (SafeInt(params->size) < 2 * SafeInt(params->dotRadius)) { + size = 2 * SafeInt(params->dotRadius); } else { size = params->size; } @@ -118,15 +118,15 @@ void SplashScreen::buildDispersedMatrix( int delta, int offset) { if (delta == 0) { // map values in [1, size^2] --> [1, 255] - mat[i * size + j] = 1 + (254 * (val - 1)) / (size * size - 1); + mat[i * size.Int() + j] = 1 + (254 * (val - 1)) / (size.Int() * size.Int() - 1); } else { buildDispersedMatrix(i, j, val, delta / 2, 4*offset); - buildDispersedMatrix((i + delta) % size, (j + delta) % size, + buildDispersedMatrix((i + delta) % size.Int(), (j + delta) % size.Int(), val + offset, delta / 2, 4*offset); - buildDispersedMatrix((i + delta) % size, j, + buildDispersedMatrix((i + delta) % size.Int(), j, val + 2*offset, delta / 2, 4*offset); - buildDispersedMatrix((i + 2*delta) % size, (j + delta) % size, + buildDispersedMatrix((i + 2*delta) % size.Int(), (j + delta) % size.Int(), val + 3*offset, delta / 2, 4*offset); } } @@ -135,14 +135,15 @@ void SplashScreen::buildClusteredMatrix( SplashCoord *dist; SplashCoord u, v, d; Guchar val; - int size2, x, y, x1, y1, i; + SafeInt size2; + int x, y, x1, y1, i; size2 = size >> 1; // initialize the threshold matrix for (y = 0; y < size; ++y) { for (x = 0; x < size; ++x) { - mat[y * size + x] = 0; + mat[y * size.Int() + x] = 0; } } @@ -154,22 +155,22 @@ void SplashScreen::buildClusteredMatrix( u = (SplashCoord)x + 0.5 - 0; v = (SplashCoord)y + 0.5 - 0; } else { - u = (SplashCoord)x + 0.5 - (SplashCoord)size2; - v = (SplashCoord)y + 0.5 - (SplashCoord)size2; + u = (SplashCoord)x + 0.5 - (SplashCoord)size2.Int(); + v = (SplashCoord)y + 0.5 - (SplashCoord)size2.Int(); } - dist[y * size2 + x] = u*u + v*v; + dist[y * size2.Int() + x] = u*u + v*v; } } for (y = 0; y < size2; ++y) { for (x = 0; x < size2; ++x) { if (x < y) { u = (SplashCoord)x + 0.5 - 0; - v = (SplashCoord)y + 0.5 - (SplashCoord)size2; + v = (SplashCoord)y + 0.5 - (SplashCoord)size2.Int(); } else { - u = (SplashCoord)x + 0.5 - (SplashCoord)size2; + u = (SplashCoord)x + 0.5 - (SplashCoord)size2.Int(); v = (SplashCoord)y + 0.5 - 0; } - dist[(size2 + y) * size2 + x] = u*u + v*v; + dist[(size2.Int() + y) * size2.Int() + x] = u*u + v*v; } } @@ -181,22 +182,22 @@ void SplashScreen::buildClusteredMatrix( d = -1; for (y = 0; y < size; ++y) { for (x = 0; x < size2; ++x) { - if (mat[y * size + x] == 0 && - dist[y * size2 + x] > d) { + if (mat[y * size.Int() + x] == 0 && + dist[y * size2.Int() + x] > d) { x1 = x; y1 = y; - d = dist[y1 * size2 + x1]; + d = dist[y1 * size2.Int() + x1]; } } } // map values in [0, 2*size*size2-1] --> [1, 255] - val = 1 + (254 * (2*i)) / (2*size*size2 - 1); - mat[y1 * size + x1] = val; - val = 1 + (254 * (2*i+1)) / (2*size*size2 - 1); - if (y1 < size2) { - mat[(y1 + size2) * size + x1 + size2] = val; + val = 1 + (254 * (2*i)) / (2*size.Int()*size2.Int() - 1); + mat[y1 * size.Int() + x1] = val; + val = 1 + (254 * (2*i+1)) / (2*size.Int()*size2.Int() - 1); + if (y1 < size2.Int()) { + mat[(y1 + size2.Int()) * size.Int() + x1 + size2.Int()] = val; } else { - mat[(y1 - size2) * size + x1 + size2] = val; + mat[(y1 - size2.Int()) * size.Int() + x1 + size2.Int()] = val; } } @@ -208,10 +209,10 @@ int SplashScreen::distance(int x0, int y int dx0, dx1, dx, dy0, dy1, dy; dx0 = abs(x0 - x1); - dx1 = size - dx0; + dx1 = size.Int() - dx0; dx = dx0 < dx1 ? dx0 : dx1; dy0 = abs(y0 - y1); - dy1 = size - dy0; + dy1 = size.Int() - dy0; dy = dy0 < dy1 ? dy0 : dy1; return dx * dx + dy * dy; } @@ -222,7 +223,7 @@ int SplashScreen::distance(int x0, int y // Hardcopy, and Graphic Arts IV, SPIE Vol. 3648, pp. 496-505, 1999. void SplashScreen::buildSCDMatrix(int r) { SplashScreenPoint *dots, *pts; - int dotsLen, dotsSize; + SafeInt dotsLen, dotsSize; char *tmpl; char *grid; int *region, *dist; @@ -242,7 +243,7 @@ void SplashScreen::buildSCDMatrix(int r) } } for (i = 0; i < size * size; ++i) { - j = i + (int)((double)(size * size - i) * + j = i + (int)((double)(size.Int() * size.Int() - i) * (double)rand() / ((double)RAND_MAX + 1.0)); x = pts[i].x; y = pts[i].y; @@ -253,7 +254,7 @@ void SplashScreen::buildSCDMatrix(int r) } // construct the circle template - tmpl = (char *)gmallocn((r+1)*(r+1), sizeof(char)); + tmpl = (char *)gmallocn((SafeInt(r)+SafeInt(1))*(SafeInt(r)+SafeInt(1)), sizeof(char)); for (y = 0; y <= r; ++y) { for (x = 0; x <= r; ++x) { tmpl[y*(r+1) + x] = (x * y <= r * r) ? 1 : 0; @@ -264,7 +265,7 @@ void SplashScreen::buildSCDMatrix(int r) grid = (char *)gmallocn(size * size, sizeof(char)); for (y = 0; y < size; ++y) { for (x = 0; x < size; ++x) { - grid[y*size + x] = 0; + grid[y*size.Int() + x] = 0; } } @@ -272,27 +273,27 @@ void SplashScreen::buildSCDMatrix(int r) dotsLen = 0; dotsSize = 32; dots = (SplashScreenPoint *)gmallocn(dotsSize, sizeof(SplashScreenPoint)); - for (i = 0; i < size * size; ++i) { + for (i = 0; i < size.Int() * size.Int(); ++i) { x = pts[i].x; y = pts[i].y; - if (!grid[y*size + x]) { + if (!grid[y*size.Int() + x]) { if (dotsLen == dotsSize) { dotsSize *= 2; dots = (SplashScreenPoint *)greallocn(dots, dotsSize, sizeof(SplashScreenPoint)); } - dots[dotsLen++] = pts[i]; + dots[(dotsLen++).Int()] = pts[i]; for (yy = 0; yy <= r; ++yy) { - y0 = (y + yy) % size; - y1 = (y - yy + size) % size; + y0 = (y + yy) % size.Int(); + y1 = (y - yy + size.Int()) % size.Int(); for (xx = 0; xx <= r; ++xx) { if (tmpl[yy*(r+1) + xx]) { - x0 = (x + xx) % size; - x1 = (x - xx + size) % size; - grid[y0*size + x0] = 1; - grid[y0*size + x1] = 1; - grid[y1*size + x0] = 1; - grid[y1*size + x1] = 1; + x0 = (x + xx) % size.Int(); + x1 = (x - xx + size.Int()) % size.Int(); + grid[y0*size.Int() + x0] = 1; + grid[y0*size.Int() + x1] = 1; + grid[y1*size.Int() + x0] = 1; + grid[y1*size.Int() + x1] = 1; } } } @@ -316,17 +317,17 @@ void SplashScreen::buildSCDMatrix(int r) dMin = d; } } - region[y*size + x] = iMin; - dist[y*size + x] = dMin; + region[y*size.Int() + x] = iMin; + dist[y*size.Int() + x] = dMin; } } // compute threshold values for (i = 0; i < dotsLen; ++i) { n = 0; - for (y = 0; y < size; ++y) { - for (x = 0; x < size; ++x) { - if (region[y*size + x] == i) { + for (y = 0; y < size.Int(); ++y) { + for (x = 0; x < size.Int(); ++x) { + if (region[y*size.Int() + x] == i) { pts[n].x = x; pts[n].y = y; pts[n].dist = distance(dots[i].x, dots[i].y, x, y); @@ -337,7 +338,7 @@ void SplashScreen::buildSCDMatrix(int r) qsort(pts, n, sizeof(SplashScreenPoint), &cmpDistances); for (j = 0; j < n; ++j) { // map values in [0 .. n-1] --> [255 .. 1] - mat[pts[j].y * size + pts[j].x] = 255 - (254 * j) / (n - 1); + mat[pts[j].y * size.Int() + pts[j].x] = 255 - (254 * j) / (n - 1); } } @@ -351,7 +352,7 @@ void SplashScreen::buildSCDMatrix(int r) SplashScreen::SplashScreen(SplashScreen *screen) { size = screen->size; mat = (Guchar *)gmallocn(size * size, sizeof(Guchar)); - memcpy(mat, screen->mat, size * size * sizeof(Guchar)); + memcpy(mat, screen->mat, (size * size).Int() * sizeof(Guchar)); minVal = screen->minVal; maxVal = screen->maxVal; } @@ -369,13 +370,13 @@ int SplashScreen::test(int x, int y, Guc if (value >= maxVal) { return 1; } - if ((xx = x % size) < 0) { + if ((xx = x % size.Int()) < 0) { xx = -xx; } - if ((yy = y % size) < 0) { + if ((yy = y % size.Int()) < 0) { yy = -yy; } - return value < mat[yy * size + xx] ? 0 : 1; + return value < mat[yy * size.Int() + xx] ? 0 : 1; } GBool SplashScreen::isStatic(Guchar value) { Index: poppler-0.10.1/splash/SplashScreen.h =================================================================== --- poppler-0.10.1.orig/splash/SplashScreen.h +++ poppler-0.10.1/splash/SplashScreen.h @@ -12,11 +12,14 @@ #endif #include "SplashTypes.h" +#include "gmem.h" //------------------------------------------------------------------------ // SplashScreen //------------------------------------------------------------------------ +class SafeInt; + class SplashScreen { public: @@ -44,7 +47,7 @@ private: void buildSCDMatrix(int r); Guchar *mat; // threshold matrix - int size; // size of the threshold matrix + SafeInt size; // size of the threshold matrix Guchar minVal; // any pixel value below minVal generates // solid black Guchar maxVal; // any pixel value above maxVal generates Index: poppler-0.10.1/splash/SplashT1Font.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashT1Font.cc +++ poppler-0.10.1/splash/SplashT1Font.cc @@ -197,7 +197,8 @@ GBool SplashT1Font::getGlyph(int c, int GBool SplashT1Font::makeGlyph(int c, int xFrac, int yFrac, SplashGlyphBitmap *bitmap, int x0, int y0, SplashClip *clip, SplashClipResult *clipRes) { GLYPH *glyph; - int n, i; + int i; + SafeInt n; if (aa) { glyph = T1_AASetChar(t1libID, c, size, NULL); @@ -217,7 +218,7 @@ GBool SplashT1Font::makeGlyph(int c, int bitmap->data = (Guchar *)glyph->bits; bitmap->freeData = gFalse; } else { - n = bitmap->h * ((bitmap->w + 7) >> 3); + n = SafeInt(bitmap->h) * ((SafeInt(bitmap->w) + SafeInt(7)) >> SafeInt(3)); bitmap->data = (Guchar *)gmalloc(n); for (i = 0; i < n; ++i) { bitmap->data[i] = bitReverse[glyph->bits[i] & 0xff]; Index: poppler-0.10.1/splash/SplashT1FontFile.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashT1FontFile.cc +++ poppler-0.10.1/splash/SplashT1FontFile.cc @@ -46,7 +46,7 @@ SplashFontFile *SplashT1FontFile::loadTy int t1libIDA; char **encTmp; char *encStrTmp; - int encStrSize; + SafeInt encStrSize; char *encPtr; int i; @@ -78,7 +78,7 @@ SplashFontFile *SplashT1FontFile::loadTy encStrSize = 0; for (i = 0; i < 256; ++i) { if (encA[i]) { - encStrSize += strlen(encA[i]) + 1; + encStrSize += SafeInt(strlen(encA[i])) + SafeInt(1); } } encTmp = (char **)gmallocn(257, sizeof(char *)); Index: poppler-0.10.1/splash/SplashXPath.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashXPath.cc +++ poppler-0.10.1/splash/SplashXPath.cc @@ -152,7 +152,7 @@ SplashXPath::SplashXPath(SplashPath *pat xsp = x0; ysp = y0; curSubpath = i; - curSubpathX = length; + curSubpathX = length.Int(); ++i; } else { @@ -241,7 +241,7 @@ SplashXPath::SplashXPath(SplashXPath *xP length = xPath->length; size = xPath->size; segs = (SplashXPathSeg *)gmallocn(size, sizeof(SplashXPathSeg)); - memcpy(segs, xPath->segs, length * sizeof(SplashXPathSeg)); + memcpy(segs, xPath->segs, length.Int() * sizeof(SplashXPathSeg)); } SplashXPath::~SplashXPath() { @@ -349,51 +349,51 @@ void SplashXPath::addSegment(SplashCoord SplashCoord x1, SplashCoord y1, GBool first, GBool last, GBool end0, GBool end1) { grow(1); - segs[length].x0 = x0; - segs[length].y0 = y0; - segs[length].x1 = x1; - segs[length].y1 = y1; - segs[length].flags = 0; + segs[length.Int()].x0 = x0; + segs[length.Int()].y0 = y0; + segs[length.Int()].x1 = x1; + segs[length.Int()].y1 = y1; + segs[length.Int()].flags = 0; if (first) { - segs[length].flags |= splashXPathFirst; + segs[length.Int()].flags |= splashXPathFirst; } if (last) { - segs[length].flags |= splashXPathLast; + segs[length.Int()].flags |= splashXPathLast; } if (end0) { - segs[length].flags |= splashXPathEnd0; + segs[length.Int()].flags |= splashXPathEnd0; } if (end1) { - segs[length].flags |= splashXPathEnd1; + segs[length.Int()].flags |= splashXPathEnd1; } if (y1 == y0) { - segs[length].dxdy = segs[length].dydx = 0; - segs[length].flags |= splashXPathHoriz; + segs[length.Int()].dxdy = segs[length.Int()].dydx = 0; + segs[length.Int()].flags |= splashXPathHoriz; if (x1 == x0) { - segs[length].flags |= splashXPathVert; + segs[length.Int()].flags |= splashXPathVert; } } else if (x1 == x0) { - segs[length].dxdy = segs[length].dydx = 0; - segs[length].flags |= splashXPathVert; + segs[length.Int()].dxdy = segs[length.Int()].dydx = 0; + segs[length.Int()].flags |= splashXPathVert; } else { #if USE_FIXEDPOINT - if (FixedPoint::divCheck(x1 - x0, y1 - y0, &segs[length].dxdy)) { - segs[length].dydx = (SplashCoord)1 / segs[length].dxdy; + if (FixedPoint::divCheck(x1 - x0, y1 - y0, &segs[length.Int()].dxdy)) { + segs[length.Int()].dydx = (SplashCoord)1 / segs[length.Int()].dxdy; } else { - segs[length].dxdy = segs[length].dydx = 0; + segs[length.Int()].dxdy = segs[length.Int()].dydx = 0; if (splashAbs(x1 - x0) > splashAbs(y1 - y0)) { - segs[length].flags |= splashXPathHoriz; + segs[length.Int()].flags |= splashXPathHoriz; } else { - segs[length].flags |= splashXPathVert; + segs[length.Int()].flags |= splashXPathVert; } } #else - segs[length].dxdy = (x1 - x0) / (y1 - y0); - segs[length].dydx = (SplashCoord)1 / segs[length].dxdy; + segs[length.Int()].dxdy = (x1 - x0) / (y1 - y0); + segs[length.Int()].dydx = (SplashCoord)1 / segs[length.Int()].dxdy; #endif } if (y0 > y1) { - segs[length].flags |= splashXPathFlip; + segs[length.Int()].flags |= splashXPathFlip; } ++length; } @@ -439,5 +439,5 @@ void SplashXPath::aaScale() { } void SplashXPath::sort() { - qsort(segs, length, sizeof(SplashXPathSeg), &cmpXPathSegs); + qsort(segs, length.Int(), sizeof(SplashXPathSeg), &cmpXPathSegs); } Index: poppler-0.10.1/splash/SplashXPath.h =================================================================== --- poppler-0.10.1.orig/splash/SplashXPath.h +++ poppler-0.10.1/splash/SplashXPath.h @@ -88,7 +88,7 @@ private: GBool first, GBool last, GBool end0, GBool end1); SplashXPathSeg *segs; - int length, size; // length and size of segs array + SafeInt length, size; // length and size of segs array friend class SplashXPathScanner; friend class SplashClip; Index: poppler-0.10.1/splash/SplashXPathScanner.cc =================================================================== --- poppler-0.10.1.orig/splash/SplashXPathScanner.cc +++ poppler-0.10.1/splash/SplashXPathScanner.cc @@ -106,7 +106,8 @@ SplashXPathScanner::SplashXPathScanner(S interY = yMin - 1; xPathIdx = 0; inter = NULL; - interLen = interSize = 0; + interLen = 0; + interSize = 0; } SplashXPathScanner::~SplashXPathScanner() { Index: poppler-0.10.1/splash/SplashXPathScanner.h =================================================================== --- poppler-0.10.1.orig/splash/SplashXPathScanner.h +++ poppler-0.10.1/splash/SplashXPathScanner.h @@ -79,7 +79,7 @@ private: // computeIntersections SplashIntersect *inter; // intersections array for int interLen; // number of intersections in - int interSize; // size of the array + SafeInt interSize; // size of the array }; #endif Index: poppler-0.10.1/poppler/Annot.cc =================================================================== --- poppler-0.10.1.orig/poppler/Annot.cc +++ poppler-0.10.1/poppler/Annot.cc @@ -3852,7 +3852,7 @@ Annot3D::Activation::Activation(Dict *di Annots::Annots(XRef *xref, Catalog *catalog, Object *annotsObj) { Annot *annot; Object obj1; - int size; + SafeInt size; int i; annots = NULL; Index: poppler-0.10.1/poppler/Array.cc =================================================================== --- poppler-0.10.1.orig/poppler/Array.cc +++ poppler-0.10.1/poppler/Array.cc @@ -60,7 +60,7 @@ void Array::add(Object *elem) { } elems = (Object *)greallocn(elems, size, sizeof(Object)); } - elems[length] = *elem; + elems[length.Int()] = *elem; ++length; } Index: poppler-0.10.1/poppler/Array.h =================================================================== --- poppler-0.10.1.orig/poppler/Array.h +++ poppler-0.10.1/poppler/Array.h @@ -49,7 +49,7 @@ public: int decRef() { return --ref; } // Get number of elements. - int getLength() { return length; } + int getLength() { return length.Int(); } // Add an element. void add(Object *elem); @@ -63,8 +63,8 @@ private: XRef *xref; // the xref table for this PDF file Object *elems; // array of elements - int size; // size of array - int length; // number of elements in array + SafeInt size; // size of array + SafeInt length; // number of elements in array int ref; // reference count }; Index: poppler-0.10.1/poppler/Catalog.cc =================================================================== --- poppler-0.10.1.orig/poppler/Catalog.cc +++ poppler-0.10.1/poppler/Catalog.cc @@ -65,7 +65,7 @@ Catalog::Catalog(XRef *xrefA) { xref = xrefA; pages = NULL; pageRefs = NULL; - numPages = pagesSize = 0; + pagesSize = numPages = 0; baseURI = NULL; pageLabelInfo = NULL; form = NULL; @@ -318,7 +318,7 @@ int Catalog::readPageTree(Dict *pagesDic pagesSize += 32; pages = (Page **)greallocn(pages, pagesSize, sizeof(Page *)); pageRefs = (Ref *)greallocn(pageRefs, pagesSize, sizeof(Ref)); - for (j = pagesSize - 32; j < pagesSize; ++j) { + for (j = (pagesSize - 32).Int(); j < pagesSize; ++j) { pages[j] = NULL; pageRefs[j].num = -1; pageRefs[j].gen = -1; Index: poppler-0.10.1/poppler/Catalog.h =================================================================== --- poppler-0.10.1.orig/poppler/Catalog.h +++ poppler-0.10.1/poppler/Catalog.h @@ -227,7 +227,7 @@ private: Ref *pageRefs; // object ID for each page Form *form; int numPages; // number of pages - int pagesSize; // size of pages array + SafeInt pagesSize; // size of pages array Object dests; // named destination dictionary NameTree destNameTree; // named destination name-tree NameTree embeddedFileNameTree; // embedded file name-tree Index: poppler-0.10.1/poppler/CharCodeToUnicode.cc =================================================================== --- poppler-0.10.1.orig/poppler/CharCodeToUnicode.cc +++ poppler-0.10.1/poppler/CharCodeToUnicode.cc @@ -74,7 +74,8 @@ CharCodeToUnicode *CharCodeToUnicode::pa GooString *collection) { FILE *f; Unicode *mapA; - CharCode size, mapLenA; + CharCode mapLenA; + SafeInt size; char buf[64]; Unicode u; CharCodeToUnicode *ctu; @@ -116,7 +117,8 @@ CharCodeToUnicode *CharCodeToUnicode::pa FILE *f; Unicode *mapA; CharCodeToUnicodeString *sMapA; - CharCode size, oldSize, len, sMapSizeA, sMapLenA; + CharCode len, sMapLenA; + SafeInt size, oldSize, sMapSizeA; char buf[256]; char *tok; Unicode u0; @@ -134,7 +136,7 @@ CharCodeToUnicode *CharCodeToUnicode::pa size = 4096; mapA = (Unicode *)gmallocn(size, sizeof(Unicode)); - memset(mapA, 0, size * sizeof(Unicode)); + memset(mapA, 0, size.Int() * sizeof(Unicode)); len = 0; sMapA = NULL; sMapSizeA = sMapLenA = 0; @@ -173,7 +175,7 @@ CharCodeToUnicode *CharCodeToUnicode::pa size *= 2; } mapA = (Unicode *)greallocn(mapA, size, sizeof(Unicode)); - memset(mapA + oldSize, 0, (size - oldSize) * sizeof(Unicode)); + memset(mapA + oldSize.Int(), 0, (size - oldSize).Int() * sizeof(Unicode)); } if (n == 1) { mapA[u0] = uBuf[0]; @@ -199,7 +201,7 @@ CharCodeToUnicode *CharCodeToUnicode::pa fclose(f); ctu = new CharCodeToUnicode(fileName->copy(), mapA, len, gTrue, - sMapA, sMapLenA, sMapSizeA); + sMapA, sMapLenA, sMapSizeA.Int()); gfree(mapA); gfree(uBuf); return ctu; @@ -357,7 +359,7 @@ void CharCodeToUnicode::addMapping(CharC if (code >= mapLen) { oldLen = mapLen; - mapLen = (code + 256) & ~255; + mapLen = (SafeInt(code) + 256).Int() & ~255; map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode)); for (i = oldLen; i < mapLen; ++i) { map[i] = 0; @@ -401,7 +403,7 @@ CharCodeToUnicode::CharCodeToUnicode(Goo map[i] = 0; } sMap = NULL; - sMapLen = sMapSize = 0; + sMapSize = sMapLen = 0; refCnt = 1; #if MULTITHREADED gInitMutex(&mutex); Index: poppler-0.10.1/poppler/CharCodeToUnicode.h =================================================================== --- poppler-0.10.1.orig/poppler/CharCodeToUnicode.h +++ poppler-0.10.1/poppler/CharCodeToUnicode.h @@ -104,7 +104,8 @@ private: Unicode *map; CharCode mapLen; CharCodeToUnicodeString *sMap; - int sMapLen, sMapSize; + int sMapLen; + SafeInt sMapSize; int refCnt; #if MULTITHREADED GooMutex mutex; Index: poppler-0.10.1/poppler/Decrypt.cc =================================================================== --- poppler-0.10.1.orig/poppler/Decrypt.cc +++ poppler-0.10.1/poppler/Decrypt.cc @@ -128,7 +128,7 @@ GBool Decrypt::makeFileKey2(int encVersi GBool ok; // generate file key - buf = (Guchar *)gmalloc(72 + fileID->getLength()); + buf = (Guchar *)gmalloc((SafeInt(72) + SafeInt(fileID->getLength())).Int()); if (userPassword) { len = userPassword->getLength(); if (len < 32) { Index: poppler-0.10.1/poppler/Dict.h =================================================================== --- poppler-0.10.1.orig/poppler/Dict.h +++ poppler-0.10.1/poppler/Dict.h @@ -88,7 +88,7 @@ private: XRef *xref; // the xref table for this PDF file DictEntry *entries; // array of entries - int size; // size of array + SafeInt size; // size of array int length; // number of entries in dictionary int ref; // reference count Index: poppler-0.10.1/poppler/Function.cc =================================================================== --- poppler-0.10.1.orig/poppler/Function.cc +++ poppler-0.10.1/poppler/Function.cc @@ -231,7 +231,7 @@ SampledFunction::SampledFunction(Object } //----- buffer - sBuf = (double *)gmallocn(1 << m, sizeof(double)); + sBuf = (double *)gmallocn((SafeInt(1) << m).Int(), sizeof(double)); //----- get the stream if (!funcObj->isStream()) { @@ -383,8 +383,8 @@ SampledFunction::~SampledFunction() { SampledFunction::SampledFunction(SampledFunction *func) { memcpy(this, func, sizeof(SampledFunction)); samples = (double *)gmallocn(nSamples, sizeof(double)); - memcpy(samples, func->samples, nSamples * sizeof(double)); - sBuf = (double *)gmallocn(1 << m, sizeof(double)); + memcpy(samples, func->samples, (nSamples * sizeof(double)).Int()); + sBuf = (double *)gmallocn((SafeInt(1) << m).Int(), sizeof(double)); } void SampledFunction::transform(double *in, double *out) { @@ -589,8 +589,8 @@ StitchingFunction::StitchingFunction(Obj } k = obj1.arrayGetLength(); funcs = (Function **)gmallocn(k, sizeof(Function *)); - bounds = (double *)gmallocn(k + 1, sizeof(double)); - encode = (double *)gmallocn(2 * k, sizeof(double)); + bounds = (double *)gmallocn(k + SafeInt(1), sizeof(double)); + encode = (double *)gmallocn(SafeInt(2) * k, sizeof(double)); scale = (double *)gmallocn(k, sizeof(double)); for (i = 0; i < k; ++i) { funcs[i] = NULL; @@ -623,7 +623,7 @@ StitchingFunction::StitchingFunction(Obj bounds[i] = obj2.getNum(); obj2.free(); } - bounds[k] = domain[0][1]; + bounds[k.Int()] = domain[0][1]; obj1.free(); //----- Encode @@ -672,12 +672,12 @@ StitchingFunction::StitchingFunction(Sti for (i = 0; i < k; ++i) { funcs[i] = func->funcs[i]->copy(); } - bounds = (double *)gmallocn(k + 1, sizeof(double)); - memcpy(bounds, func->bounds, (k + 1) * sizeof(double)); - encode = (double *)gmallocn(2 * k, sizeof(double)); - memcpy(encode, func->encode, 2 * k * sizeof(double)); + bounds = (double *)gmallocn(k + SafeInt(1), sizeof(double)); + memcpy(bounds, func->bounds, ((k + 1) * sizeof(double)).Int()); + encode = (double *)gmallocn(SafeInt(2) * k, sizeof(double)); + memcpy(encode, func->encode, (2 * k * sizeof(double)).Int()); scale = (double *)gmallocn(k, sizeof(double)); - memcpy(scale, func->scale, k * sizeof(double)); + memcpy(scale, func->scale, (k * sizeof(double)).Int()); ok = gTrue; } @@ -1073,7 +1073,7 @@ PostScriptFunction::PostScriptFunction(O PostScriptFunction::PostScriptFunction(PostScriptFunction *func) { memcpy(this, func, sizeof(PostScriptFunction)); code = (PSObject *)gmallocn(codeSize, sizeof(PSObject)); - memcpy(code, func->code, codeSize * sizeof(PSObject)); + memcpy(code, func->code, (codeSize * sizeof(PSObject)).Int()); codeString = func->codeString->copy(); } Index: poppler-0.10.1/poppler/Function.h =================================================================== --- poppler-0.10.1.orig/poppler/Function.h +++ poppler-0.10.1/poppler/Function.h @@ -129,7 +129,7 @@ private: inputMul[funcMaxInputs]; int idxMul[funcMaxInputs]; // sample array index multipliers double *samples; // the samples - int nSamples; // size of the samples array + SafeInt nSamples; // size of the samples array double *sBuf; // buffer for the transform function GBool ok; }; @@ -176,7 +176,7 @@ public: virtual void transform(double *in, double *out); virtual GBool isOk() { return ok; } - int getNumFuncs() { return k; } + int getNumFuncs() { return k.Int(); } Function *getFunc(int i) { return funcs[i]; } double *getBounds() { return bounds; } double *getEncode() { return encode; } @@ -186,7 +186,7 @@ private: StitchingFunction(StitchingFunction *func); - int k; + SafeInt k; Function **funcs; double *bounds; double *encode; @@ -220,7 +220,7 @@ private: GooString *codeString; PSObject *code; - int codeSize; + SafeInt codeSize; GBool ok; }; Index: poppler-0.10.1/poppler/GfxFont.cc =================================================================== --- poppler-0.10.1.orig/poppler/GfxFont.cc +++ poppler-0.10.1/poppler/GfxFont.cc @@ -452,7 +452,8 @@ char *GfxFont::readEmbFontFile(XRef *xre Object obj1, obj2; Stream *str; int c; - int size, i; + SafeInt size; + int i; obj1.initRef(embFontID.num, embFontID.gen); obj1.fetch(xref, &obj2); @@ -466,12 +467,12 @@ char *GfxFont::readEmbFontFile(XRef *xre str = obj2.getStream(); buf = NULL; - i = size = 0; + size = i = 0; str->reset(); while ((c = str->getChar()) != EOF) { if (i == size) { size += 4096; - buf = (char *)grealloc(buf, size); + buf = (char *)grealloc(buf, size.Int()); } buf[i++] = c; } @@ -1298,7 +1299,8 @@ GfxCIDFont::GfxCIDFont(XRef *xref, char CharCode c; Unicode *uBuf; int c1, c2; - int excepsSize, i, j, k, n; + int j, k, n; + SafeInt i, excepsSize; refCnt = 1; ascent = 0.95; @@ -1479,10 +1481,10 @@ GfxCIDFont::GfxCIDFont(XRef *xref, char excepsSize = 0; i = 0; while (i + 1 < obj1.arrayGetLength()) { - obj1.arrayGet(i, &obj2); - obj1.arrayGet(i + 1, &obj3); - if (obj2.isInt() && obj3.isInt() && i + 2 < obj1.arrayGetLength()) { - if (obj1.arrayGet(i + 2, &obj4)->isNum()) { + obj1.arrayGet(i.Int(), &obj2); + obj1.arrayGet((i + 1).Int(), &obj3); + if (obj2.isInt() && obj3.isInt() && (i + 2).Int() < obj1.arrayGetLength()) { + if (obj1.arrayGet((i + 2).Int(), &obj4)->isNum()) { if (widths.nExceps == excepsSize) { excepsSize += 16; widths.exceps = (GfxFontCIDWidthExcep *) @@ -1500,7 +1502,7 @@ GfxCIDFont::GfxCIDFont(XRef *xref, char i += 3; } else if (obj2.isInt() && obj3.isArray()) { if (widths.nExceps + obj3.arrayGetLength() > excepsSize) { - excepsSize = (widths.nExceps + obj3.arrayGetLength() + 15) & ~15; + excepsSize = (SafeInt(widths.nExceps) + SafeInt(obj3.arrayGetLength()) + 15).Int() & ~15; widths.exceps = (GfxFontCIDWidthExcep *) greallocn(widths.exceps, excepsSize, sizeof(GfxFontCIDWidthExcep)); @@ -1550,12 +1552,12 @@ GfxCIDFont::GfxCIDFont(XRef *xref, char excepsSize = 0; i = 0; while (i + 1 < obj1.arrayGetLength()) { - obj1.arrayGet(i, &obj2); - obj1.arrayGet(i+ 1, &obj3); - if (obj2.isInt() && obj3.isInt() && i + 4 < obj1.arrayGetLength()) { - if (obj1.arrayGet(i + 2, &obj4)->isNum() && - obj1.arrayGet(i + 3, &obj5)->isNum() && - obj1.arrayGet(i + 4, &obj6)->isNum()) { + obj1.arrayGet(i.Int(), &obj2); + obj1.arrayGet((i+ 1).Int(), &obj3); + if (obj2.isInt() && obj3.isInt() && (i + 4).Int() < obj1.arrayGetLength()) { + if (obj1.arrayGet((i + 2).Int(), &obj4)->isNum() && + obj1.arrayGet((i + 3).Int(), &obj5)->isNum() && + obj1.arrayGet((i + 4).Int(), &obj6)->isNum()) { if (widths.nExcepsV == excepsSize) { excepsSize += 16; widths.excepsV = (GfxFontCIDWidthExcepV *) Index: poppler-0.10.1/poppler/GfxState.h =================================================================== --- poppler-0.10.1.orig/poppler/GfxState.h +++ poppler-0.10.1/poppler/GfxState.h @@ -980,7 +980,7 @@ private: GBool *curve; // curve[i] => point i is a control point // for a Bezier curve int n; // number of points - int size; // size of x/y arrays + SafeInt size; // size of x/y arrays GBool closed; // set if path is closed GfxSubpath(GfxSubpath *subpath); @@ -1006,12 +1006,12 @@ public: GBool isPath() { return n > 0; } // Get subpaths. - int getNumSubpaths() { return n; } + int getNumSubpaths() { return n.Int(); } GfxSubpath *getSubpath(int i) { return subpaths[i]; } // Get last point on last subpath. - double getLastX() { return subpaths[n-1]->getLastX(); } - double getLastY() { return subpaths[n-1]->getLastY(); } + double getLastX() { return subpaths[n.Int()-1]->getLastX(); } + double getLastY() { return subpaths[n.Int()-1]->getLastY(); } // Move the current point. void moveTo(double x, double y); @@ -1037,11 +1037,11 @@ private: GBool justMoved; // set if a new subpath was just started double firstX, firstY; // first point in new subpath GfxSubpath **subpaths; // subpaths - int n; // number of subpaths - int size; // size of subpaths array + SafeInt n; // number of subpaths + SafeInt size; // size of subpaths array GfxPath(GBool justMoved1, double firstX1, double firstY1, - GfxSubpath **subpaths1, int n1, int size1); + GfxSubpath **subpaths1, SafeInt n1, SafeInt size1); }; //------------------------------------------------------------------------ Index: poppler-0.10.1/poppler/GfxState.cc =================================================================== --- poppler-0.10.1.orig/poppler/GfxState.cc +++ poppler-0.10.1/poppler/GfxState.cc @@ -1074,7 +1074,7 @@ GfxIndexedColorSpace::GfxIndexedColorSpa int indexHighA) { base = baseA; indexHigh = indexHighA; - lookup = (Guchar *)gmallocn((indexHigh + 1) * base->getNComps(), + lookup = (Guchar *)gmallocn((SafeInt(indexHigh) + SafeInt(1)) * SafeInt(base->getNComps()), sizeof(Guchar)); } @@ -2502,7 +2502,7 @@ GfxGouraudTriangleShading::GfxGouraudTri vertices = (GfxGouraudVertex *)gmallocn(nVertices, sizeof(GfxGouraudVertex)); memcpy(vertices, shading->vertices, nVertices * sizeof(GfxGouraudVertex)); nTriangles = shading->nTriangles; - triangles = (int (*)[3])gmallocn(nTriangles * 3, sizeof(int)); + triangles = (int (*)[3])gmallocn(SafeInt(nTriangles) * SafeInt(3), sizeof(int)); memcpy(triangles, shading->triangles, nTriangles * 3 * sizeof(int)); nFuncs = shading->nFuncs; for (i = 0; i < nFuncs; ++i) { @@ -2533,7 +2533,8 @@ GfxGouraudTriangleShading *GfxGouraudTri double cMul[gfxColorMaxComps]; GfxGouraudVertex *verticesA; int (*trianglesA)[3]; - int nComps, nVerticesA, nTrianglesA, vertSize, triSize; + int nComps, nVerticesA, nTrianglesA; + SafeInt vertSize, triSize; Guint x, y, flag; Guint c[gfxColorMaxComps]; GfxShadingBitBuf *bitBuf; @@ -2671,7 +2672,7 @@ GfxGouraudTriangleShading *GfxGouraudTri if (nTrianglesA == triSize) { triSize = (triSize == 0) ? 16 : 2 * triSize; trianglesA = (int (*)[3]) - greallocn(trianglesA, triSize * 3, sizeof(int)); + greallocn(trianglesA, SafeInt(triSize) * SafeInt(3), sizeof(int)); } if (state == 2) { trianglesA[nTrianglesA][0] = nVerticesA - 3; @@ -2696,8 +2697,9 @@ GfxGouraudTriangleShading *GfxGouraudTri delete bitBuf; if (typeA == 5) { nRows = nVerticesA / vertsPerRow; - nTrianglesA = (nRows - 1) * 2 * (vertsPerRow - 1); - trianglesA = (int (*)[3])gmallocn(nTrianglesA * 3, sizeof(int)); + nTrianglesA = ((SafeInt(nRows) - SafeInt(1)) * SafeInt(2) + * (SafeInt(vertsPerRow) - SafeInt(1))).Int(); + trianglesA = (int (*)[3])gmallocn(SafeInt(nTrianglesA) * SafeInt(3), sizeof(int)); k = 0; for (i = 0; i < nRows - 1; ++i) { for (j = 0; j < vertsPerRow - 1; ++j) { @@ -2838,7 +2840,8 @@ GfxPatchMeshShading *GfxPatchMeshShading double xMul, yMul; double cMul[gfxColorMaxComps]; GfxPatch *patchesA, *p; - int nComps, nPatchesA, patchesSize, nPts, nColors; + int nComps, nPatchesA, nPts, nColors; + SafeInt patchesSize; Guint flag; double x[16], y[16]; Guint xi, yi; @@ -3426,7 +3429,7 @@ GfxImageColorMap::GfxImageColorMap(int b colorSpace2->getDefaultRanges(x, y, indexHigh); byte_lookup = (Guchar *)gmalloc ((maxPixel + 1) * nComps2); for (k = 0; k < nComps2; ++k) { - lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1, + lookup[k] = (GfxColorComp *)gmallocn(SafeInt(maxPixel) + SafeInt(1), sizeof(GfxColorComp)); for (i = 0; i <= maxPixel; ++i) { j = (int)(decodeLow[0] + (i * decodeRange[0]) / maxPixel + 0.5); @@ -3446,9 +3449,9 @@ GfxImageColorMap::GfxImageColorMap(int b colorSpace2 = sepCS->getAlt(); nComps2 = colorSpace2->getNComps(); sepFunc = sepCS->getFunc(); - byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps2); + byte_lookup = (Guchar *)gmallocn ((SafeInt(maxPixel) + SafeInt(1)), nComps2); for (k = 0; k < nComps2; ++k) { - lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1, + lookup[k] = (GfxColorComp *)gmallocn(SafeInt(maxPixel) + SafeInt(1), sizeof(GfxColorComp)); for (i = 0; i <= maxPixel; ++i) { x[0] = decodeLow[0] + (i * decodeRange[0]) / maxPixel; @@ -3458,9 +3461,9 @@ GfxImageColorMap::GfxImageColorMap(int b } } } else { - byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps); + byte_lookup = (Guchar *)gmallocn ((SafeInt(maxPixel) + SafeInt(1)), nComps); for (k = 0; k < nComps; ++k) { - lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1, + lookup[k] = (GfxColorComp *)gmallocn(SafeInt(maxPixel) + SafeInt(1), sizeof(GfxColorComp)); for (i = 0; i <= maxPixel; ++i) { mapped = decodeLow[k] + (i * decodeRange[k]) / maxPixel; @@ -3485,7 +3488,8 @@ GfxImageColorMap::GfxImageColorMap(int b } GfxImageColorMap::GfxImageColorMap(GfxImageColorMap *colorMap) { - int n, i, k; + int i, k; + SafeInt n; colorSpace = colorMap->colorSpace->copy(); bits = colorMap->bits; @@ -3495,23 +3499,23 @@ GfxImageColorMap::GfxImageColorMap(GfxIm for (k = 0; k < gfxColorMaxComps; ++k) { lookup[k] = NULL; } - n = 1 << bits; + n = SafeInt(1) << bits; if (colorSpace->getMode() == csIndexed) { colorSpace2 = ((GfxIndexedColorSpace *)colorSpace)->getBase(); for (k = 0; k < nComps2; ++k) { lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp)); - memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp)); + memcpy(lookup[k], colorMap->lookup[k], n.Int() * sizeof(GfxColorComp)); } } else if (colorSpace->getMode() == csSeparation) { colorSpace2 = ((GfxSeparationColorSpace *)colorSpace)->getAlt(); for (k = 0; k < nComps2; ++k) { lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp)); - memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp)); + memcpy(lookup[k], colorMap->lookup[k], n.Int() * sizeof(GfxColorComp)); } } else { for (k = 0; k < nComps; ++k) { lookup[k] = (GfxColorComp *)gmallocn(n, sizeof(GfxColorComp)); - memcpy(lookup[k], colorMap->lookup[k], n * sizeof(GfxColorComp)); + memcpy(lookup[k], colorMap->lookup[k], n.Int() * sizeof(GfxColorComp)); } } for (i = 0; i < nComps; ++i) { @@ -3752,7 +3756,7 @@ GfxPath::~GfxPath() { // Used for copy(). GfxPath::GfxPath(GBool justMoved1, double firstX1, double firstY1, - GfxSubpath **subpaths1, int n1, int size1) { + GfxSubpath **subpaths1, SafeInt n1, SafeInt size1) { int i; justMoved = justMoved1; @@ -3778,11 +3782,11 @@ void GfxPath::lineTo(double x, double y) subpaths = (GfxSubpath **) greallocn(subpaths, size, sizeof(GfxSubpath *)); } - subpaths[n] = new GfxSubpath(firstX, firstY); + subpaths[n.Int()] = new GfxSubpath(firstX, firstY); ++n; justMoved = gFalse; } - subpaths[n-1]->lineTo(x, y); + subpaths[n.Int()-1]->lineTo(x, y); } void GfxPath::curveTo(double x1, double y1, double x2, double y2, @@ -3793,11 +3797,11 @@ void GfxPath::curveTo(double x1, double subpaths = (GfxSubpath **) greallocn(subpaths, size, sizeof(GfxSubpath *)); } - subpaths[n] = new GfxSubpath(firstX, firstY); + subpaths[n.Int()] = new GfxSubpath(firstX, firstY); ++n; justMoved = gFalse; } - subpaths[n-1]->curveTo(x1, y1, x2, y2, x3, y3); + subpaths[n.Int()-1]->curveTo(x1, y1, x2, y2, x3, y3); } void GfxPath::close() { @@ -3809,11 +3813,11 @@ void GfxPath::close() { subpaths = (GfxSubpath **) greallocn(subpaths, size, sizeof(GfxSubpath *)); } - subpaths[n] = new GfxSubpath(firstX, firstY); + subpaths[n.Int()] = new GfxSubpath(firstX, firstY); ++n; justMoved = gFalse; } - subpaths[n-1]->close(); + subpaths[n.Int()-1]->close(); } void GfxPath::append(GfxPath *path) { @@ -3825,7 +3829,7 @@ void GfxPath::append(GfxPath *path) { greallocn(subpaths, size, sizeof(GfxSubpath *)); } for (i = 0; i < path->n; ++i) { - subpaths[n++] = path->subpaths[i]->copy(); + subpaths[(n++).Int()] = path->subpaths[i]->copy(); } justMoved = gFalse; } Index: poppler-0.10.1/utils/ImageOutputDev.cc =================================================================== --- poppler-0.10.1.orig/utils/ImageOutputDev.cc +++ poppler-0.10.1/utils/ImageOutputDev.cc @@ -46,7 +46,7 @@ ImageOutputDev::ImageOutputDev(char *fileRootA, GBool dumpJPEGA) { fileRoot = copyString(fileRootA); - fileName = (char *)gmalloc(strlen(fileRoot) + 20); + fileName = (char *)gmalloc((SafeInt(strlen(fileRoot)) + SafeInt(20)).Int()); dumpJPEG = dumpJPEGA; imgNum = 0; ok = gTrue; Index: poppler-0.10.1/poppler/JArithmeticDecoder.cc =================================================================== --- poppler-0.10.1.orig/poppler/JArithmeticDecoder.cc +++ poppler-0.10.1/poppler/JArithmeticDecoder.cc @@ -7,6 +7,7 @@ //======================================================================== #include +#include #ifdef USE_GCC_PRAGMAS #pragma implementation @@ -47,6 +48,10 @@ void JArithmeticDecoderStats::copyFrom(J } void JArithmeticDecoderStats::setEntry(Guint cx, int i, int mps) { + if (cx >= contextSize) { + fprintf(stderr, "index out of bounds"); + exit(1); + } cxTab[cx] = (i << 1) + mps; } Index: poppler-0.10.1/poppler/JBIG2Stream.cc =================================================================== --- poppler-0.10.1.orig/poppler/JBIG2Stream.cc +++ poppler-0.10.1/poppler/JBIG2Stream.cc @@ -701,7 +701,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, { w = wA; h = hA; - line = (wA + 7) >> 3; + line = (SafeInt(wA) + SafeInt(7) >> 3).Int(); if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { error(-1, "invalid width/height"); @@ -1586,7 +1586,7 @@ GBool JBIG2Stream::readSymbolDictSeg(Gui } // get the input symbol bitmaps - bitmaps = (JBIG2Bitmap **)gmallocn(numInputSyms + numNewSyms, + bitmaps = (JBIG2Bitmap **)gmallocn(SafeInt(numInputSyms) + SafeInt(numNewSyms), sizeof(JBIG2Bitmap *)); for (i = 0; i < numInputSyms + numNewSyms; ++i) { bitmaps[i] = NULL; @@ -1910,7 +1910,8 @@ void JBIG2Stream::readTextRegionSeg(Guin int sOffset; Guint huffFlags, huffFS, huffDS, huffDT; Guint huffRDW, huffRDH, huffRDX, huffRDY, huffRSize; - Guint numInstances, numSyms, symCodeLen; + Guint numInstances, symCodeLen; + SafeInt numSyms; int atx[2], aty[2]; Guint i, k, kk; int j; @@ -2113,7 +2114,7 @@ void JBIG2Stream::readTextRegionSeg(Guin runLengthTab[35].prefixLen = 0; runLengthTab[35].rangeLen = jbig2HuffmanEOT; huffDecoder->buildTable(runLengthTab, 35); - symCodeTab = (JBIG2HuffmanTable *)gmallocn(numSyms + 1, + symCodeTab = (JBIG2HuffmanTable *)gmallocn(numSyms + SafeInt(1), sizeof(JBIG2HuffmanTable)); for (i = 0; i < numSyms; ++i) { symCodeTab[i].val = i; @@ -2135,9 +2136,9 @@ void JBIG2Stream::readTextRegionSeg(Guin symCodeTab[i++].prefixLen = j; } } - symCodeTab[numSyms].prefixLen = 0; - symCodeTab[numSyms].rangeLen = jbig2HuffmanEOT; - huffDecoder->buildTable(symCodeTab, numSyms); + symCodeTab[numSyms.Int()].prefixLen = 0; + symCodeTab[numSyms.Int()].rangeLen = jbig2HuffmanEOT; + huffDecoder->buildTable(symCodeTab, numSyms.Int()); huffDecoder->reset(); // set up the arithmetic decoder @@ -2151,7 +2152,7 @@ void JBIG2Stream::readTextRegionSeg(Guin } bitmap = readTextRegion(huff, refine, w, h, numInstances, - logStrips, numSyms, symCodeTab, symCodeLen, syms, + logStrips, numSyms.Int(), symCodeTab, symCodeLen, syms, defPixel, combOp, transposed, refCorner, sOffset, huffFSTable, huffDSTable, huffDTTable, huffRDWTable, huffRDHTable, @@ -2764,6 +2765,7 @@ JBIG2Bitmap *JBIG2Stream::readGenericBit error(getPos(), "Bad width in JBIG2 generic bitmap"); // force a call to gmalloc(-1), which will throw an exception w = -3; + gmallocn(w + 2, sizeof(int)); } // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w // ---> max codingLine size = w + 1 @@ -3492,7 +3494,7 @@ void JBIG2Stream::readCodeTableSeg(Guint val = lowVal; while (val < highVal) { if (i == huffTabSize) { - huffTabSize *= 2; + huffTabSize = (SafeInt(huffTabSize) * 2).Int(); huffTab = (JBIG2HuffmanTable *) greallocn(huffTab, huffTabSize, sizeof(JBIG2HuffmanTable)); } Index: poppler-0.10.1/poppler/JPXStream.cc =================================================================== --- poppler-0.10.1.orig/poppler/JPXStream.cc +++ poppler-0.10.1/poppler/JPXStream.cc @@ -666,7 +666,7 @@ GBool JPXStream::readBoxes() { } palette.bpc = (Guint *)gmallocn(palette.nComps, sizeof(Guint)); palette.c = - (int *)gmallocn(palette.nEntries * palette.nComps, sizeof(int)); + (int *)gmallocn(SafeInt(palette.nEntries) * SafeInt(palette.nComps), sizeof(int)); for (i = 0; i < palette.nComps; ++i) { if (!readUByte(&palette.bpc[i])) { error(getPos(), "Unexpected EOF in JPX stream"); @@ -924,7 +924,7 @@ GBool JPXStream::readCodestream(Guint le error(getPos(), "Bad tile count in JPX SIZ marker segment"); return gFalse; } - img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, + img.tiles = (JPXTile *)gmallocn(SafeInt(img.nXTiles) * SafeInt(img.nYTiles), sizeof(JPXTile)); for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps, @@ -992,7 +992,7 @@ GBool JPXStream::readCodestream(Guint le } img.tiles[i].tileComps[comp].resLevels = (JPXResLevel *)gmallocn( - (img.tiles[i].tileComps[comp].nDecompLevels + 1), + (SafeInt(img.tiles[i].tileComps[comp].nDecompLevels) + SafeInt(1)), sizeof(JPXResLevel)); for (r = 0; r <= img.tiles[i].tileComps[comp].nDecompLevels; ++r) { img.tiles[i].tileComps[comp].resLevels[r].precincts = NULL; @@ -1069,7 +1069,7 @@ GBool JPXStream::readCodestream(Guint le img.tiles[i].tileComps[comp].resLevels = (JPXResLevel *)greallocn( img.tiles[i].tileComps[comp].resLevels, - (img.tiles[i].tileComps[comp].nDecompLevels + 1), + (SafeInt(img.tiles[i].tileComps[comp].nDecompLevels) + SafeInt(1)), sizeof(JPXResLevel)); for (r = 0; r <= img.tiles[i].tileComps[comp].nDecompLevels; ++r) { img.tiles[i].tileComps[comp].resLevels[r].precincts = NULL; @@ -1471,7 +1471,7 @@ GBool JPXStream::readTilePart() { img.tiles[tileIdx].tileComps[comp].resLevels = (JPXResLevel *)greallocn( img.tiles[tileIdx].tileComps[comp].resLevels, - (img.tiles[tileIdx].tileComps[comp].nDecompLevels + 1), + (SafeInt(img.tiles[tileIdx].tileComps[comp].nDecompLevels) + SafeInt(1)), sizeof(JPXResLevel)); for (r = 0; r <= img.tiles[tileIdx].tileComps[comp].nDecompLevels; @@ -1526,7 +1526,7 @@ GBool JPXStream::readTilePart() { img.tiles[tileIdx].tileComps[comp].resLevels = (JPXResLevel *)greallocn( img.tiles[tileIdx].tileComps[comp].resLevels, - (img.tiles[tileIdx].tileComps[comp].nDecompLevels + 1), + (SafeInt(img.tiles[tileIdx].tileComps[comp].nDecompLevels) + SafeInt(1)), sizeof(JPXResLevel)); for (r = 0; r <= img.tiles[tileIdx].tileComps[comp].nDecompLevels; ++r) { img.tiles[tileIdx].tileComps[comp].resLevels[r].precincts = NULL; @@ -1789,15 +1789,15 @@ GBool JPXStream::readTilePart() { tileComp->y1 = jpxCeilDiv(tile->y1, tileComp->hSep); tileComp->cbW = 1 << tileComp->codeBlockW; tileComp->cbH = 1 << tileComp->codeBlockH; - tileComp->data = (int *)gmallocn((tileComp->x1 - tileComp->x0) * - (tileComp->y1 - tileComp->y0), + tileComp->data = (int *)gmallocn((SafeInt(tileComp->x1) - SafeInt(tileComp->x0)) * + (SafeInt(tileComp->y1) - SafeInt(tileComp->y0)), sizeof(int)); if (tileComp->x1 - tileComp->x0 > tileComp->y1 - tileComp->y0) { n = tileComp->x1 - tileComp->x0; } else { n = tileComp->y1 - tileComp->y0; } - tileComp->buf = (int *)gmallocn(n + 8, sizeof(int)); + tileComp->buf = (int *)gmallocn(SafeInt(n) + SafeInt(8), sizeof(int)); for (r = 0; r <= tileComp->nDecompLevels; ++r) { resLevel = &tileComp->resLevels[r]; k = r == 0 ? tileComp->nDecompLevels @@ -1858,7 +1858,7 @@ GBool JPXStream::readTilePart() { for (level = subband->maxTTLevel; level >= 0; --level) { nx = jpxCeilDivPow2(subband->nXCBs, level); ny = jpxCeilDivPow2(subband->nYCBs, level); - n += nx * ny; + n += (SafeInt(nx) * SafeInt(ny)).Int(); } subband->inclusion = (JPXTagTreeNode *)gmallocn(n, sizeof(JPXTagTreeNode)); @@ -1870,8 +1870,8 @@ GBool JPXStream::readTilePart() { subband->zeroBitPlane[k].finished = gFalse; subband->zeroBitPlane[k].val = 0; } - subband->cbs = (JPXCodeBlock *)gmallocn(subband->nXCBs * - subband->nYCBs, + subband->cbs = (JPXCodeBlock *)gmallocn(SafeInt(subband->nXCBs) * + SafeInt(subband->nYCBs), sizeof(JPXCodeBlock)); sbx0 = jpxFloorDivPow2(subband->x0, tileComp->codeBlockW); sby0 = jpxFloorDivPow2(subband->y0, tileComp->codeBlockH); @@ -1899,8 +1899,8 @@ GBool JPXStream::readTilePart() { cb->nextPass = jpxPassCleanup; cb->nZeroBitPlanes = 0; cb->coeffs = - (JPXCoeff *)gmallocn((1 << (tileComp->codeBlockW - + tileComp->codeBlockH)), + (JPXCoeff *)gmallocn((SafeInt(1) << (SafeInt(tileComp->codeBlockW) + + SafeInt(tileComp->codeBlockH)).Int()), sizeof(JPXCoeff)); for (cbi = 0; cbi < (Guint)(1 << (tileComp->codeBlockW Index: poppler-0.10.1/poppler/Link.cc =================================================================== --- poppler-0.10.1.orig/poppler/Link.cc +++ poppler-0.10.1/poppler/Link.cc @@ -857,7 +857,7 @@ Link::~Link() { Links::Links(Object *annots, GooString *baseURI) { Link *link; Object obj1, obj2; - int size; + SafeInt size; int i; links = NULL; Index: poppler-0.10.1/poppler/NameToCharCode.cc =================================================================== --- poppler-0.10.1.orig/poppler/NameToCharCode.cc +++ poppler-0.10.1/poppler/NameToCharCode.cc @@ -49,7 +49,8 @@ NameToCharCode::~NameToCharCode() { void NameToCharCode::add(char *name, CharCode c) { NameToCharCodeEntry *oldTab; - int h, i, oldSize; + int h, i; + SafeInt oldSize; // expand the table if necessary if (len >= size / 2) { @@ -112,5 +113,5 @@ int NameToCharCode::hash(char *name) { for (p = name; *p; ++p) { h = 17 * h + (int)(*p & 0xff); } - return (int)(h % size); + return (int)(h % size.Int()); } Index: poppler-0.10.1/poppler/NameToCharCode.h =================================================================== --- poppler-0.10.1.orig/poppler/NameToCharCode.h +++ poppler-0.10.1/poppler/NameToCharCode.h @@ -33,7 +33,7 @@ private: int hash(char *name); NameToCharCodeEntry *tab; - int size; + SafeInt size; int len; }; Index: poppler-0.10.1/poppler/PSOutputDev.cc =================================================================== --- poppler-0.10.1.orig/poppler/PSOutputDev.cc +++ poppler-0.10.1/poppler/PSOutputDev.cc @@ -2285,11 +2285,11 @@ GooString *PSOutputDev::setupExternalCID if (fontFileNameLen >= fontFileNameSize) { fontFileNameSize += 64; fontFileNames = - (GooString **)grealloc(fontFileNames, - fontFileNameSize * sizeof(GooString *)); + (GooString **)greallocn(fontFileNames, + fontFileNameSize, sizeof(GooString *)); psFileNames = - (GooString **)grealloc(psFileNames, - fontFileNameSize * sizeof(GooString *)); + (GooString **)greallocn(psFileNames, + fontFileNameSize, sizeof(GooString *)); } } fontFileNames[fontFileNameLen] = myFileName; @@ -2306,7 +2306,7 @@ GooString *PSOutputDev::setupExternalCID if ((ffTT = FoFiTrueType::load(fileName->getCString(), faceIndex))) { int n = ((GfxCIDFont *)font)->getCIDToGIDLen(); if (n) { - codeToGID = (Gushort *)gmalloc(n * sizeof(Gushort)); + codeToGID = (Gushort *)gmallocn(n, sizeof(Gushort)); memcpy(codeToGID, ((GfxCIDFont *)font)->getCIDToGID(), n * sizeof(Gushort)); } else { codeToGID = ((GfxCIDFont *)font)->getCodeToGIDMap(ffTT, &n); @@ -4468,7 +4468,7 @@ void PSOutputDev::doImageL1Sep(GfxImageC width, -height, height); // allocate a line buffer - lineBuf = (Guchar *)gmalloc(4 * width); + lineBuf = (Guchar *)gmallocn(4, width); // set up to process the data stream imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), @@ -4521,7 +4521,8 @@ void PSOutputDev::doImageL2(Object *ref, ImageStream *imgStr; Guchar *line; PSOutImgClipRect *rects0, *rects1, *rectsTmp, *rectsOut; - int rects0Len, rects1Len, rectsSize, rectsOutLen, rectsOutSize; + int rects0Len, rects1Len, rectsOutLen; + SafeInt rectsOutSize, rectsSize; GBool emitRect, addRect, extendRect; GooString *s; int n, numComps; Index: poppler-0.10.1/poppler/PSOutputDev.h =================================================================== --- poppler-0.10.1.orig/poppler/PSOutputDev.h +++ poppler-0.10.1/poppler/PSOutputDev.h @@ -354,10 +354,10 @@ private: Ref *fontIDs; // list of object IDs of all used fonts int fontIDLen; // number of entries in fontIDs array - int fontIDSize; // size of fontIDs array + SafeInt fontIDSize; // size of fontIDs array Ref *fontFileIDs; // list of object IDs of all embedded fonts int fontFileIDLen; // number of entries in fontFileIDs array - int fontFileIDSize; // size of fontFileIDs array + SafeInt fontFileIDSize; // size of fontFileIDs array GooString **fontFileNames; // list of names of all embedded external fonts GooString **psFileNames; // list of names of all embedded external fonts int fontFileNameLen; // number of entries in fontFileNames array @@ -366,16 +366,16 @@ private: // font name PSFont8Info *font8Info; // info for 8-bit fonts int font8InfoLen; // number of entries in font8Info array - int font8InfoSize; // size of font8Info array + SafeInt font8InfoSize; // size of font8Info array PSFont16Enc *font16Enc; // encodings for substitute 16-bit fonts int font16EncLen; // number of entries in font16Enc array - int font16EncSize; // size of font16Enc array + SafeInt font16EncSize; // size of font16Enc array Ref *imgIDs; // list of image IDs for in-memory images int imgIDLen; // number of entries in imgIDs array - int imgIDSize; // size of imgIDs array + SafeInt imgIDSize; // size of imgIDs array Ref *formIDs; // list of IDs for predefined forms int formIDLen; // number of entries in formIDs array - int formIDSize; // size of formIDs array + SafeInt formIDSize; // size of formIDs array GooList *xobjStack; // stack of XObject dicts currently being // processed int numSaves; // current number of gsaves Index: poppler-0.10.1/poppler/SplashOutputDev.cc =================================================================== --- poppler-0.10.1.orig/poppler/SplashOutputDev.cc +++ poppler-0.10.1/poppler/SplashOutputDev.cc @@ -482,8 +482,8 @@ public: int glyphW, glyphH; // size of glyph bitmaps, in pixels GBool validBBox; // false if the bbox was [0 0 0 0] int glyphSize; // size of glyph bitmaps, in bytes - int cacheSets; // number of sets in cache - int cacheAssoc; // cache associativity (glyphs per set) + SafeInt cacheSets; // number of sets in cache + SafeInt cacheAssoc; // cache associativity (glyphs per set) Guchar *cacheData; // glyph pixmap cache T3FontCacheTag *cacheTags; // cache tags, i.e., char codes }; @@ -540,7 +540,7 @@ T3FontCache::T3FontCache(Ref *fontIDA, d cacheTags = (T3FontCacheTag *)gmallocn(cacheSets * cacheAssoc, sizeof(T3FontCacheTag)); for (i = 0; i < cacheSets * cacheAssoc; ++i) { - cacheTags[i].mru = i & (cacheAssoc - 1); + cacheTags[i].mru = i & (cacheAssoc.Int() - 1); } } else @@ -1501,7 +1501,7 @@ GBool SplashOutputDev::beginType3Char(Gf t3Font = t3FontCache[0]; // is the glyph in the cache? - i = (code & (t3Font->cacheSets - 1)) * t3Font->cacheAssoc; + i = (code & (t3Font->cacheSets.Int() - 1)) * t3Font->cacheAssoc.Int(); for (j = 0; j < t3Font->cacheAssoc; ++j) { if (t3Font->cacheTags != NULL) { if ((t3Font->cacheTags[i+j].mru & 0x8000) && @@ -1613,7 +1613,7 @@ void SplashOutputDev::type3D1(GfxState * return; // allocate a cache entry - i = (t3GlyphStack->code & (t3Font->cacheSets - 1)) * t3Font->cacheAssoc; + i = (t3GlyphStack->code & (t3Font->cacheSets.Int() - 1)) * t3Font->cacheAssoc.Int(); for (j = 0; j < t3Font->cacheAssoc; ++j) { if ((t3Font->cacheTags[i+j].mru & 0x7fff) == t3Font->cacheAssoc - 1) { t3Font->cacheTags[i+j].mru = 0x8000; @@ -2000,7 +2000,7 @@ void SplashOutputDev::drawImage(GfxState // build a lookup table here imgData.lookup = NULL; if (colorMap->getNumPixelComps() == 1) { - n = 1 << colorMap->getBits(); + n = (SafeInt(1) << colorMap->getBits()).Int(); switch (colorMode) { case splashModeMono1: case splashModeMono8: @@ -2013,7 +2013,7 @@ void SplashOutputDev::drawImage(GfxState break; case splashModeRGB8: case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(3, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -2023,7 +2023,7 @@ void SplashOutputDev::drawImage(GfxState } break; case splashModeXBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(4, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -2265,7 +2265,7 @@ void SplashOutputDev::drawMaskedImage(Gf // build a lookup table here imgData.lookup = NULL; if (colorMap->getNumPixelComps() == 1) { - n = 1 << colorMap->getBits(); + n = (SafeInt(1) << colorMap->getBits()).Int(); switch (colorMode) { case splashModeMono1: case splashModeMono8: @@ -2278,7 +2278,7 @@ void SplashOutputDev::drawMaskedImage(Gf break; case splashModeRGB8: case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(3, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -2288,7 +2288,7 @@ void SplashOutputDev::drawMaskedImage(Gf } break; case splashModeXBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(4, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -2371,7 +2371,7 @@ void SplashOutputDev::drawSoftMaskedImag imgMaskData.width = maskWidth; imgMaskData.height = maskHeight; imgMaskData.y = 0; - n = 1 << maskColorMap->getBits(); + n = (SafeInt(1) << maskColorMap->getBits()).Int(); imgMaskData.lookup = (SplashColorPtr)gmalloc(n); for (i = 0; i < n; ++i) { pix = (Guchar)i; @@ -2408,7 +2408,7 @@ void SplashOutputDev::drawSoftMaskedImag // build a lookup table here imgData.lookup = NULL; if (colorMap->getNumPixelComps() == 1) { - n = 1 << colorMap->getBits(); + n = (SafeInt(1) << maskColorMap->getBits()).Int(); switch (colorMode) { case splashModeMono1: case splashModeMono8: @@ -2421,7 +2421,7 @@ void SplashOutputDev::drawSoftMaskedImag break; case splashModeRGB8: case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(3, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -2431,7 +2431,7 @@ void SplashOutputDev::drawSoftMaskedImag } break; case splashModeXBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(4, n); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); Index: poppler-0.10.1/poppler/Stream.cc =================================================================== --- poppler-0.10.1.orig/poppler/Stream.cc +++ poppler-0.10.1/poppler/Stream.cc @@ -399,7 +399,7 @@ ImageStream::ImageStream(Stream *strA, i nVals = width * nComps; if (nBits == 1) { - imgLineSize = (nVals + 7) & ~7; + imgLineSize = (SafeInt(nVals) + SafeInt(7)).Int() & ~7; } else { imgLineSize = nVals; } @@ -1346,8 +1346,8 @@ CCITTFaxStream::CCITTFaxStream(Stream *s // ---> max codingLine size = columns + 1 // refLine has one extra guard entry at the end // ---> max refLine size = columns + 2 - codingLine = (int *)gmallocn_checkoverflow(columns + 1, sizeof(int)); - refLine = (int *)gmallocn_checkoverflow(columns + 2, sizeof(int)); + codingLine = (int *)gmallocn_checkoverflow(SafeInt(columns) + SafeInt(1), sizeof(int)); + refLine = (int *)gmallocn_checkoverflow(SafeInt(columns) + SafeInt(2), sizeof(int)); if (codingLine != NULL && refLine != NULL) { eof = gFalse; @@ -2083,7 +2083,7 @@ void DCTStream::reset() { unfilteredReset(); if (!readHeader()) { - y = height; + y = height.Int(); return; } @@ -2128,12 +2128,12 @@ void DCTStream::reset() { if (bufWidth <= 0 || bufHeight <= 0 || bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) { error(getPos(), "Invalid image size in DCT stream"); - y = height; + y = height.Int(); return; } for (i = 0; i < numComps; ++i) { frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int)); - memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int)); + memset(frameBuf[i], 0, (bufWidth * bufHeight * sizeof(int)).Int()); } // read the image data @@ -2165,7 +2165,7 @@ void DCTStream::reset() { comp = 0; x = 0; y = 0; - dy = mcuHeight; + dy = mcuHeight.Int(); restartMarker = 0xd0; restart(); @@ -2193,7 +2193,7 @@ int DCTStream::getChar() { return EOF; } if (progressive || !interleaved) { - c = frameBuf[comp][y * bufWidth + x]; + c = frameBuf[comp][y * bufWidth.Int() + x]; if (++comp == numComps) { comp = 0; if (++x == width) { @@ -2204,7 +2204,7 @@ int DCTStream::getChar() { } else { if (dy >= mcuHeight) { if (!readMCURow()) { - y = height; + y = height.Int(); return EOF; } comp = 0; @@ -2232,11 +2232,11 @@ int DCTStream::lookChar() { return EOF; } if (progressive || !interleaved) { - return frameBuf[comp][y * bufWidth + x]; + return frameBuf[comp][y * bufWidth.Int() + x]; } else { if (dy >= mcuHeight) { if (!readMCURow()) { - y = height; + y = height.Int(); return EOF; } comp = 0; @@ -2268,7 +2268,7 @@ GBool DCTStream::readMCURow() { int x1, x2, y2, x3, y3, x4, y4, x5, y5, cc, i; int c; - for (x1 = 0; x1 < width; x1 += mcuWidth) { + for (x1 = 0; x1 < width; x1 += mcuWidth.Int()) { // deal with restart marker if (restartInterval > 0 && restartCtr == 0) { @@ -2286,8 +2286,8 @@ GBool DCTStream::readMCURow() { for (cc = 0; cc < numComps; ++cc) { h = compInfo[cc].hSample; v = compInfo[cc].vSample; - horiz = mcuWidth / h; - vert = mcuHeight / v; + horiz = mcuWidth.Int() / h; + vert = mcuHeight.Int() / v; hSub = horiz / 8; vSub = vert / 8; for (y2 = 0; y2 < mcuHeight; y2 += vert) { @@ -2393,11 +2393,11 @@ void DCTStream::readScan() { break; } } - dx1 = mcuWidth / compInfo[cc].hSample; - dy1 = mcuHeight / compInfo[cc].vSample; + dx1 = mcuWidth.Int() / compInfo[cc].hSample; + dy1 = mcuHeight.Int() / compInfo[cc].vSample; } else { - dx1 = mcuWidth; - dy1 = mcuHeight; + dx1 = mcuWidth.Int(); + dy1 = mcuHeight.Int(); } for (y1 = 0; y1 < height; y1 += dy1) { @@ -2424,14 +2424,14 @@ void DCTStream::readScan() { h = compInfo[cc].hSample; v = compInfo[cc].vSample; - horiz = mcuWidth / h; - vert = mcuHeight / v; + horiz = mcuWidth.Int() / h; + vert = mcuHeight.Int() / v; vSub = vert / 8; for (y2 = 0; y2 < dy1; y2 += vert) { for (x2 = 0; x2 < dx1; x2 += horiz) { // pull out the current values - p1 = &frameBuf[cc][(y1+y2) * bufWidth + (x1+x2)]; + p1 = &frameBuf[cc][(y1+y2) * bufWidth.Int() + (x1+x2)]; for (y3 = 0, i = 0; y3 < 8; ++y3, i += 8) { data[i] = p1[0]; data[i+1] = p1[1]; @@ -2441,7 +2441,7 @@ void DCTStream::readScan() { data[i+5] = p1[5]; data[i+6] = p1[6]; data[i+7] = p1[7]; - p1 += bufWidth * vSub; + p1 += bufWidth.Int() * vSub; } // read one data unit @@ -2463,7 +2463,7 @@ void DCTStream::readScan() { } // add the data unit into frameBuf - p1 = &frameBuf[cc][(y1+y2) * bufWidth + (x1+x2)]; + p1 = &frameBuf[cc][(y1+y2) * bufWidth.Int() + (x1+x2)]; for (y3 = 0, i = 0; y3 < 8; ++y3, i += 8) { p1[0] = data[i]; p1[1] = data[i+1]; @@ -2473,7 +2473,7 @@ void DCTStream::readScan() { p1[5] = data[i+5]; p1[6] = data[i+6]; p1[7] = data[i+7]; - p1 += bufWidth * vSub; + p1 += bufWidth.Int() * vSub; } } } @@ -2670,21 +2670,21 @@ void DCTStream::decodeImage() { int h, v, horiz, vert, hSub, vSub; int *p0, *p1, *p2; - for (y1 = 0; y1 < bufHeight; y1 += mcuHeight) { - for (x1 = 0; x1 < bufWidth; x1 += mcuWidth) { + for (y1 = 0; y1 < bufHeight; y1 += mcuHeight.Int()) { + for (x1 = 0; x1 < bufWidth; x1 += mcuWidth.Int()) { for (cc = 0; cc < numComps; ++cc) { quantTable = quantTables[compInfo[cc].quantTable]; h = compInfo[cc].hSample; v = compInfo[cc].vSample; - horiz = mcuWidth / h; - vert = mcuHeight / v; + horiz = mcuWidth.Int() / h; + vert = mcuHeight.Int() / v; hSub = horiz / 8; vSub = vert / 8; for (y2 = 0; y2 < mcuHeight; y2 += vert) { for (x2 = 0; x2 < mcuWidth; x2 += horiz) { // pull out the coded data unit - p1 = &frameBuf[cc][(y1+y2) * bufWidth + (x1+x2)]; + p1 = &frameBuf[cc][(y1+y2) * bufWidth.Int() + (x1+x2)]; for (y3 = 0, i = 0; y3 < 8; ++y3, i += 8) { dataIn[i] = p1[0]; dataIn[i+1] = p1[1]; @@ -2694,7 +2694,7 @@ void DCTStream::decodeImage() { dataIn[i+5] = p1[5]; dataIn[i+6] = p1[6]; dataIn[i+7] = p1[7]; - p1 += bufWidth * vSub; + p1 += bufWidth.Int() * vSub; } // transform @@ -2702,7 +2702,7 @@ void DCTStream::decodeImage() { // store back into frameBuf, doing replication for // subsampled components - p1 = &frameBuf[cc][(y1+y2) * bufWidth + (x1+x2)]; + p1 = &frameBuf[cc][(y1+y2) * bufWidth.Int() + (x1+x2)]; if (hSub == 1 && vSub == 1) { for (y3 = 0, i = 0; y3 < 8; ++y3, i += 8) { p1[0] = dataOut[i] & 0xff; @@ -2713,10 +2713,10 @@ void DCTStream::decodeImage() { p1[5] = dataOut[i+5] & 0xff; p1[6] = dataOut[i+6] & 0xff; p1[7] = dataOut[i+7] & 0xff; - p1 += bufWidth; + p1 += bufWidth.Int(); } } else if (hSub == 2 && vSub == 2) { - p2 = p1 + bufWidth; + p2 = p1 + bufWidth.Int(); for (y3 = 0, i = 0; y3 < 16; y3 += 2, i += 8) { p1[0] = p1[1] = p2[0] = p2[1] = dataOut[i] & 0xff; p1[2] = p1[3] = p2[2] = p2[3] = dataOut[i+1] & 0xff; @@ -2726,8 +2726,8 @@ void DCTStream::decodeImage() { p1[10] = p1[11] = p2[10] = p2[11] = dataOut[i+5] & 0xff; p1[12] = p1[13] = p2[12] = p2[13] = dataOut[i+6] & 0xff; p1[14] = p1[15] = p2[14] = p2[15] = dataOut[i+7] & 0xff; - p1 += bufWidth * 2; - p2 += bufWidth * 2; + p1 += bufWidth.Int() * 2; + p2 += bufWidth.Int() * 2; } } else { i = 0; @@ -2738,11 +2738,11 @@ void DCTStream::decodeImage() { for (x5 = 0; x5 < hSub; ++x5) { p2[x5] = dataOut[i] & 0xff; } - p2 += bufWidth; + p2 += bufWidth.Int(); } ++i; } - p1 += bufWidth * vSub; + p1 += bufWidth.Int() * vSub; } } } @@ -2754,9 +2754,9 @@ void DCTStream::decodeImage() { // convert YCbCr to RGB if (numComps == 3) { for (y2 = 0; y2 < mcuHeight; ++y2) { - p0 = &frameBuf[0][(y1+y2) * bufWidth + x1]; - p1 = &frameBuf[1][(y1+y2) * bufWidth + x1]; - p2 = &frameBuf[2][(y1+y2) * bufWidth + x1]; + p0 = &frameBuf[0][(y1+y2) * bufWidth.Int() + x1]; + p1 = &frameBuf[1][(y1+y2) * bufWidth.Int() + x1]; + p2 = &frameBuf[2][(y1+y2) * bufWidth.Int() + x1]; for (x2 = 0; x2 < mcuWidth; ++x2) { pY = *p0; pCb = *p1 - 128; @@ -2773,9 +2773,9 @@ void DCTStream::decodeImage() { // convert YCbCrK to CMYK (K is passed through unchanged) } else if (numComps == 4) { for (y2 = 0; y2 < mcuHeight; ++y2) { - p0 = &frameBuf[0][(y1+y2) * bufWidth + x1]; - p1 = &frameBuf[1][(y1+y2) * bufWidth + x1]; - p2 = &frameBuf[2][(y1+y2) * bufWidth + x1]; + p0 = &frameBuf[0][(y1+y2) * bufWidth.Int() + x1]; + p1 = &frameBuf[1][(y1+y2) * bufWidth.Int() + x1]; + p2 = &frameBuf[2][(y1+y2) * bufWidth.Int() + x1]; for (x2 = 0; x2 < mcuWidth; ++x2) { pY = *p0; pCb = *p1 - 128; @@ -4437,7 +4437,7 @@ void FlateStream::compHuffmanCodes(int * } // allocate the table - tabSize = 1 << tab->maxLen; + tabSize = (SafeInt(1) << tab->maxLen).Int(); tab->codes = (FlateCode *)gmallocn(tabSize, sizeof(FlateCode)); // clear the table Index: poppler-0.10.1/poppler/Stream.h =================================================================== --- poppler-0.10.1.orig/poppler/Stream.h +++ poppler-0.10.1/poppler/Stream.h @@ -695,9 +695,9 @@ private: GBool progressive; // set if in progressive mode GBool interleaved; // set if in interleaved mode - int width, height; // image size - int mcuWidth, mcuHeight; // size of min coding unit, in data units - int bufWidth, bufHeight; // frameBuf size + SafeInt width, height; // image size + SafeInt mcuWidth, mcuHeight; // size of min coding unit, in data units + SafeInt bufWidth, bufHeight; // frameBuf size DCTCompInfo compInfo[4]; // info for each component DCTScanInfo scanInfo; // info for the current scan int numComps; // number of components in image Index: poppler-0.10.1/poppler/TextOutputDev.cc =================================================================== --- poppler-0.10.1.orig/poppler/TextOutputDev.cc +++ poppler-0.10.1/poppler/TextOutputDev.cc @@ -287,7 +287,7 @@ TextWord::TextWord(GfxState *state, int text = NULL; charcode = NULL; edge = NULL; - len = size = 0; + size = len = 0; spaceAfter = gFalse; next = NULL; @@ -373,10 +373,10 @@ void TextWord::merge(TextWord *word) { yMax = word->yMax; } if (len + word->len > size) { - size = len + word->len; + size = SafeInt(len) + SafeInt(word->len); text = (Unicode *)greallocn(text, size, sizeof(Unicode)); charcode = (CharCode *)greallocn(charcode, (size + 1), sizeof(CharCode)); - edge = (double *)greallocn(edge, (size + 1), sizeof(double)); + edge = (double *)greallocn(edge, (size + SafeInt(1)), sizeof(double)); } for (i = 0; i < word->len; ++i) { text[len + i] = word->text[i]; @@ -510,11 +510,11 @@ TextPool::TextPool() { } TextPool::~TextPool() { - int baseIdx; + SafeInt baseIdx; TextWord *word, *word2; for (baseIdx = minBaseIdx; baseIdx <= maxBaseIdx; ++baseIdx) { - for (word = pool[baseIdx - minBaseIdx]; word; word = word2) { + for (word = pool[(baseIdx - minBaseIdx).Int()]; word; word = word2) { word2 = word->next; delete word; } @@ -527,17 +527,17 @@ int TextPool::getBaseIdx(double base) { baseIdx = (int)(base / textPoolStep); if (baseIdx < minBaseIdx) { - return minBaseIdx; + return minBaseIdx.Int(); } if (baseIdx > maxBaseIdx) { - return maxBaseIdx; + return maxBaseIdx.Int(); } return baseIdx; } void TextPool::addWord(TextWord *word) { TextWord **newPool; - int wordBaseIdx, newMinBaseIdx, newMaxBaseIdx, baseIdx; + SafeInt wordBaseIdx, newMinBaseIdx, newMaxBaseIdx, baseIdx; TextWord *w0, *w1; // expand the array if needed @@ -545,29 +545,29 @@ void TextPool::addWord(TextWord *word) { if (minBaseIdx > maxBaseIdx) { minBaseIdx = wordBaseIdx - 128; maxBaseIdx = wordBaseIdx + 128; - pool = (TextWord **)gmallocn(maxBaseIdx - minBaseIdx + 1, + pool = (TextWord **)gmallocn(maxBaseIdx - minBaseIdx + SafeInt(1), sizeof(TextWord *)); for (baseIdx = minBaseIdx; baseIdx <= maxBaseIdx; ++baseIdx) { - pool[baseIdx - minBaseIdx] = NULL; + pool[(baseIdx - minBaseIdx).Int()] = NULL; } } else if (wordBaseIdx < minBaseIdx) { newMinBaseIdx = wordBaseIdx - 128; - newPool = (TextWord **)gmallocn(maxBaseIdx - newMinBaseIdx + 1, + newPool = (TextWord **)gmallocn(maxBaseIdx - newMinBaseIdx + SafeInt(1), sizeof(TextWord *)); for (baseIdx = newMinBaseIdx; baseIdx < minBaseIdx; ++baseIdx) { - newPool[baseIdx - newMinBaseIdx] = NULL; + newPool[(baseIdx - newMinBaseIdx).Int()] = NULL; } - memcpy(&newPool[minBaseIdx - newMinBaseIdx], pool, - (maxBaseIdx - minBaseIdx + 1) * sizeof(TextWord *)); + memcpy(&newPool[(minBaseIdx - newMinBaseIdx).Int()], pool, + ((maxBaseIdx - minBaseIdx + 1) * sizeof(TextWord *)).Int()); gfree(pool); pool = newPool; minBaseIdx = newMinBaseIdx; } else if (wordBaseIdx > maxBaseIdx) { newMaxBaseIdx = wordBaseIdx + 128; - pool = (TextWord **)greallocn(pool, newMaxBaseIdx - minBaseIdx + 1, + pool = (TextWord **)greallocn(pool, newMaxBaseIdx - minBaseIdx + SafeInt(1), sizeof(TextWord *)); for (baseIdx = maxBaseIdx + 1; baseIdx <= newMaxBaseIdx; ++baseIdx) { - pool[baseIdx - minBaseIdx] = NULL; + pool[(baseIdx - minBaseIdx).Int()] = NULL; } maxBaseIdx = newMaxBaseIdx; } @@ -579,17 +579,17 @@ void TextPool::addWord(TextWord *word) { w1 = cursor->next; } else { w0 = NULL; - w1 = pool[wordBaseIdx - minBaseIdx]; + w1 = pool[(wordBaseIdx - minBaseIdx).Int()]; } for (; w1 && word->primaryCmp(w1) > 0; w0 = w1, w1 = w1->next) ; word->next = w1; if (w0) { w0->next = word; } else { - pool[wordBaseIdx - minBaseIdx] = word; + pool[(wordBaseIdx - minBaseIdx).Int()] = word; } cursor = word; - cursorBaseIdx = wordBaseIdx; + cursorBaseIdx = wordBaseIdx.Int(); } //------------------------------------------------------------------------ @@ -799,7 +799,7 @@ void TextLine::coalesce(UnicodeMap *uMap } } text = (Unicode *)gmallocn(len, sizeof(Unicode)); - edge = (double *)gmallocn(len + 1, sizeof(double)); + edge = (double *)gmallocn(len + SafeInt(1), sizeof(double)); i = 0; for (word1 = words; word1; word1 = word1->next) { for (j = 0; j < word1->len; ++j) { @@ -815,7 +815,7 @@ void TextLine::coalesce(UnicodeMap *uMap } // compute convertedLen and set up the col array - col = (int *)gmallocn(len + 1, sizeof(int)); + col = (int *)gmallocn(len + SafeInt(1), sizeof(int)); convertedLen = 0; for (i = 0; i < len; ++i) { col[i] = convertedLen; @@ -825,11 +825,11 @@ void TextLine::coalesce(UnicodeMap *uMap convertedLen += uMap->mapUnicode(text[i], buf, sizeof(buf)); } } - col[len] = convertedLen; + col[len.Int()] = convertedLen; // check for hyphen at end of line //~ need to check for other chars used as hyphens - hyphenated = text[len - 1] == (Unicode)'-'; + hyphenated = text[(len - 1).Int()] == (Unicode)'-'; } //------------------------------------------------------------------------ @@ -1199,7 +1199,7 @@ void TextBlock::coalesce(UnicodeMap *uMa int i, j, k; // discard duplicated text (fake boldface, drop shadows) - for (idx0 = pool->minBaseIdx; idx0 <= pool->maxBaseIdx; ++idx0) { + for (idx0 = pool->minBaseIdx.Int(); idx0 <= pool->maxBaseIdx.Int(); ++idx0) { word0 = pool->getPool(idx0); while (word0) { priDelta = dupMaxPriDelta * word0->fontSize; @@ -1263,7 +1263,7 @@ void TextBlock::coalesce(UnicodeMap *uMa // build the lines curLine = NULL; - poolMinBaseIdx = pool->minBaseIdx; + poolMinBaseIdx = pool->minBaseIdx.Int(); charCount = 0; nLines = 0; while (1) { @@ -1365,7 +1365,7 @@ void TextBlock::coalesce(UnicodeMap *uMa line->next = line1; curLine = line; line->coalesce(uMap); - charCount += line->len; + charCount += line->len.Int(); ++nLines; } @@ -1374,7 +1374,7 @@ void TextBlock::coalesce(UnicodeMap *uMa for (line = lines, i = 0; line; line = line->next, ++i) { lineArray[i] = line; } - qsort(lineArray, nLines, sizeof(TextLine *), &TextLine::cmpXY); + qsort(lineArray, nLines.Int(), sizeof(TextLine *), &TextLine::cmpXY); // column assignment nColumns = 0; @@ -1384,7 +1384,7 @@ void TextBlock::coalesce(UnicodeMap *uMa for (j = 0; j < i; ++j) { line1 = lineArray[j]; if (line1->primaryDelta(line0) >= 0) { - col2 = line1->col[line1->len] + 1; + col2 = line1->col[line1->len.Int()] + 1; } else { k = 0; // make gcc happy switch (rot) { @@ -1422,8 +1422,8 @@ void TextBlock::coalesce(UnicodeMap *uMa for (k = 0; k <= line0->len; ++k) { line0->col[k] += col1; } - if (line0->col[line0->len] > nColumns) { - nColumns = line0->col[line0->len]; + if (line0->col[line0->len.Int()] > nColumns) { + nColumns = line0->col[line0->len.Int()]; } } gfree(lineArray); @@ -1696,7 +1696,8 @@ TextWordList::TextWordList(TextPage *tex TextLine *line; TextWord *word; TextWord **wordArray; - int nWords, i; + SafeInt nWords; + int i; words = new GooList(); @@ -1729,7 +1730,7 @@ TextWordList::TextWordList(TextPage *tex } } } - qsort(wordArray, nWords, sizeof(TextWord *), &TextWord::cmpYX); + qsort(wordArray, nWords.Int(), sizeof(TextWord *), &TextWord::cmpYX); for (i = 0; i < nWords; ++i) { words->append(wordArray[i]); } @@ -2180,7 +2181,8 @@ void TextPage::coalesce(GBool physLayout GBool found; int count[4]; int lrCount; - int firstBlkIdx, nBlocksLeft; + int firstBlkIdx; + SafeInt nBlocksLeft; int col1, col2; int i, j, n; @@ -2366,7 +2368,7 @@ void TextPage::coalesce(GBool physLayout // build blocks for each rotation value for (rot = 0; rot < 4; ++rot) { pool = pools[rot]; - poolMinBaseIdx = pool->minBaseIdx; + poolMinBaseIdx = pool->minBaseIdx.Int(); count[rot] = 0; // add blocks until no more words are left @@ -2736,7 +2738,7 @@ void TextPage::coalesce(GBool physLayout for (blk = blkList, i = 0; blk; blk = blk->next, ++i) { blocks[i] = blk; } - qsort(blocks, nBlocks, sizeof(TextBlock *), &TextBlock::cmpXYPrimaryRot); + qsort(blocks, nBlocks.Int(), sizeof(TextBlock *), &TextBlock::cmpXYPrimaryRot); // column assignment for (i = 0; i < nBlocks; ++i) { @@ -2828,7 +2830,7 @@ void TextPage::coalesce(GBool physLayout //----- reading order sort // sort blocks into yx order (in preparation for reading order sort) - qsort(blocks, nBlocks, sizeof(TextBlock *), &TextBlock::cmpYXPrimaryRot); + qsort(blocks, nBlocks.Int(), sizeof(TextBlock *), &TextBlock::cmpYXPrimaryRot); // compute space on left and right sides of each block for (i = 0; i < nBlocks; ++i) { @@ -2868,7 +2870,7 @@ void TextPage::coalesce(GBool physLayout //~ this needs to be adjusted for writing mode (vertical text) //~ this also needs to account for right-to-left column ordering blkArray = (TextBlock **)gmallocn(nBlocks, sizeof(TextBlock *)); - memcpy(blkArray, blocks, nBlocks * sizeof(TextBlock *)); + memcpy(blkArray, blocks, nBlocks.Int() * sizeof(TextBlock *)); while (flows) { flow = flows; flows = flows->next; @@ -3045,7 +3047,7 @@ GBool TextPage::findText(Unicode *s, int xMin0 = xMax0 = yMin0 = yMax0 = 0; // make gcc happy xMin1 = xMax1 = yMin1 = yMax1 = 0; // make gcc happy - for (i = backward ? nBlocks - 1 : 0; + for (i = backward ? (nBlocks - 1).Int() : 0; backward ? i >= 0 : i < nBlocks; i += backward ? -1 : 1) { blk = blocks[i]; @@ -3075,7 +3077,7 @@ GBool TextPage::findText(Unicode *s, int } if (!line->normalized) - line->normalized = unicodeNormalizeNFKC(line->text, line->len, + line->normalized = unicodeNormalizeNFKC(line->text, line->len.Int(), &line->normalized_len, &line->normalized_idx); // convert the line to uppercase @@ -3205,7 +3207,8 @@ GooString *TextPage::getText(double xMin TextBlock *blk; TextLine *line; TextLineFrag *frags; - int nFrags, fragsSize; + int nFrags; + SafeInt fragsSize; TextLineFrag *frag; char space[8], eol[16]; int spaceLen, eolLen; @@ -3268,7 +3271,7 @@ GooString *TextPage::getText(double xMin } ++j; } - j = line->len - 1; + j = (line->len - 1).Int(); while (j >= 0) { if (0.5 * (line->edge[j] + line->edge[j+1]) < xMax) { idx1 = j; @@ -3289,7 +3292,7 @@ GooString *TextPage::getText(double xMin } ++j; } - j = line->len - 1; + j = (line->len - 1).Int(); while (j >= 0) { if (0.5 * (line->edge[j] + line->edge[j+1]) < yMax) { idx1 = j; @@ -3310,7 +3313,7 @@ GooString *TextPage::getText(double xMin } ++j; } - j = line->len - 1; + j = (line->len - 1).Int(); while (j >= 0) { if (0.5 * (line->edge[j] + line->edge[j+1]) > xMin) { idx1 = j; @@ -3331,7 +3334,7 @@ GooString *TextPage::getText(double xMin } ++j; } - j = line->len - 1; + j = (line->len - 1).Int(); while (j >= 0) { if (0.5 * (line->edge[j] + line->edge[j+1]) > yMin) { idx1 = j; @@ -3800,8 +3803,8 @@ void TextLine::visitSelection(TextSelect (selection->x2 < p->xMax && selection->y2 < p->yMax)) if (begin == NULL) begin = p; - if ((selection->x1 > p->xMin && selection->y1 > p->yMin || - selection->x2 > p->xMin && selection->y2 > p->yMin) && (begin != NULL)) { + if (((selection->x1 > p->xMin && selection->y1 > p->yMin) || + (selection->x2 > p->xMin && selection->y2 > p->yMin)) && (begin != NULL)) { end = p->next; current = p; } @@ -3820,7 +3823,7 @@ void TextLine::visitSelection(TextSelect } } - edge_begin = len; + edge_begin = len.Int(); edge_end = 0; for (i = 0; i < len; i++) { double mid = (edge[i] + edge[i + 1]) / 2; @@ -3885,8 +3888,8 @@ void TextBlock::visitSelection(TextSelec stop_y = selection->y1; } - if ((selection->x1 > p->xMin && selection->y1 > p->yMin || - selection->x2 > p->xMin && selection->y2 > p->yMin) && (begin != NULL)) + if (((selection->x1 > p->xMin && selection->y1 > p->yMin) || + (selection->x2 > p->xMin && selection->y2 > p->yMin)) && (begin != NULL)) end = p->next; } @@ -3925,7 +3928,7 @@ void TextPage::visitSelection(TextSelect double start_x, start_y, stop_x, stop_y; TextBlock *b; - begin = nBlocks; + begin = nBlocks.Int(); end = 0; start_x = selection->x1; start_y = selection->y1; @@ -3963,8 +3966,8 @@ void TextPage::visitSelection(TextSelect stop_y = selection->y1; } - if (selection->x1 > b->xMin && selection->y1 > b->yMin || - selection->x2 > b->xMin && selection->y2 > b->yMin) + if ((selection->x1 > b->xMin && selection->y1 > b->yMin) || + (selection->x2 > b->xMin && selection->y2 > b->yMin)) end = i + 1; } @@ -4120,7 +4123,8 @@ void TextPage::dump(void *outputStream, TextLine *line; TextLineFrag *frags; TextWord *word; - int nFrags, fragsSize; + int nFrags; + SafeInt fragsSize; TextLineFrag *frag; char space[8], eol[16], eop[8]; int spaceLen, eolLen, eopLen; @@ -4186,7 +4190,7 @@ void TextPage::dump(void *outputStream, frags = (TextLineFrag *)greallocn(frags, fragsSize, sizeof(TextLineFrag)); } - frags[nFrags].init(line, 0, line->len); + frags[nFrags].init(line, 0, line->len.Int()); frags[nFrags].computeCoords(gTrue); ++nFrags; } @@ -4263,7 +4267,7 @@ void TextPage::dump(void *outputStream, for (flow = flows; flow; flow = flow->next) { for (blk = flow->blocks; blk; blk = blk->next) { for (line = blk->lines; line; line = line->next) { - n = line->len; + n = line->len.Int(); if (line->hyphenated && (line->next || blk->next)) { --n; } Index: poppler-0.10.1/poppler/TextOutputDev.h =================================================================== --- poppler-0.10.1.orig/poppler/TextOutputDev.h +++ poppler-0.10.1/poppler/TextOutputDev.h @@ -176,7 +176,7 @@ private: double *edge; // "near" edge x or y coord of each char // (plus one extra entry for the last char) int len; // length of text and edge arrays - int size; // size of text and edge arrays + SafeInt size; // size of text and edge arrays int charPos; // character position (within content stream) int charLen; // number of content stream characters in // this word @@ -216,8 +216,8 @@ public: TextPool(); ~TextPool(); - TextWord *getPool(int baseIdx) { return pool[baseIdx - minBaseIdx]; } - void setPool(int baseIdx, TextWord *p) { pool[baseIdx - minBaseIdx] = p; } + TextWord *getPool(int baseIdx) { return pool[(baseIdx - minBaseIdx).Int()]; } + void setPool(int baseIdx, TextWord *p) { pool[(baseIdx - minBaseIdx).Int()] = p; } int getBaseIdx(double base); @@ -225,8 +225,8 @@ public: private: - int minBaseIdx; // min baseline bucket index - int maxBaseIdx; // max baseline bucket index + SafeInt minBaseIdx; // min baseline bucket index + SafeInt maxBaseIdx; // max baseline bucket index TextWord **pool; // array of linked lists, one for each // baseline value (multiple of 4 pts) TextWord *cursor; // pointer to last-accessed word @@ -296,7 +296,7 @@ private: double *edge; // "near" edge x or y coord of each char // (plus one extra entry for the last char) int *col; // starting column number of each Unicode char - int len; // number of Unicode chars + SafeInt len; // number of Unicode chars int convertedLen; // total number of converted characters GBool hyphenated; // set if last char is a hyphen TextLine *next; // next line in block @@ -357,7 +357,7 @@ public: void getBBox(double *xMinA, double *yMinA, double *xMaxA, double *yMaxA) { *xMinA = xMin; *yMinA = yMin; *xMaxA = xMax; *yMaxA = yMax; } - int getLineCount() { return nLines; } + int getLineCount() { return nLines.Int(); } private: @@ -371,7 +371,7 @@ private: // are built) TextLine *lines; // linked list of lines TextLine *curLine; // most recently added line - int nLines; // number of lines + SafeInt nLines; // number of lines int charCount; // number of characters in the block int col; // starting column int nColumns; // number of columns in the block @@ -581,7 +581,7 @@ private: TextPool *pools[4]; // a "pool" of TextWords for each rotation TextFlow *flows; // linked list of flows TextBlock **blocks; // array of blocks, in yx order - int nBlocks; // number of blocks + SafeInt nBlocks; // number of blocks int primaryRot; // primary rotation GBool primaryLR; // primary direction (true means L-to-R, // false means R-to-L) Index: poppler-0.10.1/poppler/UnicodeMap.cc =================================================================== --- poppler-0.10.1.orig/poppler/UnicodeMap.cc +++ poppler-0.10.1/poppler/UnicodeMap.cc @@ -39,7 +39,7 @@ UnicodeMap *UnicodeMap::parse(GooString UnicodeMap *map; UnicodeMapRange *range; UnicodeMapExt *eMap; - int size, eMapsSize; + SafeInt size, eMapsSize; char buf[256]; int line, nBytes, i, x; char *tok1, *tok2, *tok3; Index: poppler-0.10.1/poppler/XRef.cc =================================================================== --- poppler-0.10.1.orig/poppler/XRef.cc +++ poppler-0.10.1/poppler/XRef.cc @@ -400,8 +400,8 @@ GBool XRef::readXRefTable(Parser *parser GBool more; Object obj, obj2; Guint pos2; - int first, n, newSize, i; - + int first, n, i; + SafeInt newSize; while (1) { parser->getObj(&obj); if (obj.isCmd("trailer")) { @@ -422,7 +422,7 @@ GBool XRef::readXRefTable(Parser *parser goto err1; } if (first + n > size) { - for (newSize = size ? 2 * size : 1024; + for (newSize = size ? SafeInt(2) * SafeInt(size) : 1024; first + n > newSize && newSize > 0; newSize <<= 1) ; if (newSize < 0) { @@ -441,7 +441,7 @@ GBool XRef::readXRefTable(Parser *parser entries[i].updated = false; entries[i].gen = 0; } - size = newSize; + size = newSize.Int(); } for (i = first; i < first + n; ++i) { if (!parser->getObj(&obj)->isInt()) { @@ -629,13 +629,14 @@ GBool XRef::readXRefStream(Stream *xrefS GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) { Guint offset; - int type, gen, c, newSize, i, j; + int type, gen, c, i, j; + SafeInt newSize; if (first + n < 0) { return gFalse; } if (first + n > size) { - for (newSize = size ? 2 * size : 1024; + for (newSize = size ? SafeInt(2) * SafeInt(size) : 1024; first + n > newSize && newSize > 0; newSize <<= 1) ; if (newSize < 0) { @@ -653,7 +654,7 @@ GBool XRef::readXRefStreamSection(Stream entries[i].updated = false; entries[i].gen = 0; } - size = newSize; + size = newSize.Int(); } for (i = first; i < first + n; ++i) { if (w[0] == 0) { @@ -711,8 +712,8 @@ GBool XRef::constructXRef() { char buf[256]; Guint pos; int num, gen; - int newSize; - int streamEndsSize; + SafeInt newSize; + SafeInt streamEndsSize; char *p; int i; GBool gotRoot; @@ -723,7 +724,7 @@ GBool XRef::constructXRef() { error(-1, "PDF file is damaged - attempting to reconstruct xref table..."); gotRoot = gFalse; - streamEndsLen = streamEndsSize = 0; + streamEndsSize = streamEndsLen = 0; str->reset(); while (1) { @@ -782,7 +783,7 @@ GBool XRef::constructXRef() { } while (*p && isspace(*p)); if (!strncmp(p, "obj", 3)) { if (num >= size) { - newSize = (num + 1 + 255) & ~255; + newSize = (SafeInt(num) + 1 + 255).Int() & ~255; if (newSize < 0) { error(-1, "Bad object number"); return gFalse; @@ -799,7 +800,7 @@ GBool XRef::constructXRef() { entries[i].obj.initNull (); entries[i].updated = false; } - size = newSize; + size = newSize.Int(); } if (entries[num].type == xrefEntryFree || gen >= entries[num].gen) { Index: poppler-0.10.1/utils/pdffonts.cc =================================================================== --- poppler-0.10.1.orig/utils/pdffonts.cc +++ poppler-0.10.1/utils/pdffonts.cc @@ -164,7 +164,7 @@ int main(int argc, char *argv[]) { printf("name type emb sub uni object ID\n"); printf("------------------------------------ ----------------- --- --- --- ---------\n"); fonts = NULL; - fontsLen = fontsSize = 0; + fontsSize = fontsLen = 0; for (pg = firstPage; pg <= lastPage; ++pg) { page = doc->getCatalog()->getPage(pg); if ((resDict = page->getResourceDict())) { Index: poppler-0.10.1/poppler/CairoFontEngine.cc =================================================================== --- poppler-0.10.1.orig/poppler/CairoFontEngine.cc +++ poppler-0.10.1/poppler/CairoFontEngine.cc @@ -251,7 +251,7 @@ CairoFont *CairoFont::create(GfxFont *gf cairo_font_face_t *font_face; Gushort *codeToGID; - int codeToGIDLen; + SafeInt codeToGIDLen; dfp = NULL; codeToGID = NULL; @@ -417,7 +417,7 @@ CairoFont *CairoFont::create(GfxFont *gf return new CairoFont(ref, font_face, face, - codeToGID, codeToGIDLen, + codeToGID, codeToGIDLen.Int(), substitute); err2: