mirror of
https://github.com/simon987/antiword.git
synced 2025-04-03 07:42:59 +00:00
Add more bounds checking
This commit is contained in:
parent
62ae66db99
commit
b9afdb0561
@ -253,7 +253,7 @@
|
||||
|
||||
#define BUF_AUC 1
|
||||
extern void setBufferSize(ULONG size);
|
||||
extern BOOL isOutOfBounds(ULONG offset);
|
||||
extern BOOL isOutOfBounds(ULONG offset, size_t size);
|
||||
|
||||
/* Prototypes */
|
||||
|
||||
|
||||
21
src/pdf.c
21
src/pdf.c
@ -514,6 +514,7 @@ vMove2NextPage(diagram_type *pDiag, BOOL bNewSection)
|
||||
vAddHeader(pDiag);
|
||||
} /* end of vMove2NextPage */
|
||||
|
||||
#define VMOVETO_MAX_DEPTH 300
|
||||
/*
|
||||
* vMoveTo - move to the specified X,Y coordinates
|
||||
*
|
||||
@ -527,7 +528,24 @@ vMoveTo(diagram_type *pDiag, long lLastVerticalMovement)
|
||||
fail(pDiag->pOutFile == NULL);
|
||||
|
||||
if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) {
|
||||
vMove2NextPage(pDiag, FALSE);
|
||||
|
||||
// NOTE: SIST2: only output the first page
|
||||
vAddFooter(pDiag);
|
||||
vEndPageObject(pDiag->pOutFile);
|
||||
|
||||
iObjectNumberCurr++;
|
||||
vSetLocation(iObjectNumberCurr);
|
||||
vFillNextPageObject();
|
||||
vFPprintf(pDiag->pOutFile, "%d 0 obj\n", iObjectNumberCurr);
|
||||
vFPprintf(pDiag->pOutFile, "<<\n");
|
||||
vFPprintf(pDiag->pOutFile, "/Type /Page\n");
|
||||
vFPprintf(pDiag->pOutFile, "/Parent 3 0 R\n");
|
||||
vFPprintf(pDiag->pOutFile, "/Resources 17 0 R\n");
|
||||
vFPprintf(pDiag->pOutFile, "/Contents %d 0 R\n", iObjectNumberCurr + 1);
|
||||
vFPprintf(pDiag->pOutFile, ">>\n");
|
||||
vFPprintf(pDiag->pOutFile, "endobj\n");
|
||||
// ^^^
|
||||
|
||||
/* Repeat the last vertical movement on the new page */
|
||||
pDiag->lYtop -= lLastVerticalMovement;
|
||||
}
|
||||
@ -978,6 +996,7 @@ static void
|
||||
vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength,
|
||||
USHORT usFontstyle)
|
||||
{
|
||||
|
||||
const UCHAR *aucBytes;
|
||||
double dMove;
|
||||
size_t tCount;
|
||||
|
||||
2629
src/prop8.c
2629
src/prop8.c
File diff suppressed because it is too large
Load Diff
@ -63,7 +63,7 @@ vAdd2PropModList(const UCHAR *aucPropMod)
|
||||
NO_DBG_DEC(tNextFree);
|
||||
|
||||
tLen = 2 + (size_t)usGetWord(0, aucPropMod);
|
||||
if (isOutOfBounds(tLen)) {
|
||||
if (isOutOfBounds(tLen, sizeof(short))) {
|
||||
return;
|
||||
}
|
||||
NO_DBG_HEX(tLen);
|
||||
|
||||
@ -2,8 +2,8 @@
|
||||
|
||||
static __thread ULONG buffer;
|
||||
|
||||
BOOL isOutOfBounds(ULONG offset) {
|
||||
return offset > buffer;
|
||||
BOOL isOutOfBounds(ULONG offset, size_t size) {
|
||||
return offset >= buffer - size;
|
||||
}
|
||||
|
||||
void setBufferSize(ULONG size) {
|
||||
|
||||
@ -220,7 +220,7 @@ vAnalyseSummaryInfo(const UCHAR *aucBuffer)
|
||||
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
||||
NO_DBG_DEC(tPropID);
|
||||
NO_DBG_HEX(ulOffset);
|
||||
if (isOutOfBounds(ulOffset)) {
|
||||
if (isOutOfBounds(ulOffset, sizeof(long))) {
|
||||
return FALSE;
|
||||
}
|
||||
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
||||
@ -280,7 +280,7 @@ vAnalyseDocumentSummaryInfo(const UCHAR *aucBuffer)
|
||||
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
|
||||
NO_DBG_DEC(tPropID);
|
||||
NO_DBG_HEX(ulOffset);
|
||||
if (isOutOfBounds(ulOffset)) {
|
||||
if (isOutOfBounds(ulOffset, sizeof(long))) {
|
||||
return;
|
||||
}
|
||||
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user