30 lines
1.2 KiB
Diff
30 lines
1.2 KiB
Diff
diff -up texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 texlive-2007/texk/dvipsk/dospecial.c
|
|
--- texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 2006-12-07 23:39:19.000000000 +0100
|
|
+++ texlive-2007/texk/dvipsk/dospecial.c 2010-05-09 10:35:33.724632292 +0200
|
|
@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes,
|
|
int j ;
|
|
static int omega_specials = 0;
|
|
|
|
- if (nextstring + numbytes > maxstring) {
|
|
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
|
|
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) {
|
|
+ error("! Integer overflow in predospecial");
|
|
+ exit(1);
|
|
+ }
|
|
p = nextstring = mymalloc(1000 + 2 * numbytes) ;
|
|
maxstring = nextstring + 2 * numbytes + 700 ;
|
|
}
|
|
@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes)
|
|
char seen[NKEYS] ;
|
|
float valseen[NKEYS] ;
|
|
|
|
- if (nextstring + nbytes > maxstring) {
|
|
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
|
|
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) {
|
|
+ error("! Integer overflow in bbdospecial");
|
|
+ exit(1);
|
|
+ }
|
|
p = nextstring = mymalloc(1000 + 2 * nbytes) ;
|
|
maxstring = nextstring + 2 * nbytes + 700 ;
|
|
}
|