texlive/texlive-CVE-2010-0739,1440-integer-overflows.patch
2010-05-10 05:09:30 +00:00


diff -up texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 texlive-2007/texk/dvipsk/dospecial.c
--- texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 2006-12-07 23:39:19.000000000 +0100
+++ texlive-2007/texk/dvipsk/dospecial.c 2010-05-09 10:35:33.724632292 +0200
@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes,
int j ;
static int omega_specials = 0;
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
p = nextstring = mymalloc(1000 + 2 * numbytes) ;
maxstring = nextstring + 2 * numbytes + 700 ;
}
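Review bot: The bound `(INT_MAX - 1000) / 2` in the inner check is only correct while it mirrors the allocation `mymalloc(1000 + 2 * numbytes)` two lines below, and nothing in the code records that coupling; the same pair is repeated in the bbdospecial hunk. I would add a comment above the inner `if`, such as `/* bound must match the 1000 + 2 * numbytes passed to mymalloc below */`, or move the check and allocation into one helper shared by both functions. The visible hunks also use `INT_MAX` without adding `#include <limits.h>`, so it is worth confirming that dospecial.c already gets it through an existing header. predospecial's body starts and ends outside the hunk.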
@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes)
char seen[NKEYS] ;
float valseen[NKEYS] ;
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
p = nextstring = mymalloc(1000 + 2 * nbytes) ;
maxstring = nextstring + 2 * nbytes + 700 ;
}
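Review bot: The inner check in bbdospecial prevents the signed overflow in `1000 + 2 * nbytes` but still accepts any `nbytes` up to about INT_MAX / 2, so a single special can request an allocation close to 2 GiB; predospecial has the same ceiling. If `nbytes` comes from the DVI input, which the hunk does not show, a much lower sanity limit on special length would bound memory use on malformed files, for example `if (nbytes < 0 || nbytes > MAX_SPECIAL_LEN)`, where `MAX_SPECIAL_LEN` is a placeholder for a constant the project would define. How `mymalloc` behaves on failure is not visible here, so confirm that it aborts rather than returning NULL. bbdospecial continues outside the hunk.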