[cairo-commit] src/cairo-pdf-surface.c src/cairo-ps-surface.c

Vladimir Vukicevic vladimir at kemper.freedesktop.org
Wed Feb 6 13:52:47 PST 2008


 src/cairo-pdf-surface.c |   22 ++++++++++++++++------
 src/cairo-ps-surface.c  |    4 ++--
 2 files changed, 18 insertions(+), 8 deletions(-)

New commits:
commit a9b0e54d386811dc750b5e676a0dfd84c32f4625
Author: Vladimir Vukicevic <vladimir at pobox.com>
Date:   Wed Feb 6 13:52:33 2008 -0800

    Avoid buffer overflow in ps/pdf surface
    
    A few places weren't using _cairo_malloc_*; fixed.

diff --git a/src/cairo-pdf-surface.c b/src/cairo-pdf-surface.c
index 8050244..880c382 100644
--- a/src/cairo-pdf-surface.c
+++ b/src/cairo-pdf-surface.c
@@ -1249,9 +1249,16 @@ compress_dup (const void *data, unsigned long data_size,
 	      unsigned long *compressed_size)
 {
     void *compressed;
+    unsigned long additional_size;
 
     /* Bound calculation taken from zlib. */
-    *compressed_size = data_size + (data_size >> 12) + (data_size >> 14) + 11;
+    additional_size = (data_size >> 12) + (data_size >> 14) + 11;
+    if (INT32_MAX - data_size <= additional_size) {
+	_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
+	return NULL;
+    }
+
+    *compressed_size = data_size + additional_size;
     compressed = malloc (*compressed_size);
     if (compressed == NULL) {
 	_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
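Review bot: The new guard `INT32_MAX - data_size <= additional_size` is evaluated in `unsigned long`, so when `data_size` is larger than `INT32_MAX` the subtraction wraps to a large value and the check does not fire. On a platform where `unsigned long` is 32 bits, the sum `data_size + additional_size` can then still wrap before it reaches `malloc`. Testing the upper bound first closes this: `if (data_size > INT32_MAX || INT32_MAX - data_size <= additional_size) {`. The rest of compress_dup lies outside the hunk, so how `*compressed_size` is used afterwards is not visible here.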
@@ -1295,11 +1302,14 @@ _cairo_pdf_surface_emit_smask (cairo_pdf_surface_t	*surface,
 
     stream_ret->id = 0;
 
-    if (image->format == CAIRO_FORMAT_A1)
-	alpha_size = (image->height * image->width + 7)/8;
-    else
+    if (image->format == CAIRO_FORMAT_A1) {
+	alpha_size = ((image->width+7) / 8) * image->height;
+	alpha = _cairo_malloc_ab ((image->width+7) / 8, image->height);
+    } else {
 	alpha_size = image->height * image->width;
-    alpha = malloc (alpha_size);
+	alpha = _cairo_malloc_ab (image->height, image->width);
+    }
+
     if (alpha == NULL) {
 	status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	goto CLEANUP;
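Review bot: `alpha_size` is still computed with a plain multiplication on the line just before each `_cairo_malloc_ab` call, so the overflow check covers the allocation but not the size variable that sits next to it. If `image->width` and `image->height` are signed ints (their declarations are not in the hunk), that product is evaluated, and can overflow, before the allocator gets a chance to reject it. Assigning the size only after the `alpha == NULL` check would keep the two in step. The same pattern remains for `rgb_size` in both `_cairo_*_surface_emit_image` hunks and for `mask_size` in the PS hunk. Separately, the A1 branch changes the size from `(height * width + 7)/8` to the row-padded `((width+7) / 8) * height`, which the commit message does not mention; a comment such as `/* A1 rows are padded to a whole byte */` would record why, given that the code filling `alpha` is outside the hunk.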
@@ -1420,7 +1430,7 @@ _cairo_pdf_surface_emit_image (cairo_pdf_surface_t   *surface,
 	    image->format == CAIRO_FORMAT_A1);
 
     rgb_size = image->height * image->width * 3;
-    rgb = malloc (rgb_size);
+    rgb = _cairo_malloc_abc (image->width, image->height, 3);
     if (rgb == NULL) {
 	status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	goto CLEANUP;
diff --git a/src/cairo-ps-surface.c b/src/cairo-ps-surface.c
index 23f84d7..eab4856 100644
--- a/src/cairo-ps-surface.c
+++ b/src/cairo-ps-surface.c
@@ -2095,7 +2095,7 @@ _cairo_ps_surface_emit_image (cairo_ps_surface_t    *surface,
     }
 
     rgb_size = 3 * image->width * image->height;
-    rgb = malloc (rgb_size);
+    rgb = _cairo_malloc_abc (image->width, image->height, 3);
     if (rgb == NULL) {
 	status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	goto bail1;
@@ -2103,7 +2103,7 @@ _cairo_ps_surface_emit_image (cairo_ps_surface_t    *surface,
 
     if (use_mask) {
 	mask_size = ((image->width+7) / 8) * image->height;
-	mask = malloc (mask_size);
+	mask = _cairo_malloc_ab ((image->width+7) / 8, image->height);
 	if (mask == NULL) {
 	    status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    goto bail2;

