From 8c2dab4922b514045cbae8e71ba93aaf8c0fff48 Mon Sep 17 00:00:00 2001 From: giraffedata Date: Fri, 19 Jun 2015 03:02:42 +0000 Subject: Release 10.70.07 git-svn-id: http://svn.code.sf.net/p/netpbm/code/advanced@2557 9d0c8265-081b-0410-96cb-a4ca84ce46f8 --- converter/pbm/escp2topbm.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'converter/pbm/escp2topbm.c') diff --git a/converter/pbm/escp2topbm.c b/converter/pbm/escp2topbm.c index 049ed23c..28296da9 100644 --- a/converter/pbm/escp2topbm.c +++ b/converter/pbm/escp2topbm.c @@ -48,6 +48,8 @@ dec_epson_rle(unsigned const int k, } dpos += i; } + if(dpos > k) + pm_error("Corrupt compressed block"); return pos; /* return number of treated input bytes */ } @@ -96,6 +98,7 @@ main(int argc, /* filter out raster data */ height = 0; /* initial value */ + width = 0; /* initial value */ pos = 0; /* initial value */ opos = 0; /* initial value */ @@ -104,9 +107,16 @@ main(int argc, if (input[pos] == '\x1b' && input[pos+1] == '.') { unsigned int const k = input[pos+5] * ((input[pos+7] * 256 + input[pos+6] + 7) / 8); + unsigned int const margin = 256; + if(input[pos+5] == 0) + pm_error("Abnormal height value in escape sequence"); height += input[pos+5]; - width = input[pos+7] * 256 + input[pos+6]; - REALLOCARRAY(output, opos + k); + if(width == 0) /* initialize */ + width = input[pos+7] * 256 + input[pos+6]; + else if(width != input[pos+7] * 256 + input[pos+6]) + pm_error("Abnormal width value in escape sequence"); + + REALLOCARRAY(output, opos + k + margin); if (output == NULL) pm_error("Cannot allocate memory"); -- cgit 1.4.1