From a89f9abbc6bf0e0836f50324ea94d340c61acf95 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor@ghostscript.com>
Date: Thu, 3 Feb 2011 09:04:53 +0000
Subject: Use calloc to allocate pixmap data. Limit size of PDF images to 65k x
 65k.

---
 fitz/res_pixmap.c | 2 +-
 mupdf/pdf_image.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/fitz/res_pixmap.c b/fitz/res_pixmap.c
index 86828c0c..88e10230 100644
--- a/fitz/res_pixmap.c
+++ b/fitz/res_pixmap.c
@@ -28,7 +28,7 @@ fz_newpixmapwithdata(fz_colorspace *colorspace, int x, int y, int w, int h, unsi
 	}
 	else
 	{
-		pix->samples = fz_malloc(pix->w * pix->h * pix->n);
+		pix->samples = fz_calloc(pix->h, pix->w * pix->n);
 		pix->freesamples = 1;
 	}
 
diff --git a/mupdf/pdf_image.c b/mupdf/pdf_image.c
index 578ba4a1..b5c7ec68 100644
--- a/mupdf/pdf_image.c
+++ b/mupdf/pdf_image.c
@@ -66,6 +66,10 @@ pdf_loadimageimp(fz_pixmap **imgp, pdf_xref *xref, fz_obj *rdb, fz_obj *dict, fz
 		return fz_throw("image height is zero");
 	if (bpc == 0)
 		return fz_throw("image depth is zero");
+	if (w > (1 << 16))
+		return fz_throw("image is too wide");
+	if (h > (1 << 16))
+		return fz_throw("image is too high");
 
 	obj = fz_dictgetsa(dict, "ColorSpace", "CS");
 	if (obj && !imagemask && !forcemask)
-- 
cgit v1.2.3