[poppler] poppler/poppler: CairoOutputDev.cc, 1.18.2.1,
1.18.2.2 CairoOutputDev.h, 1.7, 1.7.2.1 JPXStream.cc, 1.1.1.1,
1.1.1.1.2.1 Makefile.am, 1.9.2.1, 1.9.2.2 SplashOutputDev.cc,
1.1.1.1, 1.1.1.1.2.1 Stream.cc, 1.3, 1.3.2.1 Stream.h, 1.3,
1.3.2.1 TextOutputDev.cc, 1.6.2.4, 1.6.2.5
Kristian Høgsberg
krh at freedesktop.org
Mon Dec 12 14:43:29 PST 2005
Update of /cvs/poppler/poppler/poppler
In directory gabe:/tmp/cvs-serv26067/poppler
Modified Files:
Tag: POPPLER_0_4_X
CairoOutputDev.cc CairoOutputDev.h JPXStream.cc Makefile.am
SplashOutputDev.cc Stream.cc Stream.h TextOutputDev.cc
Log Message:
2005-12-12 Kristian Høgsberg <krh at redhat.com>
* poppler/TextOutputDev.cc:
* qt/poppler-qt.h: GCC-4.1 fixes (#5031).
* qt/Makefile.am (noinst_PROGRAMS): Only build qt test program if
splash is enabled.
* poppler/CairoOutputDev.cc: Remove unused grid snapping code,
sidestepping #4507.
* glib/poppler-document.h: Fix glib-mkenums warning (#4600).
* poppler/Makefile.am (libpoppler_la_LIBADD): Add $(FREETYPE_LIBS)
(#4514).
* poppler/TextOutputDev.cc (TextWord::visitSelection,
TextWord::visitSelection): Fix selection crash (#4402).
* poppler/CairoOutputDev.h: Fix wrong cairo-ft.h include (#4413).
* poppler/JPXStream.cc:
* poppler/Stream.cc:
* poppler/Stream.h: CVE-2005-3191 security fix.
* fofi/FoFiTrueType.cc:
* poppler/SplashOutputDev.cc: CAN-2005-2097 security fix.
Index: CairoOutputDev.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/CairoOutputDev.cc,v
retrieving revision 1.18.2.1
retrieving revision 1.18.2.2
diff -u -d -r1.18.2.1 -r1.18.2.2
--- CairoOutputDev.cc 5 Aug 2005 22:31:14 -0000 1.18.2.1
+++ CairoOutputDev.cc 12 Dec 2005 22:43:27 -0000 1.18.2.2
@@ -246,8 +246,7 @@
cairo_set_font_matrix (cairo, &matrix);
}
-void CairoOutputDev::doPath(GfxState *state, GfxPath *path,
- GBool snapToGrid) {
+void CairoOutputDev::doPath(GfxState *state, GfxPath *path) {
GfxSubpath *subpath;
double x1, y1, x2, y2, x3, y3;
int i, j;
@@ -256,9 +255,6 @@
subpath = path->getSubpath(i);
if (subpath->getNumPoints() > 0) {
state->transform(subpath->getX(0), subpath->getY(0), &x1, &y1);
- if (snapToGrid) {
- x1 = round (x1); y1 = round (y1);
- }
cairo_move_to (cairo, x1, y1);
LOG (printf ("move_to %f, %f\n", x1, y1));
j = 1;
@@ -267,11 +263,6 @@
state->transform(subpath->getX(j), subpath->getY(j), &x1, &y1);
state->transform(subpath->getX(j+1), subpath->getY(j+1), &x2, &y2);
state->transform(subpath->getX(j+2), subpath->getY(j+2), &x3, &y3);
- if (snapToGrid) {
- x1 = round (x1); y1 = round (y1);
- x2 = round (x2); y2 = round (y2);
- x3 = round (x3); y3 = round (y3);
- }
cairo_curve_to (cairo,
x1, y1,
x2, y2,
@@ -280,9 +271,6 @@
j += 3;
} else {
state->transform(subpath->getX(j), subpath->getY(j), &x1, &y1);
- if (snapToGrid) {
- x1 = round (x1); y1 = round (y1);
- }
cairo_line_to (cairo, x1, y1);
LOG(printf ("line_to %f, %f\n", x1, y1));
++j;
@@ -297,7 +285,7 @@
}
void CairoOutputDev::stroke(GfxState *state) {
- doPath (state, state->getPath(), gFalse);
+ doPath (state, state->getPath());
cairo_set_source_rgba (cairo,
stroke_color.r, stroke_color.g, stroke_color.b,
stroke_opacity);
@@ -306,7 +294,7 @@
}
void CairoOutputDev::fill(GfxState *state) {
- doPath (state, state->getPath(), gFalse);
+ doPath (state, state->getPath());
cairo_set_fill_rule (cairo, CAIRO_FILL_RULE_WINDING);
cairo_set_source_rgba (cairo,
fill_color.r, fill_color.g, fill_color.b,
@@ -316,7 +304,7 @@
}
void CairoOutputDev::eoFill(GfxState *state) {
- doPath (state, state->getPath(), gFalse);
+ doPath (state, state->getPath());
cairo_set_fill_rule (cairo, CAIRO_FILL_RULE_EVEN_ODD);
cairo_set_source_rgb (cairo,
fill_color.r, fill_color.g, fill_color.b);
@@ -325,14 +313,14 @@
}
void CairoOutputDev::clip(GfxState *state) {
- doPath (state, state->getPath(), gFalse);
+ doPath (state, state->getPath());
cairo_set_fill_rule (cairo, CAIRO_FILL_RULE_WINDING);
cairo_clip (cairo);
LOG (printf ("clip\n"));
}
void CairoOutputDev::eoClip(GfxState *state) {
- doPath (state, state->getPath(), gFalse);
+ doPath (state, state->getPath());
cairo_set_fill_rule (cairo, CAIRO_FILL_RULE_EVEN_ODD);
cairo_clip (cairo);
LOG (printf ("clip-eo\n"));
Index: CairoOutputDev.h
===================================================================
RCS file: /cvs/poppler/poppler/poppler/CairoOutputDev.h,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -d -r1.7 -r1.7.2.1
--- CairoOutputDev.h 29 Jun 2005 21:24:57 -0000 1.7
+++ CairoOutputDev.h 12 Dec 2005 22:43:27 -0000 1.7.2.1
@@ -15,7 +15,7 @@
#endif
#include "goo/gtypes.h"
-#include <cairo/cairo-ft.h>
+#include <cairo-ft.h>
#include "OutputDev.h"
#include "GfxState.h"
@@ -133,7 +133,7 @@
void setSurface (cairo_surface_t *surface);
protected:
- void doPath(GfxState *state, GfxPath *path, GBool snapToGrid);
+ void doPath(GfxState *state, GfxPath *path);
GfxRGB fill_color;
GfxRGB stroke_color;
Index: JPXStream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/JPXStream.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -d -r1.1.1.1 -r1.1.1.1.2.1
--- JPXStream.cc 3 Mar 2005 19:46:03 -0000 1.1.1.1
+++ JPXStream.cc 12 Dec 2005 22:43:27 -0000 1.1.1.1.2.1
@@ -7,6 +7,7 @@
//========================================================================
#include <config.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -666,7 +667,7 @@
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +702,18 @@
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX/img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ nTiles = img.nXTiles * img.nYTiles;
+ if (nTiles >= INT_MAX/sizeof(JPXTile)) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
sizeof(JPXTileComp));
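Review bot: The loop at the end of the hunk still recomputes `img.nXTiles * img.nYTiles` as its bound although the validated product is now held in `nTiles`; writing it as `for (i = 0; i < nTiles; ++i) {` keeps the bound and the allocation size from drifting apart. The per-tile `gmalloc(img.nComps * sizeof(JPXTileComp))` inside that loop has no equivalent bound on `img.nComps`; if nComps is also taken from the SIZ segment (it appears to be, but its parsing is outside this hunk), a matching range check before this point would be consistent with the new one. Whether `<= 0` catches anything beyond zero depends on the declared type of `nXTiles`/`nYTiles`, which is not visible here; if they are unsigned only the zero case is rejected, which is still enough to keep the division safe. The enclosing function begins and ends outside the hunk.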
Index: Makefile.am
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Makefile.am,v
retrieving revision 1.9.2.1
retrieving revision 1.9.2.2
diff -u -d -r1.9.2.1 -r1.9.2.2
--- Makefile.am 21 Aug 2005 23:12:39 -0000 1.9.2.1
+++ Makefile.am 12 Dec 2005 22:43:27 -0000 1.9.2.2
@@ -89,7 +89,8 @@
$(cairo_libs) \
$(arthur_libs) \
$(libjpeg_libs) \
- $(zlib_libs)
+ $(zlib_libs) \
+ $(FREETYPE_LIBS)
poppler_includedir = $(includedir)/poppler
poppler_include_HEADERS = \
Index: SplashOutputDev.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/SplashOutputDev.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -d -r1.1.1.1 -r1.1.1.1.2.1
--- SplashOutputDev.cc 3 Mar 2005 19:46:01 -0000 1.1.1.1
+++ SplashOutputDev.cc 12 Dec 2005 22:43:27 -0000 1.1.1.1.2.1
@@ -623,16 +623,19 @@
}
break;
case fontTrueType:
- if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
- goto err2;
+ if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+ codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+ n = 256;
+ delete ff;
+ } else {
+ codeToGID = NULL;
+ n = 0;
}
- codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
- delete ff;
if (!(fontFile = fontEngine->loadTrueTypeFont(
id,
fileName->getCString(),
fileName == tmpFileName,
- codeToGID, 256))) {
+ codeToGID, n))) {
error(-1, "Couldn't create a font for '%s'",
gfxFont->getName() ? gfxFont->getName()->getCString()
: "(unnamed)");
Index: Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -u -d -r1.3 -r1.3.2.1
--- Stream.cc 27 Apr 2005 20:56:18 -0000 1.3
+++ Stream.cc 12 Dec 2005 22:43:27 -0000 1.3.2.1
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+#include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
@@ -420,13 +421,28 @@
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits) {
+ return;
+ }
nVals = width * nComps;
+ if (nVals + 7 <= 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
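Review bot: The checks `nVals + 7 <= 0` and `rowBytes < 0` try to detect overflow after it has occurred on signed `int` values, which is undefined behaviour and may be optimised away by the compiler; the guard before the multiplications should make them unnecessary instead. As written, `width >= INT_MAX/nComps/nBits` still lets `nVals` reach close to `INT_MAX` when `nBits == 1`, so `nVals + 7` can wrap; tightening that last precondition to `width > (INT_MAX - 7) / nComps / nBits` bounds `width * nComps * nBits` by `INT_MAX - 7`, after which `nVals + 7`, `nVals * nBits + 7` and the final `rowBytes` sum (two values each at most `INT_MAX >> 3`) are all representable and the two post-hoc checks can be dropped. The constructor begins before the hunk.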
StreamPredictor::~StreamPredictor() {
@@ -1020,6 +1036,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
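Review bot: When `isOk()` is false the predictor is discarded silently and decoding continues with `pred = NULL`, so a stream whose predictor parameters were rejected now decodes as if no predictor had been declared, with no diagnostic for the caller or the log; the DCT hunks in this same commit report their rejected values through `error()`, and this path should do the same, e.g. `error(getPos(), "Bad predictor parameters");` before `delete pred;`. The later hunk `@@ -3268,6 +3300,10 @@` in this file repeats the pattern and would take the same change. The class name of the enclosing constructor is outside the hunk, so which stream types are affected cannot be confirmed from here.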
@@ -2907,6 +2927,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
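Review bot: `error(getPos(), "Bad number of components in DCT stream", prec)` passes `prec` as a variadic argument although the format string contains no conversion for it, so the value is silently ignored and the message never says what was rejected; either drop the argument or make the message carry the offending value, `error(getPos(), "Bad number of components %d in DCT stream", numComps);`. The second DCT hunk `@@ -2933,6 +2957,10 @@` has the identical spurious argument, while the scan-info hunk that follows already omits it. The surrounding functions begin and end outside the hunks.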
@@ -2933,6 +2957,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2955,6 +2983,10 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
@@ -3268,6 +3300,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
Index: Stream.h
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.h,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -u -d -r1.3 -r1.3.2.1
--- Stream.h 27 Apr 2005 20:56:18 -0000 1.3
+++ Stream.h 12 Dec 2005 22:43:27 -0000 1.3.2.1
@@ -231,6 +231,8 @@
~StreamPredictor();
+ GBool isOk() { return ok; }
+
int lookChar();
int getChar();
@@ -248,6 +250,7 @@
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
+ GBool ok;
};
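Review bot: `GBool ok;` is the only member in this block without the trailing comment its neighbours carry, and its meaning is only discoverable from the constructor in Stream.cc; suggest `GBool ok; // parameters validated and predLine allocated; checked via isOk()`.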
//------------------------------------------------------------------------
Index: TextOutputDev.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/TextOutputDev.cc,v
retrieving revision 1.6.2.4
retrieving revision 1.6.2.5
diff -u -d -r1.6.2.4 -r1.6.2.5
--- TextOutputDev.cc 24 Aug 2005 18:17:51 -0000 1.6.2.4
+++ TextOutputDev.cc 12 Dec 2005 22:43:27 -0000 1.6.2.5
@@ -3025,7 +3025,7 @@
virtual void visitWord (TextWord *word, int begin, int end,
PDFRectangle *selection) { };
- GooString *TextSelectionDumper::getText(void);
+ GooString *getText(void);
private:
TextLineFrag *frags;
@@ -3351,8 +3351,8 @@
(selection->x2 < p->xMax && selection->y2 < p->yMax))
if (begin == NULL)
begin = p;
- if ((selection->x1 > p->xMin && selection->y1 > p->yMin) ||
- (selection->x2 > p->xMin && selection->y2 > p->yMin))
+ if ((selection->x1 > p->xMin && selection->y1 > p->yMin ||
+ selection->x2 > p->xMin && selection->y2 > p->yMin) && (begin != NULL))
end = p->next;
}
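Review bot: The new condition mixes `&&` and `||` inside the first parenthesised group without grouping the two `&&` terms, which GCC reports under -Wparentheses and which a reader has to resolve from operator precedence; write it as `if (((selection->x1 > p->xMin && selection->y1 > p->yMin) || (selection->x2 > p->xMin && selection->y2 > p->yMin)) && begin != NULL)` so the intent is explicit. The added `begin != NULL` guard is the crash fix (#4402) from the log and is correct as far as this hunk shows; the hunk `@@ -3419,8 +3419,8 @@` carries the same expression and would take the same rewrite. Both enclosing functions begin and end outside the hunks.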
@@ -3419,8 +3419,8 @@
stop_y = selection->y1;
}
- if (selection->x1 > p->xMin && selection->y1 > p->yMin ||
- selection->x2 > p->xMin && selection->y2 > p->yMin)
+ if ((selection->x1 > p->xMin && selection->y1 > p->yMin ||
+ selection->x2 > p->xMin && selection->y2 > p->yMin) && (begin != NULL))
end = p->next;
}