[poppler] Branch 'poppler-0.10' - poppler/CairoOutputDev.cc poppler/JBIG2Stream.cc poppler/JBIG2Stream.h splash/SplashBitmap.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Thu Apr 16 13:11:18 PDT 2009
poppler/CairoOutputDev.cc | 2
poppler/JBIG2Stream.cc | 447 ++++++++++++++++++++++++++++++++--------------
poppler/JBIG2Stream.h | 4
splash/SplashBitmap.cc | 2
4 files changed, 326 insertions(+), 129 deletions(-)
New commits:
commit 763bfd27a50a9f8176fe112823839549e4498a39
Author: Albert Astals Cid <aacid at kde.org>
Date: Thu Apr 16 22:07:15 2009 +0200
Fix problems that happen when parsing broken JBIG2 files
Fixes
CVE-2009-0799 xpdf OOB Read
CVE-2009-0800 xpdf Multiple Input Validation Flaws
CVE-2009-1179 xpdf Integer Overflow
CVE-2009-1180 xpdf Invalid free()
CVE-2009-1181 xpdf NULL dereference DoS
CVE-2009-1182 xpdf MMR Decoder Buffer Overflows
CVE-2009-1183 xpdf MMR Infinite Loop DoS
CVE-2009-1187 poppler CairoOutputDev integer overflow
CVE-2009-1188 poppler SplashBitmap integer overflow
Patch based on a patch by Derek Noonburg
Some files still hit the exit(1) in goo.c but at least none is really crashing
diff --git a/poppler/CairoOutputDev.cc b/poppler/CairoOutputDev.cc
index 07583b5..d4fb632 100644
--- a/poppler/CairoOutputDev.cc
+++ b/poppler/CairoOutputDev.cc
@@ -1605,7 +1605,7 @@ void CairoOutputDev::drawImage(GfxState *state, Object *ref, Stream *str,
cairo_matrix_t matrix;
int is_identity_transform;
- buffer = (unsigned char *)gmalloc (width * height * 4);
+ buffer = (unsigned char *)gmallocn (width, height * 4);
/* TODO: Do we want to cache these? */
imgStr = new ImageStream(str, width,
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 938927e..33cd427 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -438,12 +438,14 @@ void JBIG2HuffmanDecoder::buildTable(JBIG2HuffmanTable *table, Guint len) {
table[i] = table[len];
// assign prefixes
- i = 0;
- prefix = 0;
- table[i++].prefix = prefix++;
- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
- prefix <<= table[i].prefixLen - table[i-1].prefixLen;
- table[i].prefix = prefix++;
+ if (table[0].rangeLen != jbig2HuffmanEOT) {
+ i = 0;
+ prefix = 0;
+ table[i++].prefix = prefix++;
+ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+ prefix <<= table[i].prefixLen - table[i-1].prefixLen;
+ table[i].prefix = prefix++;
+ }
}
}
@@ -507,7 +509,7 @@ int JBIG2MMRDecoder::get2DCode() {
}
if (p->bits < 0) {
error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
- return 0;
+ return EOF;
}
bufLen -= p->bits;
return p->n;
@@ -779,6 +781,8 @@ void JBIG2Bitmap::clearToOne() {
inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
if (y < 0 || y >= h || x >= w) {
ptr->p = NULL;
+ ptr->shift = 0; // make gcc happy
+ ptr->x = 0; // make gcc happy
} else if (x < 0) {
ptr->p = &data[y * line];
ptr->shift = 7;
@@ -823,6 +827,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
GBool oneByte;
+ // check for the pathological case where y = -2^31
+ if (y < -0x7fffffff) {
+ return;
+ }
if (y < 0) {
y0 = -y;
} else {
@@ -1325,6 +1333,13 @@ void JBIG2Stream::readSegments() {
// keep track of the start of the segment data
segDataPos = getPos();
+ // check for missing page information segment
+ if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
+ (segType >= 20 && segType <= 43))) {
+ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment");
+ goto syntaxError;
+ }
+
// read the segment data
switch (segType) {
case 0:
@@ -1479,6 +1494,8 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
Guint i, j, k;
Guchar *p;
+ symWidths = NULL;
+
// symbol dictionary flags
if (!readUWord(&flags)) {
goto eofError;
@@ -1539,7 +1556,13 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
// part of it
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
+ j = ((JBIG2SymbolDict *)seg)->getSize();
+ if (numInputSyms > UINT_MAX - j) {
+ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+ delete codeTables;
+ goto eofError;
+ }
+ numInputSyms += j;
} else if (seg->getType() == jbig2SegCodeTable) {
codeTables->append(seg);
}
@@ -1548,13 +1571,18 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
return gFalse;
}
}
+ if (numInputSyms > UINT_MAX - numNewSyms) {
+ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+ delete codeTables;
+ goto eofError;
+ }
// compute symbol code length
- symCodeLen = 0;
- i = 1;
- while (i < numInputSyms + numNewSyms) {
+ symCodeLen = 1;
+ i = (numInputSyms + numNewSyms) >> 1;
+ while (i) {
++symCodeLen;
- i <<= 1;
+ i >>= 1;
}
// get the input symbol bitmaps
@@ -1585,6 +1613,9 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
} else if (huffDH == 1) {
huffDHTable = huffTableE;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDW == 0) {
@@ -1592,17 +1623,26 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
} else if (huffDW == 1) {
huffDWTable = huffTableC;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffBMSize == 0) {
huffBMSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffBMSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffAggInst == 0) {
huffAggInstTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffAggInstTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
@@ -1635,7 +1675,6 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
}
// allocate symbol widths storage
- symWidths = NULL;
if (huff && !refAgg) {
symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
}
@@ -1677,6 +1716,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
goto syntaxError;
}
symWidth += dw;
+ if (i >= numNewSyms) {
+ error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
// using a collective bitmap, so don't read a bitmap here
if (huff && !refAgg) {
@@ -1713,6 +1756,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
arithDecoder->decodeInt(&refDX, iardxStats);
arithDecoder->decodeInt(&refDY, iardyStats);
}
+ if (symID >= numInputSyms + i) {
+ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
refBitmap = bitmaps[symID];
bitmaps[numInputSyms + i] =
readGenericRefinementRegion(symWidth, symHeight,
@@ -1779,6 +1826,13 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
} else {
arithDecoder->decodeInt(&run, iaexStats);
}
+ if (i + run > numInputSyms + numNewSyms ||
+ (ex && j + run > numExSyms)) {
+ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
+ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL);
+ delete symbolDict;
+ goto syntaxError;
+ }
if (ex) {
for (cnt = 0; cnt < run; ++cnt) {
symbolDict->setBitmap(j++, bitmaps[i++]->copy());
@@ -1788,10 +1842,11 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
}
ex = !ex;
}
- for ( ; j < numExSyms; ++j) {
- // this should never happen but happens on PDF we don't parse
- // correctly like bug #19702
- symbolDict->setBitmap(j, NULL);
+ if (j != numExSyms) {
+ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
+ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL);
+ delete symbolDict;
+ goto syntaxError;
}
for (i = 0; i < numNewSyms; ++i) {
@@ -1815,6 +1870,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
return gTrue;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 symbol dictionary");
+ delete codeTables;
+
syntaxError:
for (i = 0; i < numNewSyms; ++i) {
if (bitmaps[numInputSyms + i]) {
@@ -1917,6 +1976,8 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
}
} else {
error(getPos(), "Invalid segment reference in JBIG2 text region");
+ delete codeTables;
+ return;
}
}
symCodeLen = 0;
@@ -1951,6 +2012,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffFS == 1) {
huffFSTable = huffTableG;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDS == 0) {
@@ -1960,6 +2024,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffDS == 2) {
huffDSTable = huffTableJ;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDT == 0) {
@@ -1969,6 +2036,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffDT == 2) {
huffDTTable = huffTableM;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDW == 0) {
@@ -1976,6 +2046,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffRDW == 1) {
huffRDWTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDH == 0) {
@@ -1983,6 +2056,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffRDH == 1) {
huffRDHTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDX == 0) {
@@ -1990,6 +2066,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffRDX == 1) {
huffRDXTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDY == 0) {
@@ -1997,11 +2076,17 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
} else if (huffRDY == 1) {
huffRDYTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRSize == 0) {
huffRSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
@@ -2098,8 +2183,15 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
return;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 text region");
+ gfree(codeTables);
+ delete syms;
+ return;
+
eofError:
error(getPos(), "Unexpected EOF in JBIG2 stream");
+ return;
}
JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
@@ -2134,6 +2226,10 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
// allocate the bitmap
bitmap = new JBIG2Bitmap(0, w, h);
+ if (!bitmap->isOk()) {
+ delete bitmap;
+ return NULL;
+ }
if (defPixel) {
bitmap->clearToOne();
} else {
@@ -2226,7 +2322,7 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats);
}
- if (decodeSuccess)
+ if (decodeSuccess && syms[symID])
{
refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
@@ -2577,7 +2673,9 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, GBool imm,
// read the bitmap
bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
- NULL, atx, aty, mmr ? 0 : length - 18);
+ NULL, atx, aty, mmr ? length - 18 : 0);
+ if (!bitmap)
+ return;
// combine the region bitmap into the page bitmap
if (imm) {
@@ -2599,6 +2697,43 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, GBool imm,
error(getPos(), "Unexpected EOF in JBIG2 stream");
}
+inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+ ++*a0i;
+ }
+ codingLine[*a0i] = a1;
+ }
+}
+
+inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+ ++*a0i;
+ }
+ codingLine[*a0i] = a1;
+ } else if (a1 < codingLine[*a0i]) {
+ if (a1 < 0) {
+ error(getPos(), "Invalid JBIG2 MMR code");
+ a1 = 0;
+ }
+ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) {
+ --*a0i;
+ }
+ codingLine[*a0i] = a1;
+ }
+}
+
JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
int templ, GBool tpgdOn,
GBool useSkip, JBIG2Bitmap *skip,
@@ -2611,9 +2746,13 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
JBIG2BitmapPtr atPtr0 = {0}, atPtr1 = {0}, atPtr2 = {0}, atPtr3 = {0};
int *refLine, *codingLine;
int code1, code2, code3;
- int x, y, a0, pix, i, refI, codingI;
+ int x, y, a0i, b1i, blackPixels, pix, i;
bitmap = new JBIG2Bitmap(0, w, h);
+ if (!bitmap->isOk()) {
+ delete bitmap;
+ return NULL;
+ }
bitmap->clearToZero();
//----- MMR decode
@@ -2621,9 +2760,18 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
if (mmr) {
mmrDecoder->reset();
+ if (w > INT_MAX - 2) {
+ error(getPos(), "Bad width in JBIG2 generic bitmap");
+ // force a call to gmalloc(-1), which will throw an exception
+ w = -3;
+ }
+ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w
+ // ---> max codingLine size = w + 1
+ // refLine has one extra guard entry at the end
+ // ---> max refLine size = w + 2
+ codingLine = (int *)gmallocn(w + 1, sizeof(int));
refLine = (int *)gmallocn(w + 2, sizeof(int));
- codingLine = (int *)gmallocn(w + 2, sizeof(int));
- codingLine[0] = codingLine[1] = w;
+ codingLine[0] = w;
for (y = 0; y < h; ++y) {
@@ -2631,128 +2779,157 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
for (i = 0; codingLine[i] < w; ++i) {
refLine[i] = codingLine[i];
}
- refLine[i] = refLine[i + 1] = w;
+ refLine[i++] = w;
+ refLine[i] = w;
// decode a line
- refI = 0; // b1 = refLine[refI]
- codingI = 0; // a1 = codingLine[codingI]
- a0 = 0;
- do {
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
+ blackPixels = 0;
+ // invariant:
+ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w
+ // exception at left edge:
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
+ // exception at right edge:
+ // refLine[b1i] = refLine[b1i+1] = w is possible
+ while (codingLine[a0i] < w) {
code1 = mmrDecoder->get2DCode();
switch (code1) {
case twoDimPass:
- if (refLine[refI] < w) {
- a0 = refLine[refI + 1];
- refI += 2;
- }
- break;
+ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w);
+ if (refLine[b1i + 1] < w) {
+ b1i += 2;
+ }
+ break;
case twoDimHoriz:
- if (codingI & 1) {
- code1 = 0;
- do {
- code1 += code3 = mmrDecoder->getBlackCode();
- } while (code3 >= 64);
- code2 = 0;
- do {
- code2 += code3 = mmrDecoder->getWhiteCode();
- } while (code3 >= 64);
- } else {
- code1 = 0;
- do {
- code1 += code3 = mmrDecoder->getWhiteCode();
- } while (code3 >= 64);
- code2 = 0;
- do {
- code2 += code3 = mmrDecoder->getBlackCode();
- } while (code3 >= 64);
- }
- if (code1 > 0 || code2 > 0) {
- a0 = codingLine[codingI++] = a0 + code1;
- a0 = codingLine[codingI++] = a0 + code2;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVert0:
- a0 = codingLine[codingI++] = refLine[refI];
- if (refLine[refI] < w) {
- ++refI;
- }
- break;
- case twoDimVertR1:
- a0 = codingLine[codingI++] = refLine[refI] + 1;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVertR2:
- a0 = codingLine[codingI++] = refLine[refI] + 2;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
+ code1 = code2 = 0;
+ if (blackPixels) {
+ do {
+ code1 += code3 = mmrDecoder->getBlackCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = mmrDecoder->getWhiteCode();
+ } while (code3 >= 64);
+ } else {
+ do {
+ code1 += code3 = mmrDecoder->getWhiteCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = mmrDecoder->getBlackCode();
+ } while (code3 >= 64);
+ }
+ mmrAddPixels(codingLine[a0i] + code1, blackPixels,
+ codingLine, &a0i, w);
+ if (codingLine[a0i] < w) {
+ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1,
+ codingLine, &a0i, w);
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ break;
case twoDimVertR3:
- a0 = codingLine[codingI++] = refLine[refI] + 3;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVertL1:
- a0 = codingLine[codingI++] = refLine[refI] - 1;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
- case twoDimVertL2:
- a0 = codingLine[codingI++] = refLine[refI] - 2;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
+ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR2:
+ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR1:
+ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVert0:
+ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
case twoDimVertL3:
- a0 = codingLine[codingI++] = refLine[refI] - 3;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
+ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL2:
+ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL1:
+ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case EOF:
+ mmrAddPixels(w, 0, codingLine, &a0i, w);
+ break;
default:
error(getPos(), "Illegal code in JBIG2 MMR bitmap data");
+ mmrAddPixels(w, 0, codingLine, &a0i, w);
break;
}
- } while (a0 < w);
- codingLine[codingI++] = w;
+ }
// convert the run lengths to a bitmap line
i = 0;
- while (codingLine[i] < w) {
+ while (1) {
for (x = codingLine[i]; x < codingLine[i+1]; ++x) {
bitmap->setPixel(x, y);
}
+ if (codingLine[i+1] >= w || codingLine[i+2] >= w) {
+ break;
+ }
i += 2;
}
}
@@ -2800,7 +2977,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
ltp = !ltp;
}
if (ltp) {
- bitmap->duplicateRow(y, y-1);
+ if (y > 0) {
+ bitmap->duplicateRow(y, y-1);
+ }
continue;
}
}
@@ -3111,6 +3290,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ } else {
+ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
+ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
+ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
}
for (x = 0; x < w; ++x) {
@@ -3182,6 +3365,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ } else {
+ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
+ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
+ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
}
for (x = 0; x < w; ++x) {
@@ -3247,6 +3434,12 @@ void JBIG2Stream::readPageInfoSeg(Guint length) {
}
pageBitmap = new JBIG2Bitmap(0, pageW, curPageH);
+ if (!pageBitmap->isOk()) {
+ delete pageBitmap;
+ pageBitmap = NULL;
+ return;
+ }
+
// default pixel value
if (pageDefPixel) {
pageBitmap->clearToOne();
diff --git a/poppler/JBIG2Stream.h b/poppler/JBIG2Stream.h
index 7a73938..ca1fee7 100644
--- a/poppler/JBIG2Stream.h
+++ b/poppler/JBIG2Stream.h
@@ -76,6 +76,10 @@ private:
Guint *refSegs, Guint nRefSegs);
void readGenericRegionSeg(Guint segNum, GBool imm,
GBool lossless, Guint length);
+ void mmrAddPixels(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w);
+ void mmrAddPixelsNeg(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w);
JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h,
int templ, GBool tpgdOn,
GBool useSkip, JBIG2Bitmap *skip,
diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc
index 97d622c..7004c19 100644
--- a/splash/SplashBitmap.cc
+++ b/splash/SplashBitmap.cc
@@ -62,7 +62,7 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, int rowPad,
}
rowSize += rowPad - 1;
rowSize -= rowSize % rowPad;
- data = (SplashColorPtr)gmalloc(rowSize * height);
+ data = (SplashColorPtr)gmallocn(rowSize, height);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
More information about the poppler
mailing list