[poppler] 13 commits - fofi/FoFiType1.cc poppler/Decrypt.cc poppler/Dict.h poppler/Form.cc poppler/Function.cc poppler/Gfx.cc poppler/Stream.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Tue Sep 21 11:20:23 PDT 2010


 fofi/FoFiType1.cc   |    5 +++--
 poppler/Decrypt.cc  |    4 +++-
 poppler/Dict.h      |    3 +++
 poppler/Form.cc     |   32 +++++++++++++++++++++++++++-----
 poppler/Function.cc |    7 ++++++-
 poppler/Gfx.cc      |   39 +++++++++++++++++++++++++++++++++------
 poppler/Stream.cc   |    1 +
 7 files changed, 76 insertions(+), 15 deletions(-)

New commits:
commit d2578bd66129466b2dd114b6407c147598e09d2b
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:19:27 2010 +0100

    Avoid loops in Form::fieldLookup
    
    Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Dict.h b/poppler/Dict.h
index bb747d5..a76bc89 100644
--- a/poppler/Dict.h
+++ b/poppler/Dict.h
@@ -16,6 +16,7 @@
 // Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
 // Copyright (C) 2006 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
 // Copyright (C) 2007-2008 Julien Rebetez <julienr at svn.gnome.org>
+// Copyright (C) 2010 Albert Astals Cid <aacid at kde.org>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -83,6 +84,8 @@ public:
   // trailer dictionary, which is read before the xref table is
   // parsed.
   void setXRef(XRef *xrefA) { xref = xrefA; }
+  
+  XRef *getXRef() { return xref; }
 
 private:
 
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 21ca672..ae9c509 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -22,6 +22,7 @@
 #pragma implementation
 #endif
 
+#include <set>
 #include <stddef.h>
 #include <string.h>
 #include "goo/gmem.h"
@@ -1181,7 +1182,7 @@ Form::~Form() {
 }
 
 // Look up an inheritable field dictionary entry.
-Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+static Object *fieldLookup(Dict *field, char *key, Object *obj, std::set<int> *usedParents) {
   Dict *dict;
   Object parent;
 
@@ -1190,8 +1191,23 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
     return obj;
   }
   obj->free();
-  if (dict->lookup("Parent", &parent)->isDict()) {
-    fieldLookup(parent.getDict(), key, obj);
+  dict->lookupNF("Parent", &parent);
+  if (parent.isRef()) {
+    const Ref ref = parent.getRef();
+    if (usedParents->find(ref.num) == usedParents->end()) {
+      usedParents->insert(ref.num);
+
+      Object obj2;
+      parent.fetch(dict->getXRef(), &obj2);
+      if (obj2.isDict()) {
+        fieldLookup(obj2.getDict(), key, obj, usedParents);
+      } else {
+        obj->initNull();
+      }
+      obj2.free();
+    }
+  } else if (parent.isDict()) {
+    fieldLookup(parent.getDict(), key, obj, usedParents);
   } else {
     obj->initNull();
   }
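Review bot: When the cycle guard fires (the parent `Ref` is already in `usedParents`) nothing is stored into `obj`, although it was `free()`d at the top of the hunk, so that path presumably hands the caller a freed/none object instead of the `objNull` every other failure branch produces via `obj->initNull()`. Add an else to the `find` check, `} else { obj->initNull(); }`, so callers that test `isNull()` behave the same whether the chain ended or looped. Keying the set on `ref.num` alone ignores `gen`; that is fine for cycle detection but deserves a comment such as `// keyed on object number only: a repeat at any generation means we are looping`. The function's declaration is in the previous hunk and its tail in the next, so the `parent.free()` between them is not visible here.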
@@ -1199,6 +1215,11 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
   return obj;
 }
 
+Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+  std::set<int> usedParents;
+  return ::fieldLookup(field, key, obj, &usedParents);
+}
+
 FormField *Form::createFieldFromDict (Object* obj, XRef *xrefA, const Ref& pref)
 {
     Object obj2;
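Review bot: The public `Form::fieldLookup` wrapper carries no comment, and the original header line `// Look up an inheritable field dictionary entry.` now sits on the file-static helper, so a reader of the member function sees no contract at all. Suggest above the wrapper: `// Look up an inheritable field dictionary entry, following /Parent links; the visited set bounds the walk so a /Parent cycle in a malformed PDF cannot recurse without end.` Since the helper only reads `key`, it could also be `const char *`, though the matching declaration in Form.h is outside this diff.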
commit 2fe825deac055be82b220d0127169cb3d61387a8
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:15:25 2010 +0100

    Make sure obj1 is a num before reading it
    
    Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 7b85d79..76dae02 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) {
   }
   for (i = 0; i < 4; ++i) {
     bboxObj.arrayGet(i, &obj1);
-    bbox[i] = obj1.getNum();
-    obj1.free();
+    if (likely(obj1.isNum())) {
+      bbox[i] = obj1.getNum();
+      obj1.free();
+    } else {
+      obj1.free();
+      error(getPos(), "Bad form bounding box value");
+      return;
+    }
   }
   bboxObj.free();
 
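Review bot: The new error path in `Gfx::doForm` returns with `bboxObj` still live: it is the array the loop indexes with `arrayGet`, and its `bboxObj.free()` sits after the loop on the success path only, so every malformed-bbox document now leaks that object. Add `bboxObj.free();` before the `return;` in the else branch; freeing `obj1` alone is not enough. `doForm` starts above this hunk, so I cannot tell whether other objects fetched earlier in the function also need releasing on this exit.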
@@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
     }
     for (i = 0; i < 4; ++i) {
       bboxObj.arrayGet(i, &obj1);
-      bbox[i] = obj1.getNum();
-      obj1.free();
+      if (likely(obj1.isNum())) {
+        bbox[i] = obj1.getNum();
+        obj1.free();
+      } else {
+        obj1.free();
+        error(getPos(), "Bad form bounding box value");
+        return;
+      }
     }
     bboxObj.free();
 
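Review bot: In `Gfx::drawAnnot` the added `return;` leaves `bboxObj` unfreed, since the loop reads it through `arrayGet` and the only `bboxObj.free()` is the one after the loop; the early exit skips it. Put `bboxObj.free();` in the else branch ahead of the `return;`. The message `"Bad form bounding box value"` is copied from `doForm`; here the object is an annotation appearance, so `"Bad annotation appearance bounding box value"` would point at the right dictionary when it appears in a log. The function begins outside the hunk, so any other cleanup owed on this path is not visible.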
commit 473de6f88a055bb03470b4af5fa584be8cb5fda4
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:11:42 2010 +0100

    Fix memory leak if obj2 is not a dict
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Form.cc b/poppler/Form.cc
index 4df8a7d..21ca672 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -715,13 +715,14 @@ FormField::FormField(XRef* xrefA, Object *aobj, const Ref& aref, FormFieldType t
     // Load children
     for(int i=0; i<length; i++) { 
       Object obj2,obj3;
-      Object childRef;
       array->get(i, &obj2);
-      array->getNF(i, &childRef);
       if (!obj2.isDict ()) {
 	      error (-1, "Reference to an invalid or non existant object");
+	      obj2.free();
 	      continue;
       }
+      Object childRef;
+      array->getNF(i, &childRef);
       //field child
       if (dict->lookup ("FT", &obj3)->isName()) {
         // If I'm not a generic container field and my children
commit 9706e28657ff7ea52aa69d9efb3f91d0cfaee70b
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:09:37 2010 +0100

    Fix crash when idx is out of range
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Function.cc b/poppler/Function.cc
index ea35b7b..e7383fd 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -425,7 +425,7 @@ void SampledFunction::transform(double *in, double *out) {
       if (likely(idx >= 0 && idx < nSamples)) {
         sBuf[j] = samples[idx];
       } else {
-        sBuf[j] = 0;
+        sBuf[j] = 0; // TODO Investigate if this is what Adobe does
       }
     }
 
commit 26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:08:54 2010 +0100

    Fix crash when idx is out of range
    
    Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Function.cc b/poppler/Function.cc
index b28ee3d..ea35b7b 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -422,7 +422,11 @@ void SampledFunction::transform(double *in, double *out) {
       for (k = 0, t = j; k < m; ++k, t >>= 1) {
 	idx += idxMul[k] * (e[k][t & 1]);
       }
-      sBuf[j] = samples[idx];
+      if (likely(idx >= 0 && idx < nSamples)) {
+        sBuf[j] = samples[idx];
+      } else {
+        sBuf[j] = 0;
+      }
     }
 
     // do m sets of interpolations
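Review bot: The else branch substitutes 0 for an out-of-range sample silently, so a malformed /Sampled function now renders wrong colours with nothing in the log; add `error(-1, "Sampled function index out of range");` there so such files can be traced. The check also treats the symptom: `idx` is assembled from `e[k]` and `idxMul[k]`, so the root cause is presumably an `e[k]` outside `[0, sampleSize[k]-1]`, and clamping it where it is computed would keep the lookup in range by construction. `idxMul[k] * e[k]` can in principle still overflow `int` for very large sample tables, which this guard does not catch. Both the `e[k]` computation and the `nSamples` allocation are outside this hunk.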
commit dfdf3602bde47d1be7788a44722c258bfa0c6d6e
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:07:12 2010 +0100

    Give a value to color.c[i]
    
    Might not be the best solution but it's better than having a random
    value there
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 919086e..7b85d79 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1533,6 +1533,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
       for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
 	if (args[i].isNum()) {
 	  color.c[i] = dblToCol(args[i].getNum());
+	} else {
+	  color.c[i] = 0; // TODO Investigate if this is what Adobe does
 	}
       }
       state->setFillColor(&color);
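Review bot: Zeroing the component hides a malformed operand: a non-numeric argument to `scn` is a content-stream error and should at least be reported in the new else branch, e.g. `error(getPos(), "Non-numeric color component in scn");`, otherwise the TODO has no runtime trace. The same three-line else block is added at four sites in this commit (fill and stroke, with and without a pattern name), so a small helper that converts `args[i]` to a component with the fallback would keep them in step once the Adobe behaviour is settled. The loop only touches components below `numArgs - 1`, so whether the remaining entries of `color.c` are initialised depends on code outside the hunk.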
@@ -1552,6 +1554,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
     for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
       if (args[i].isNum()) {
 	color.c[i] = dblToCol(args[i].getNum());
+      } else {
+        color.c[i] = 0; // TODO Investigate if this is what Adobe does
       }
     }
     state->setFillColor(&color);
@@ -1576,6 +1580,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
       for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
 	if (args[i].isNum()) {
 	  color.c[i] = dblToCol(args[i].getNum());
+	} else {
+	  color.c[i] = 0; // TODO Investigate if this is what Adobe does
 	}
       }
       state->setStrokeColor(&color);
@@ -1595,6 +1601,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
     for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
       if (args[i].isNum()) {
 	color.c[i] = dblToCol(args[i].getNum());
+      } else {
+        color.c[i] = 0; // TODO Investigate if this is what Adobe does
       }
     }
     state->setStrokeColor(&color);
commit 01c85c08305bae16242f5979ab107fa5bb5f5100
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:04:37 2010 +0100

    Forgot my (C) here

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index 128dbb9..abca820 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2008 Julien Rebetez <julien at fhtagn.net>
-// Copyright (C) 2008 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008, 2010 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2009 Matthias Franz <matthias at ktug.or.kr>
 // Copyright (C) 2009 David Benjamin <davidben at mit.edu>
 //
commit bf2055088a3a2d3bb3d3c37d464954ec1a25771f
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:03:19 2010 +0100

    Properly initialize stack
    
    Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Function.cc b/poppler/Function.cc
index b7c23fe..b28ee3d 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -1108,6 +1108,7 @@ PostScriptFunction::PostScriptFunction(Object *funcObj, Dict *dict) {
   code = NULL;
   codeString = NULL;
   codeSize = 0;
+  stack = NULL;
   ok = gFalse;
   cache = new PopplerCache(5);
 
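Review bot: The new `stack = NULL;` has no why-comment, and nothing in this constructor shows who depends on it; presumably the destructor deletes `stack` and the constructor can leave with `ok = gFalse` before the stack is allocated. Suggest `stack = NULL; // destructor frees it; parsing below may fail before it is allocated`. The rest of the constructor and the destructor are outside the hunk, so that reading is unconfirmed.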
commit e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 19:01:36 2010 +0100

    Properly initialize parser
    
    Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index fc004b8..919086e 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -536,6 +536,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, int pageNum, Dict *resDict, Catalog *cata
   drawText = gFalse;
   maskHaveCSPattern = gFalse;
   mcStack = NULL;
+  parser = NULL;
 
   // start the resource stack
   res = new GfxResources(xref, resDict, NULL);
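Review bot: This is the second member that had to be added to the hand-written init run in both Gfx constructors in one afternoon (`mcStack = NULL` directly above it is the previous one), and the fix is duplicated in the next hunk for the other constructor. A private `initCommon()` called from both constructors would leave one list to keep complete, so the next forgotten member does not become another crash. A comment on the new line naming which reader tolerates the NULL, e.g. `parser = NULL; // read before the first go()/display(); callers check for NULL`, would also record why it matters; the consumer is outside this hunk, so adjust the wording to what the code actually does.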
@@ -590,6 +591,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, Dict *resDict, Catalog *catalogA,
   drawText = gFalse;
   maskHaveCSPattern = gFalse;
   mcStack = NULL;
+  parser = NULL;
 
   // start the resource stack
   res = new GfxResources(xref, resDict, NULL);
commit 3422638b2a39cbdd33a114a7d7debc0a5f688501
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 18:58:43 2010 +0100

    Fix crash in broken pdf (parser->getStream() is 0)
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 50870cc..fc004b8 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4449,8 +4449,13 @@ Stream *Gfx::buildImageStream() {
   obj.free();
 
   // make stream
-  str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
-  str = str->addFilters(&dict);
+  if (parser->getStream()) {
+    str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
+    str = str->addFilters(&dict);
+  } else {
+    str = NULL;
+    dict.free();
+  }
 
   return str;
 }
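Review bot: `Gfx::buildImageStream` now returns NULL as a normal outcome, yet the hunk logs nothing about it, and the caller (outside this hunk) has to check the result before use; add `error(getPos(), "Inline image has no stream to read from");` in the else branch so a truncated content stream shows up in the log instead of as a silently dropped image. `parser->getStream()` is also evaluated twice; a local `Stream *base = parser->getStream();` keeps the check and the use on the same value. The function body starts above the hunk, so the earlier object handling that `dict` depends on is not visible here.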
commit a2dab0238a69240dad08eca2083110b52ce488b7
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 18:55:51 2010 +0100

    Initialize properly charactersRead
    
    It is possible that there are calls to getPos before reset
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index ca294d3..128dbb9 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -229,6 +229,8 @@ DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey,
   if ((objKeyLength = keyLength + 5) > 16) {
     objKeyLength = 16;
   }
+
+  charactersRead = 0;
 }
 
 DecryptStream::~DecryptStream() {
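Review bot: The `charactersRead = 0;` at the tail of the constructor gives no hint why it is needed; the commit message explains that `getPos()` can run before `reset()`, and that belongs in the code: `charactersRead = 0; // getPos() may be called before reset() initialises this`. Whether `reset()` also zeroes it is outside the hunk.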
commit 39d140bfc0b8239bdd96d6a55842034ae5c05473
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 18:54:31 2010 +0100

    Fix crash in broken pdf (code < 0)
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
index 25bdc0e..3fe7f4f 100644
--- a/fofi/FoFiType1.cc
+++ b/fofi/FoFiType1.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005, 2008 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2008, 2010 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
 // Copyright (C) 2010 Jakub Wilk <ubanus at users.sf.net>
 //
@@ -31,6 +31,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include "goo/gmem.h"
+#include "goo/GooLikely.h"
 #include "FoFiEncodings.h"
 #include "FoFiType1.h"
 #include "poppler/Error.h"
@@ -243,7 +244,7 @@ void FoFiType1::parse() {
 		code = code * 8 + (*p2 - '0');
 	      }
 	    }
-	    if (code < 256) {
+	    if (likely(code < 256 && code >= 0)) {
 	      for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
 	      if (*p == '/') {
 		++p;
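Review bot: The added `code >= 0` test only catches the symptom: the way `code` goes negative is signed overflow in the accumulation just above it, `code = code * 8 + (*p2 - '0');` over an unbounded run of digits, which is undefined behaviour in C++ and is not guaranteed to wrap to a negative value the check can see. Bound the value where it is built, e.g. `if (code < 256) code = code * 8 + (*p2 - '0');` (or stop the digit loop once `code >= 256`), and keep the new check as belt and braces. The digit loop starts above the hunk, and a decimal branch, if there is one, presumably needs the same treatment.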
commit c6a091512745771894b54a71613fd6b5ca1adcb3
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Sep 21 18:50:25 2010 +0100

    Fix memory leak
    
    Found thanks to PDF provided by Joel Voss of Leviathan Security Group

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 988f99a..0fb3884 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -599,6 +599,7 @@ GBool StreamPredictor::getNextLine() {
 	// last partial line
 	break;
       }
+      delete[] rawCharLine;
       return gFalse;
     }
     switch (curPred) {
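Review bot: The early-return path now frees `rawCharLine`, but the pattern that produced this leak — a per-line heap buffer whose every exit has to remember `delete[]` — is unchanged, so any other return in `StreamPredictor::getNextLine()` above or below the hunk is still suspect. If `rawCharLine` is sized from the predictor's row geometry, which is fixed at construction, allocating it once as a member in the constructor and freeing it in the destructor removes both the per-call allocation and the cleanup burden. The function starts outside this hunk, so I cannot confirm where the buffer is allocated.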

