[poppler] 13 commits - fofi/FoFiType1.cc poppler/Decrypt.cc poppler/Dict.h poppler/Form.cc poppler/Function.cc poppler/Gfx.cc poppler/Stream.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Tue Sep 21 11:20:23 PDT 2010
fofi/FoFiType1.cc | 5 +++--
poppler/Decrypt.cc | 4 +++-
poppler/Dict.h | 3 +++
poppler/Form.cc | 32 +++++++++++++++++++++++++++-----
poppler/Function.cc | 7 ++++++-
poppler/Gfx.cc | 39 +++++++++++++++++++++++++++++++++------
poppler/Stream.cc | 1 +
7 files changed, 76 insertions(+), 15 deletions(-)
New commits:
commit d2578bd66129466b2dd114b6407c147598e09d2b
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:19:27 2010 +0100
Avoid loops in Form::fieldLookup
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Dict.h b/poppler/Dict.h
index bb747d5..a76bc89 100644
--- a/poppler/Dict.h
+++ b/poppler/Dict.h
@@ -16,6 +16,7 @@
// Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
// Copyright (C) 2006 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
// Copyright (C) 2007-2008 Julien Rebetez <julienr at svn.gnome.org>
+// Copyright (C) 2010 Albert Astals Cid <aacid at kde.org>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -83,6 +84,8 @@ public:
// trailer dictionary, which is read before the xref table is
// parsed.
void setXRef(XRef *xrefA) { xref = xrefA; }
+
+ XRef *getXRef() { return xref; }
private:
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 21ca672..ae9c509 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -22,6 +22,7 @@
#pragma implementation
#endif
+#include <set>
#include <stddef.h>
#include <string.h>
#include "goo/gmem.h"
@@ -1181,7 +1182,7 @@ Form::~Form() {
}
// Look up an inheritable field dictionary entry.
-Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+static Object *fieldLookup(Dict *field, char *key, Object *obj, std::set<int> *usedParents) {
Dict *dict;
Object parent;
@@ -1190,8 +1191,23 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
return obj;
}
obj->free();
- if (dict->lookup("Parent", &parent)->isDict()) {
- fieldLookup(parent.getDict(), key, obj);
+ dict->lookupNF("Parent", &parent);
+ if (parent.isRef()) {
+ const Ref ref = parent.getRef();
+ if (usedParents->find(ref.num) == usedParents->end()) {
+ usedParents->insert(ref.num);
+
+ Object obj2;
+ parent.fetch(dict->getXRef(), &obj2);
+ if (obj2.isDict()) {
+ fieldLookup(obj2.getDict(), key, obj, usedParents);
+ } else {
+ obj->initNull();
+ }
+ obj2.free();
+ }
+ } else if (parent.isDict()) {
+ fieldLookup(parent.getDict(), key, obj, usedParents);
} else {
obj->initNull();
}
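Review bot: The cycle case leaves `obj` without a value. When `parent.isRef()` is true but `ref.num` is already in `usedParents`, the inner `if` has no `else`, so after the earlier `obj->free()` nothing re-initialises `obj` before it is returned; every other failure branch in this hunk calls `obj->initNull()`. Adding `} else { obj->initNull(); }` to the `usedParents->find(ref.num)` test would give callers the same null result for a looping Parent chain as for a missing one. The set is keyed on `ref.num` alone, which is enough to stop the loop, but a one-line comment saying the generation number is deliberately ignored would help the next reader. The signature and the closing lines of this function sit in the neighbouring hunks.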
@@ -1199,6 +1215,11 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
return obj;
}
+Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+ std::set<int> usedParents;
+ return ::fieldLookup(field, key, obj, &usedParents);
+}
+
FormField *Form::createFieldFromDict (Object* obj, XRef *xrefA, const Ref& pref)
{
Object obj2;
commit 2fe825deac055be82b220d0127169cb3d61387a8
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:15:25 2010 +0100
Make sure obj1 is a num before reading it
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 7b85d79..76dae02 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) {
}
for (i = 0; i < 4; ++i) {
bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
}
bboxObj.free();
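Review bot: The new early `return` in the `else` branch frees `obj1` but not `bboxObj`, which is released only by the `bboxObj.free();` after the loop, so a non-numeric BBox entry now leaks the array. Calling `bboxObj.free();` just before `error(getPos(), "Bad form bounding box value");` closes that path. Anything else doForm() holds at this point is outside the hunk and should be checked the same way. The identical block added to Gfx::drawAnnot in the next hunk has the same gap.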
@@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
}
for (i = 0; i < 4; ++i) {
bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
}
bboxObj.free();
commit 473de6f88a055bb03470b4af5fa584be8cb5fda4
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:11:42 2010 +0100
Fix memory leak if obj2 is not a dict
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 4df8a7d..21ca672 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -715,13 +715,14 @@ FormField::FormField(XRef* xrefA, Object *aobj, const Ref& aref, FormFieldType t
// Load children
for(int i=0; i<length; i++) {
Object obj2,obj3;
- Object childRef;
array->get(i, &obj2);
- array->getNF(i, &childRef);
if (!obj2.isDict ()) {
error (-1, "Reference to an invalid or non existant object");
+ obj2.free();
continue;
}
+ Object childRef;
+ array->getNF(i, &childRef);
//field child
if (dict->lookup ("FT", &obj3)->isName()) {
// If I'm not a generic container field and my children
commit 9706e28657ff7ea52aa69d9efb3f91d0cfaee70b
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:09:37 2010 +0100
Fix crash when idx is out of range
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index ea35b7b..e7383fd 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -425,7 +425,7 @@ void SampledFunction::transform(double *in, double *out) {
if (likely(idx >= 0 && idx < nSamples)) {
sBuf[j] = samples[idx];
} else {
- sBuf[j] = 0;
+ sBuf[j] = 0; // TODO Investigate if this is what Adobe does
}
}
commit 26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:08:54 2010 +0100
Fix crash when idx is out of range
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index b28ee3d..ea35b7b 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -422,7 +422,11 @@ void SampledFunction::transform(double *in, double *out) {
for (k = 0, t = j; k < m; ++k, t >>= 1) {
idx += idxMul[k] * (e[k][t & 1]);
}
- sBuf[j] = samples[idx];
+ if (likely(idx >= 0 && idx < nSamples)) {
+ sBuf[j] = samples[idx];
+ } else {
+ sBuf[j] = 0;
+ }
}
// do m sets of interpolations
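Review bot: The range test runs only after `idx += idxMul[k] * (e[k][t & 1])` has been accumulated, so it catches a bad index but not an overflow during the sum. If `idx` and `idxMul` are signed ints (their declarations are outside the hunk), that overflow is undefined behaviour and the `idx >= 0` half of the check cannot be relied on. Validating the sample-table dimensions once, where `idxMul` and `nSamples` are derived from the document, would keep the index in range by construction and leave this test as a backstop. The fallback to 0 is also silent, so a comment stating that an out-of-range sample is treated as 0 for malformed input would document the choice.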
commit dfdf3602bde47d1be7788a44722c258bfa0c6d6e
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:07:12 2010 +0100
Give a value to color.c[i]
Might not be the best solution but it's better than having a random
value there
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 919086e..7b85d79 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1533,6 +1533,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
if (args[i].isNum()) {
color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
}
}
state->setFillColor(&color);
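Review bot: Only the components the operator actually supplies receive a value. The loop stops at `numArgs - 1` here (and at `numArgs` in the next hunk), so when a content stream passes fewer operands than the colour space has components, the remaining `color.c[]` entries still hold whatever was there when `state->setFillColor(&color)` copies them, assuming `color` is not cleared earlier in the function (not visible in the hunk). Zeroing the array up front with `for (i = 0; i < gfxColorMaxComps; ++i) color.c[i] = 0;` covers both the non-numeric and the missing-operand case and makes the added `else` unnecessary. The same applies to the second hunk in opSetFillColorN and to both hunks in opSetStrokeColorN.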
@@ -1552,6 +1554,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
if (args[i].isNum()) {
color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
}
}
state->setFillColor(&color);
@@ -1576,6 +1580,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
if (args[i].isNum()) {
color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
}
}
state->setStrokeColor(&color);
@@ -1595,6 +1601,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
if (args[i].isNum()) {
color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
}
}
state->setStrokeColor(&color);
commit 01c85c08305bae16242f5979ab107fa5bb5f5100
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:04:37 2010 +0100
Forgot my (C) here
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index 128dbb9..abca820 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -14,7 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2008 Julien Rebetez <julien at fhtagn.net>
-// Copyright (C) 2008 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008, 2010 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2009 Matthias Franz <matthias at ktug.or.kr>
// Copyright (C) 2009 David Benjamin <davidben at mit.edu>
//
commit bf2055088a3a2d3bb3d3c37d464954ec1a25771f
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:03:19 2010 +0100
Properly initialize stack
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index b7c23fe..b28ee3d 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -1108,6 +1108,7 @@ PostScriptFunction::PostScriptFunction(Object *funcObj, Dict *dict) {
code = NULL;
codeString = NULL;
codeSize = 0;
+ stack = NULL;
ok = gFalse;
cache = new PopplerCache(5);
commit e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 19:01:36 2010 +0100
Properly initialize parser
Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index fc004b8..919086e 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -536,6 +536,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, int pageNum, Dict *resDict, Catalog *cata
drawText = gFalse;
maskHaveCSPattern = gFalse;
mcStack = NULL;
+ parser = NULL;
// start the resource stack
res = new GfxResources(xref, resDict, NULL);
@@ -590,6 +591,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, Dict *resDict, Catalog *catalogA,
drawText = gFalse;
maskHaveCSPattern = gFalse;
mcStack = NULL;
+ parser = NULL;
// start the resource stack
res = new GfxResources(xref, resDict, NULL);
commit 3422638b2a39cbdd33a114a7d7debc0a5f688501
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 18:58:43 2010 +0100
Fix crash in broken pdf (parser->getStream() is 0)
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 50870cc..fc004b8 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4449,8 +4449,13 @@ Stream *Gfx::buildImageStream() {
obj.free();
// make stream
- str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
- str = str->addFilters(&dict);
+ if (parser->getStream()) {
+ str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
+ str = str->addFilters(&dict);
+ } else {
+ str = NULL;
+ dict.free();
+ }
return str;
}
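Review bot: buildImageStream() can now return NULL, and the `else` branch does so without reporting anything. The callers are outside this hunk; each needs a NULL check before using the result, and the function's header comment should state that NULL means the parser had no underlying stream. Adding something like `error(getPos(), "Missing image stream");` next to `dict.free();` would make the malformed input visible in the same way the other bad-input paths in Gfx.cc are. `parser->getStream()` is also evaluated twice; holding it in a local would make it plain that the tested pointer is the one passed to `EmbedStream`.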
commit a2dab0238a69240dad08eca2083110b52ce488b7
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 18:55:51 2010 +0100
Initialize properly charactersRead
It is possible that there are calls to getPos before reset
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index ca294d3..128dbb9 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -229,6 +229,8 @@ DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey,
if ((objKeyLength = keyLength + 5) > 16) {
objKeyLength = 16;
}
+
+ charactersRead = 0;
}
DecryptStream::~DecryptStream() {
commit 39d140bfc0b8239bdd96d6a55842034ae5c05473
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 18:54:31 2010 +0100
Fix crash in broken pdf (code < 0)
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
index 25bdc0e..3fe7f4f 100644
--- a/fofi/FoFiType1.cc
+++ b/fofi/FoFiType1.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2005, 2008 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2008, 2010 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2005 Kristian Høgsberg <krh at redhat.com>
// Copyright (C) 2010 Jakub Wilk <ubanus at users.sf.net>
//
@@ -31,6 +31,7 @@
#include <stdlib.h>
#include <string.h>
#include "goo/gmem.h"
+#include "goo/GooLikely.h"
#include "FoFiEncodings.h"
#include "FoFiType1.h"
#include "poppler/Error.h"
@@ -243,7 +244,7 @@ void FoFiType1::parse() {
code = code * 8 + (*p2 - '0');
}
}
- if (code < 256) {
+ if (likely(code < 256 && code >= 0)) {
for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
if (*p == '/') {
++p;
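Review bot: On the path visible here, `code` can only go negative by overflowing in `code = code * 8 + (*p2 - '0')`. If `code` is a signed int (its declaration is outside the hunk), that overflow is undefined behaviour, so a compiler is allowed to assume `code >= 0` and drop the new test. Bounding the accumulation itself is more robust, for example `if (code < 256) code = code * 8 + (*p2 - '0');` inside the digit loop, so that an over-long number saturates above 255 and is rejected by the existing `code < 256` check. The digit loop's header and the other branch that assigns `code` are not in the hunk, so the same bound should be confirmed there.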
commit c6a091512745771894b54a71613fd6b5ca1adcb3
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Sep 21 18:50:25 2010 +0100
Fix memory leak
Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 988f99a..0fb3884 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -599,6 +599,7 @@ GBool StreamPredictor::getNextLine() {
// last partial line
break;
}
+ delete[] rawCharLine;
return gFalse;
}
switch (curPred) {