[poppler] Branch 'poppler-0.20' - 11 commits - fofi/FoFiType1C.cc fofi/FoFiType1C.h poppler/DCTStream.cc poppler/Form.cc poppler/Function.cc poppler/Gfx.cc poppler/JBIG2Stream.cc poppler/XRef.cc splash/SplashClip.cc splash/SplashXPathScanner.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sun Sep 9 14:26:27 PDT 2012


 fofi/FoFiType1C.cc           |   25 +++++++++++++++++--------
 fofi/FoFiType1C.h            |    2 ++
 poppler/DCTStream.cc         |    6 +++++-
 poppler/Form.cc              |    2 +-
 poppler/Function.cc          |    5 +++++
 poppler/Gfx.cc               |    5 +++++
 poppler/JBIG2Stream.cc       |    8 ++++++++
 poppler/XRef.cc              |    6 ++++++
 splash/SplashClip.cc         |   23 +++++++++++++++++++++++
 splash/SplashXPathScanner.cc |    3 +++
 10 files changed, 75 insertions(+), 10 deletions(-)

New commits:
commit 558a7d9b046bbbe185dea263b48a3cb2664378fc
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sun Sep 9 23:25:47 2012 +0200

    Fix invalid memory access in solves 1066.pdf.asan.38.75

diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc
index 41b73c8..fb18831 100644
--- a/splash/SplashClip.cc
+++ b/splash/SplashClip.cc
@@ -384,4 +384,27 @@ void SplashClip::clipAALine(SplashBitmap *aaBuf, int *x0, int *x1, int y) {
   for (i = 0; i < length; ++i) {
     scanners[i]->clipAALine(aaBuf, x0, x1, y);
   }
+  if (*x0 > *x1) {
+    *x0 = *x1;
+  }
+  if (*x0 < 0) {
+    *x0 = 0;
+  }
+  if ((*x0>>1) >= aaBuf->getRowSize()) {
+    xx0 = *x0;
+    *x0 = (aaBuf->getRowSize() - 1) << 1;
+    if (xx0 & 1) {
+      *x0 = *x0 + 1;
+    }
+  }
+  if (*x1 < *x0) {
+    *x1 = *x0;
+  }
+  if ((*x1>>1) >= aaBuf->getRowSize()) {
+    xx0 = *x1;
+    *x1 = (aaBuf->getRowSize() - 1) << 1;
+    if (xx0 & 1) {
+      *x1 = *x1 + 1;
+    }
+  }
 }
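Review bot: After the last clamp block *x1 can end up below *x0 again: *x0 is allowed to reach `((rowSize - 1) << 1) + 1` when its low bit is set, while an even *x1 past the row is cut to `(rowSize - 1) << 1`, so the `*x1 < *x0` check placed between the two clamps no longer holds at exit. Clamping *x1 to the row first and repeating the ordering check last keeps the interval consistent; the one-line fix is `if (*x1 < *x0) { *x1 = *x0; }` after the final block. A row size of 0 would also make `(aaBuf->getRowSize() - 1) << 1` negative; whether that can occur here is not visible in the hunk. clipAALine starts before the hunk and the declaration of `xx0` is outside it.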
diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index c9fe5e5..738cef7 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc
@@ -441,6 +441,9 @@ void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf,
       }
     }
   }
+  if (xxMin > xxMax) {
+    xxMin = xxMax;
+  }
   *x0 = xxMin / splashAASize;
   *x1 = (xxMax - 1) / splashAASize;
 }
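Review bot: The new clamp only guarantees xxMin <= xxMax, yet the two assignments below still yield *x1 < *x0 whenever xxMin == xxMax (both equal to splashAASize gives *x0 = 1 and *x1 = 0), and for xxMax == 0 the value of `(xxMax - 1) / splashAASize` depends on signed division. Callers therefore still receive an inverted, empty span, which SplashClip::clipAALine in this same series has to re-normalise; a comment on the clamp such as `// xxMin == xxMax yields *x1 < *x0: an empty span that callers must handle` would make that contract explicit. renderAALine starts before the hunk.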
commit d0df8e54512f584ca2b3edbae1c19e167948e5c3
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sun Sep 9 23:21:38 2012 +0200

    Fix invalid memory access in 1106.pdf.asan.30.120.patch

diff --git a/poppler/Function.cc b/poppler/Function.cc
index 25e8f74..2c3aa8a 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -17,6 +17,7 @@
 // Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
 // Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1010,6 +1011,10 @@ public:
       return;
     }
     --sp;
+    if (sp + i + 1 >= psStackSize) {
+      error(errSyntaxError, -1, "Stack underflow in PostScript function");
+      return;
+    }
     stack[sp] = stack[sp + 1 + i];
   }
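Review bot: The new bound check runs after `--sp`, so on the error path sp already points at a slot that was never written and whatever stale value sits in stack[sp] becomes the top of the stack for the next operator. Checking before the decrement, `if (sp + i >= psStackSize) { error(errSyntaxError, -1, "Stack underflow in PostScript function"); return; }` placed above `--sp`, avoids that; restoring sp with `++sp` before the return would do as well. The check also does not reject a negative i, which would read below sp; whether the caller can pass one is not visible in the hunk. The enclosing operator body starts before the hunk.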
   void pop()
commit 86b89864396a1dcf027e5793e6ac75411977bcf9
Author: Thomas Freitag <Thomas.Freitag at kabelmail.de>
Date:   Sun Sep 9 23:08:49 2012 +0200

    Fix crash in 1255.pdf.SIGSEGV.56f.285

diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 3564807..9a0c900 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -719,6 +719,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
       error(errSyntaxError, -1, "Invalid 'size' inside xref table");
       return gFalse;
     }
+    if (first + n > size) {
+      error(errSyntaxError, -1, "Invalid 'first' or 'n' inside xref table");
+      return gFalse;
+    }
   }
   for (i = first; i < first + n; ++i) {
     if (w[0] == 0) {
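Review bot: `first + n > size` can overflow when first and n are large values read from the xref stream, in which case a negative sum passes the check and the loop on the line below walks past size. A subtraction form avoids that: `if (first < 0 || n < 0 || first > size - n) {`; whether first and n were already range-checked by the caller is not visible here. readXRefStreamSection starts before the hunk.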
@@ -1085,6 +1089,8 @@ Object *XRef::fetch(int num, int gen, Object *obj, int recursion) {
 	objStr = NULL;
 	goto err;
       } else {
+	// XRef could be reconstructed in constructor of ObjectStream:
+	e = getEntry(num);
 	ObjectStreamKey *newkey = new ObjectStreamKey(e->offset);
 	ObjectStreamItem *newitem = new ObjectStreamItem(objStr);
 	objStrs->put(newkey, newitem);
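Review bot: `e` is re-fetched from getEntry(num) but dereferenced on the very next line without a check; if getEntry can return NULL after a reconstruction (the hunk does not show its contract), this is the same class of access the commit is fixing. A guard in the style of the path just above, `if (!e) goto err;`, between the two lines would cover it. fetch() starts before the hunk.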
commit 96931732f343d2bbda9af9488b485da031866c3b
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sun Sep 9 22:47:57 2012 +0200

    Fix invalid memory access in 61.pdf.asan.13.95

diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
index d0ea888..c4595a3 100644
--- a/fofi/FoFiType1C.cc
+++ b/fofi/FoFiType1C.cc
@@ -14,6 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2009, 2010 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -78,6 +79,7 @@ FoFiType1C::FoFiType1C(char *fileA, int lenA, GBool freeFileDataA):
   privateDicts = NULL;
   fdSelect = NULL;
   charset = NULL;
+  charsetLength = 0;
 }
 
 FoFiType1C::~FoFiType1C() {
@@ -121,6 +123,8 @@ GooString *FoFiType1C::getGlyphName(int gid) {
   GBool ok;
 
   ok = gTrue;
+  if (gid < 0 || gid >= charsetLength)
+    return NULL;
   getString(charset[gid], buf, &ok);
   if (!ok) {
     return NULL;
@@ -141,7 +145,7 @@ int *FoFiType1C::getCIDToGIDMap(int *nCIDs) {
   // in a CID font, the charset data is the GID-to-CID mapping, so all
   // we have to do is reverse it
   n = 0;
-  for (i = 0; i < nGlyphs; ++i) {
+  for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
     if (charset[i] > n) {
       n = charset[i];
     }
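Review bot: Only the maximum-finding pass in getCIDToGIDMap is bounded by `i < charsetLength` here; if the function later walks charset again to fill the reversed map (that part is outside the hunk), the second pass needs the same bound or it reads past the shorter charset just as before. The convertToCIDType0 and convertToType0 hunks in this commit bound both of their passes, so the same should hold here. getCIDToGIDMap starts before the hunk and continues past it.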
@@ -461,7 +465,7 @@ void FoFiType1C::convertToType1(char *psName, const char **newEncoding, GBool as
   for (i = 0; i < nGlyphs; ++i) {
     ok = gTrue;
     getIndexVal(&charStringsIdx, i, &val, &ok);
-    if (ok) {
+    if (ok && i < charsetLength) {
       getString(charset[i], buf2, &ok);
       if (ok) {
 	eexecCvtGlyph(&eb, buf2, val.pos, val.len, &subrIdx, &privateDicts[0]);
@@ -512,7 +516,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes,
     }
   } else if (topDict.firstOp == 0x0c1e) {
     nCIDs = 0;
-    for (i = 0; i < nGlyphs; ++i) {
+    for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
       if (charset[i] >= nCIDs) {
 	nCIDs = charset[i] + 1;
       }
@@ -521,7 +525,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes,
     for (i = 0; i < nCIDs; ++i) {
       cidMap[i] = -1;
     }
-    for (i = 0; i < nGlyphs; ++i) {
+    for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
       cidMap[charset[i]] = i;
     }
   } else {
@@ -855,7 +859,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
     }
   } else if (topDict.firstOp == 0x0c1e) {
     nCIDs = 0;
-    for (i = 0; i < nGlyphs; ++i) {
+    for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
       if (charset[i] >= nCIDs) {
 	nCIDs = charset[i] + 1;
       }
@@ -864,7 +868,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
     for (i = 0; i < nCIDs; ++i) {
       cidMap[i] = -1;
     }
-    for (i = 0; i < nGlyphs; ++i) {
+    for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
       cidMap[charset[i]] = i;
     }
   } else {
@@ -2415,7 +2419,7 @@ void FoFiType1C::buildEncoding() {
       if (nCodes > nGlyphs) {
 	nCodes = nGlyphs;
       }
-      for (i = 1; i < nCodes; ++i) {
+      for (i = 1; i < nCodes && i < charsetLength; ++i) {
 	c = getU8(pos++, &parsedOk);
 	if (!parsedOk) {
 	  return;
@@ -2437,7 +2441,7 @@ void FoFiType1C::buildEncoding() {
 	if (!parsedOk) {
 	  return;
 	}
-	for (j = 0; j <= nLeft && nCodes < nGlyphs; ++j) {
+	for (j = 0; j <= nLeft && nCodes < nGlyphs && nCodes < charsetLength; ++j) {
 	  if (c < 256) {
 	    if (encoding[c]) {
 	      gfree(encoding[c]);
@@ -2480,12 +2484,16 @@ GBool FoFiType1C::readCharset() {
 
   if (topDict.charsetOffset == 0) {
     charset = fofiType1CISOAdobeCharset;
+    charsetLength = sizeof(fofiType1CISOAdobeCharset) / sizeof(Gushort);
   } else if (topDict.charsetOffset == 1) {
     charset = fofiType1CExpertCharset;
+    charsetLength = sizeof(fofiType1CExpertCharset) / sizeof(Gushort);
   } else if (topDict.charsetOffset == 2) {
     charset = fofiType1CExpertSubsetCharset;
+    charsetLength = sizeof(fofiType1CExpertSubsetCharset) / sizeof(Gushort);
   } else {
     charset = (Gushort *)gmallocn(nGlyphs, sizeof(Gushort));
+    charsetLength = nGlyphs;
     for (i = 0; i < nGlyphs; ++i) {
       charset[i] = 0;
     }
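Review bot: `charsetLength = nGlyphs` in the gmallocn branch stores an int into the `Gushort charsetLength` member added in the FoFiType1C.h hunk, so an nGlyphs of 65536 or more is truncated modulo 65536 and the bound used by every `i < charsetLength` loop in this commit becomes smaller than the buffer (65536 yields 0, which makes getGlyphName reject every gid). Declaring the member as `int charsetLength;` in FoFiType1C.h matches nGlyphs and the int loop counters. Whether nGlyphs can exceed 65535 in this parser is not visible here. readCharset starts before the hunk.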
@@ -2530,6 +2538,7 @@ GBool FoFiType1C::readCharset() {
     if (!parsedOk) {
       gfree(charset);
       charset = NULL;
+      charsetLength = 0;
       return gFalse;
     }
   }
diff --git a/fofi/FoFiType1C.h b/fofi/FoFiType1C.h
index b9e1933..698dccd 100644
--- a/fofi/FoFiType1C.h
+++ b/fofi/FoFiType1C.h
@@ -14,6 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -250,6 +251,7 @@ private:
   int nFDs;
   Guchar *fdSelect;
   Gushort *charset;
+  Gushort charsetLength;
   int gsubrBias;
 
   GBool parsedOk;
commit 26917d69c4da6a110db02b120133c36579fbb17c
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 9 22:23:36 2012 +0200

    Add unlikely

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 661ec3d..4e663b4 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1671,7 +1671,7 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
       state->setStrokeColor(&color);
       out->updateStrokeColor(state);
     }
-    if (numArgs <= 0) {
+    if (unlikely(numArgs <= 0)) {
       error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command");
       return;
     }
commit e6a3c797c01aa343f640f2e6f45de5bf379aa8ad
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sun Sep 9 22:22:59 2012 +0200

    Fix wrong memory access in 68.pdf.asan.7.1030

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index ffe7486..661ec3d 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1671,6 +1671,10 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
       state->setStrokeColor(&color);
       out->updateStrokeColor(state);
     }
+    if (numArgs <= 0) {
+      error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command");
+      return;
+    }
     if (args[numArgs-1].isName() &&
 	(pattern = res->lookupPattern(args[numArgs-1].getName(), this))) {
       state->setStrokePattern(pattern);
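Review bot: The numArgs guard sits directly before the `args[numArgs-1]` access, but opSetStrokeColorN starts before the hunk and the block closing just above it already handled the colour case; if that earlier part also indexes args[] (not visible here), the guard belongs at the top of the function rather than at this point. Keeping it where it is means any other `args[numArgs-1]` use in the function still needs its own check.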
commit 48fe18cf277cd2a4e665c74b3a594482f762f4b6
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 9 22:09:44 2012 +0200

    Fix memory leak

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index d7684d6..ffe7486 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4356,6 +4356,7 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
       dict->lookup("D", &obj1);
     }
     if (bits == 0) {
+      delete colorSpace;
       goto err2;
     }
     colorMap = new GfxImageColorMap(bits, &obj1, colorSpace);
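Review bot: The explicit `delete colorSpace` before `goto err2` shows that err2 does not own colorSpace, so every other early exit between where colorSpace is created and the GfxImageColorMap construction on the line below (outside the hunk) needs the same delete. A comment on the new line, `// colorSpace is still owned here; colorMap takes ownership below`, would tell the next reader why this exit differs from err2. doImage starts before the hunk.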
commit b87aafc0cdb36c3555053f2684c45f1a9d7b2f94
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 9 21:42:48 2012 +0200

    Add unlikelys to the ifs

diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index cc2d325..6302c8b 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -5,7 +5,7 @@
 // This file is licensed under the GPLv2 or later
 //
 // Copyright 2005 Jeff Muizelaar <jeff at infidigm.net>
-// Copyright 2005-2010 Albert Astals Cid <aacid at kde.org>
+// Copyright 2005-2010, 2012 Albert Astals Cid <aacid at kde.org>
 // Copyright 2009 Ryszard Trojnacki <rysiek at menel.com>
 // Copyright 2010 Carlos Garcia Campos <carlosgc at gnome.org>
 // Copyright 2011 Daiki Ueno <ueno at unixuser.org>
@@ -223,7 +223,7 @@ int DCTStream::getChars(int nChars, Guchar *buffer) {
 }
 
 int DCTStream::lookChar() {
-  if (current == NULL) {
+  if (unlikely(current == NULL)) {
     return EOF;
   }
   return *current;
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 587ef38..78a205d 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -720,7 +720,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
   JBIG2Segment(segNumA)
 {
-  if (!bitmap) {
+  if (unlikely(bitmap == NULL)) {
     error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap");
     w = h = line = 0;
     data = NULL;
commit a019eef2f8ca53addd7ccab7f9c47657f4e52286
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date:   Sun Sep 9 21:41:09 2012 +0200

    Fix crash in 1162.pdf.SIGSEGV.28e.182

diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index 90a1377..cc2d325 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -10,6 +10,7 @@
 // Copyright 2010 Carlos Garcia Campos <carlosgc at gnome.org>
 // Copyright 2011 Daiki Ueno <ueno at unixuser.org>
 // Copyright 2011 Tomas Hoger <thoger at redhat.com>
+// Copyright 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
 //
 //========================================================================
 
@@ -222,6 +223,9 @@ int DCTStream::getChars(int nChars, Guchar *buffer) {
 }
 
 int DCTStream::lookChar() {
+  if (current == NULL) {
+    return EOF;
+  }
   return *current;
 }
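Review bot: `lookChar` now tolerates `current == NULL`, but the sibling reader `getChars` ending just above and any `getChar` presumably dereference `current` the same way; the hunk does not show whether they received the same guard, and if not the crash only moves to the next read path. A one-line comment above the check explaining under which conditions `current` is NULL would also help, since where it is set is outside the hunk.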
 
commit ad7c6ac88f2315c9ce003308d1b4988592d4434b
Author: William Bader <williambader at hotmail.com>
Date:   Sun Sep 9 21:31:58 2012 +0200

    Fix crash in 1028.pdf.SIGSEGV.ae6.33

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index a8486a3..587ef38 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -18,6 +18,7 @@
 // Copyright (C) 2006-2010, 2012 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2009 David Benjamin <davidben at mit.edu>
 // Copyright (C) 2011 Edward Jiang <ejiang at google.com>
+// Copyright (C) 2012 William Bader <williambader at hotmail.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -719,6 +720,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
   JBIG2Segment(segNumA)
 {
+  if (!bitmap) {
+    error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap");
+    w = h = line = 0;
+    data = NULL;
+    return;
+  }
+
   w = bitmap->w;
   h = bitmap->h;
   line = bitmap->line;
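Review bot: Returning early leaves an object with `w == h == 0` and `data == NULL`, and the caller cannot tell that construction failed except through the error log; whether every later user of the bitmap checks w or h before touching data is not visible in the hunk. A comment above the guard, `// produces an empty bitmap; callers must treat w == 0 || h == 0 as invalid`, records the contract. The constructor continues past the hunk.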
commit b861af714daee4125e54b250dddf82106f5a8ce8
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 9 21:15:06 2012 +0200

    Fix memory leak

diff --git a/poppler/Form.cc b/poppler/Form.cc
index 99d7bbb..7d32ae0 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -521,8 +521,8 @@ FormField::FormField(PDFDoc *docA, Object *aobj, const Ref& aref, FormField *par
     obj1.free();
     if (dict->lookup("Subtype", &obj1)->isName("Widget"))
       _createWidget(&obj, ref);
-    obj1.free();
   }
+  obj1.free();
 
   //flags
   if (Form::fieldLookup(dict, "Ff", &obj1)->isInt()) {
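Review bot: Moving `obj1.free()` past the closing brace makes it run on the path that skips the block as well, which is only correct if obj1 is in a freeable state there (either a none-type object or holding the lookup result that used to leak). The start of that block and the path that bypasses it are outside the hunk, so that cannot be confirmed here; a comment such as `// obj1 may still hold the earlier lookup result on either path` above the moved free would document why it sits outside the block. The FormField constructor starts before the hunk.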

