[poppler] 12 commits - fofi/FoFiType1C.cc fofi/FoFiType1C.h poppler/DCTStream.cc poppler/Form.cc poppler/Function.cc poppler/Gfx.cc poppler/JBIG2Stream.cc poppler/XRef.cc splash/SplashClip.cc splash/SplashXPathScanner.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Sun Sep 9 14:27:52 PDT 2012
fofi/FoFiType1C.cc | 25 +++++++++++++++++--------
fofi/FoFiType1C.h | 2 ++
poppler/DCTStream.cc | 6 +++++-
poppler/Form.cc | 2 +-
poppler/Function.cc | 5 +++++
poppler/Gfx.cc | 5 +++++
poppler/JBIG2Stream.cc | 8 ++++++++
poppler/XRef.cc | 6 ++++++
splash/SplashClip.cc | 23 +++++++++++++++++++++++
splash/SplashXPathScanner.cc | 3 +++
10 files changed, 75 insertions(+), 10 deletions(-)
New commits:
commit 6c40a553a3c8825931c59797059392fd110531cc
Merge: 17fc1bf... 558a7d9...
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun Sep 9 23:27:40 2012 +0200
Merge remote-tracking branch 'origin/poppler-0.20'
commit 558a7d9b046bbbe185dea263b48a3cb2664378fc
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date: Sun Sep 9 23:25:47 2012 +0200
Fix invalid memory access; solves 1066.pdf.asan.38.75
diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc
index 41b73c8..fb18831 100644
--- a/splash/SplashClip.cc
+++ b/splash/SplashClip.cc
@@ -384,4 +384,27 @@ void SplashClip::clipAALine(SplashBitmap *aaBuf, int *x0, int *x1, int y) {
for (i = 0; i < length; ++i) {
scanners[i]->clipAALine(aaBuf, x0, x1, y);
}
+ if (*x0 > *x1) {
+ *x0 = *x1;
+ }
+ if (*x0 < 0) {
+ *x0 = 0;
+ }
+ if ((*x0>>1) >= aaBuf->getRowSize()) {
+ xx0 = *x0;
+ *x0 = (aaBuf->getRowSize() - 1) << 1;
+ if (xx0 & 1) {
+ *x0 = *x0 + 1;
+ }
+ }
+ if (*x1 < *x0) {
+ *x1 = *x0;
+ }
+ if ((*x1>>1) >= aaBuf->getRowSize()) {
+ xx0 = *x1;
+ *x1 = (aaBuf->getRowSize() - 1) << 1;
+ if (xx0 & 1) {
+ *x1 = *x1 + 1;
+ }
+ }
}
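Review bot: The clamp at `if ((*x0>>1) >= aaBuf->getRowSize())` yields a negative coordinate when getRowSize() returns 0, because `(0 - 1) << 1` is -2 (or -1 after the odd-bit fix-up), and the mirrored block for *x1 has the same gap; unless a zero row size is impossible for an AA buffer, which is not visible here, an early bail-out when `aaBuf->getRowSize() <= 0` is needed before these clamps. The two clamp blocks differ only in the pointer they operate on, so a small static helper taking `int *x` and the row size would keep the `xx0 & 1` handling in one place and make the intent easier to read. The declarations of `xx0`, `i` and `length` and the start of clipAALine are outside the hunk.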
diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
index c9fe5e5..738cef7 100644
--- a/splash/SplashXPathScanner.cc
+++ b/splash/SplashXPathScanner.cc
@@ -441,6 +441,9 @@ void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf,
}
}
}
+ if (xxMin > xxMax) {
+ xxMin = xxMax;
+ }
*x0 = xxMin / splashAASize;
*x1 = (xxMax - 1) / splashAASize;
}
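Review bot: Collapsing `xxMin` onto `xxMax` still lets the function return an empty range with *x1 < *x0, since `*x1 = (xxMax - 1) / splashAASize` is one less than *x0 whenever xxMax is a multiple of splashAASize; every caller therefore still has to treat *x1 < *x0 as "nothing to draw", which the clipAALine change in the same batch appears to rely on. A comment on the added lines would record that contract, e.g. `// xxMin > xxMax presumably means no span on this line: collapse to an empty range; callers must treat *x1 < *x0 as empty`. The part of renderAALine that initialises xxMin and xxMax is outside the hunk, so what xxMin > xxMax means is inferred.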
commit d0df8e54512f584ca2b3edbae1c19e167948e5c3
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date: Sun Sep 9 23:21:38 2012 +0200
Fix invalid memory access in 1106.pdf.asan.30.120.patch
diff --git a/poppler/Function.cc b/poppler/Function.cc
index 25e8f74..2c3aa8a 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -17,6 +17,7 @@
// Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
// Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -1010,6 +1011,10 @@ public:
return;
}
--sp;
+ if (sp + i + 1 >= psStackSize) {
+ error(errSyntaxError, -1, "Stack underflow in PostScript function");
+ return;
+ }
stack[sp] = stack[sp + 1 + i];
}
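Review bot: The bounds check runs after `--sp`, so on the error path the stack pointer stays decremented and `stack[sp]` is never written, leaving a slot with stale contents for the next pop. Doing the test before the decrement avoids that: `if (sp + i >= psStackSize) { error(errSyntaxError, -1, "Stack underflow in PostScript function"); return; }` followed by `--sp;`. Since `i` is an operand taken from the function's own stack, a negative value is presumably possible and would index below `sp`; rejecting it in the same test (`i < 0 ||`) closes that unless the caller already guarantees it. The signature of the enclosing method and the check that precedes `return;` at the top of the hunk are outside the hunk.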
void pop()
commit 86b89864396a1dcf027e5793e6ac75411977bcf9
Author: Thomas Freitag <Thomas.Freitag at kabelmail.de>
Date: Sun Sep 9 23:08:49 2012 +0200
Fix crash in 1255.pdf.SIGSEGV.56f.285
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 3564807..9a0c900 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -719,6 +719,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
error(errSyntaxError, -1, "Invalid 'size' inside xref table");
return gFalse;
}
+ if (first + n > size) {
+ error(errSyntaxError, -1, "Invalid 'first' or 'n' inside xref table");
+ return gFalse;
+ }
}
for (i = first; i < first + n; ++i) {
if (w[0] == 0) {
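Review bot: `first + n > size` is evaluated in int arithmetic, and `first` and `n` presumably come from the file, so a large `n` can wrap the sum negative and slip past the check before `for (i = first; i < first + n; ++i)` runs. Unless negative values are already rejected earlier in readXRefStreamSection (outside the hunk), writing the test without the sum is safer: `if (first < 0 || n < 0 || first > size - n) {`; with `size` non-negative (which the preceding "Invalid 'size'" check appears to establish) and `n >= 0`, `size - n` cannot overflow. The start of readXRefStreamSection is outside the hunk.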
@@ -1085,6 +1089,8 @@ Object *XRef::fetch(int num, int gen, Object *obj, int recursion) {
objStr = NULL;
goto err;
} else {
+ // XRef could be reconstructed in constructor of ObjectStream:
+ e = getEntry(num);
ObjectStreamKey *newkey = new ObjectStreamKey(e->offset);
ObjectStreamItem *newitem = new ObjectStreamItem(objStr);
objStrs->put(newkey, newitem);
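Review bot: The re-fetched `e = getEntry(num)` is dereferenced on the next line without confirming that reconstruction left an entry of the same kind; if the rebuilt table now maps `num` to a free or uncompressed entry, `e->offset` is no longer an object-stream number and the key stored in objStrs is wrong. A guard such as `if (e->type != entryCompressed) goto err;` right after the assignment (the same kind of check the earlier branch of fetch presumably applies) would keep the cache consistent, and the trailing colon in the added comment reads like an unfinished sentence. The earlier use of `e` and the err label are outside the hunk.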
commit 96931732f343d2bbda9af9488b485da031866c3b
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date: Sun Sep 9 22:47:57 2012 +0200
Fix invalid memory access in 61.pdf.asan.13.95
diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
index d0ea888..c4595a3 100644
--- a/fofi/FoFiType1C.cc
+++ b/fofi/FoFiType1C.cc
@@ -14,6 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2009, 2010 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -78,6 +79,7 @@ FoFiType1C::FoFiType1C(char *fileA, int lenA, GBool freeFileDataA):
privateDicts = NULL;
fdSelect = NULL;
charset = NULL;
+ charsetLength = 0;
}
FoFiType1C::~FoFiType1C() {
@@ -121,6 +123,8 @@ GooString *FoFiType1C::getGlyphName(int gid) {
GBool ok;
ok = gTrue;
+ if (gid < 0 || gid >= charsetLength)
+ return NULL;
getString(charset[gid], buf, &ok);
if (!ok) {
return NULL;
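Review bot: The new guard `if (gid < 0 || gid >= charsetLength) return NULL;` is the only brace-less if in view, while the neighbouring `if (!ok) {` braces a single statement; `{ return NULL; }` on its own line would match the file's style. A one-line comment would also say why an out-of-range gid is treated like a parse failure rather than an assertion, e.g. `// charset has charsetLength entries; a gid past that is a malformed font, not a glyph`. The signature of getGlyphName is outside the hunk.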
@@ -141,7 +145,7 @@ int *FoFiType1C::getCIDToGIDMap(int *nCIDs) {
// in a CID font, the charset data is the GID-to-CID mapping, so all
// we have to do is reverse it
n = 0;
- for (i = 0; i < nGlyphs; ++i) {
+ for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
if (charset[i] > n) {
n = charset[i];
}
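Review bot: The loop bound `i < nGlyphs && i < charsetLength` is now repeated in getCIDToGIDMap, twice in convertToCIDType0, twice in convertToType0 and in buildEncoding, and convertToType1 expresses the same limit as `ok && i < charsetLength`; computing the limit once per function, `int nEntries = nGlyphs < charsetLength ? nGlyphs : charsetLength;`, and looping to `nEntries` would make the intent clearer and keep the seven places from drifting apart. Glyphs beyond charsetLength are silently dropped on every path, which is probably fine for a malformed font but is worth a comment at least once. If readCharset always sets charsetLength to nGlyphs in the parsed case, as its hunk suggests, the extra bound only matters for the three built-in tables. The rest of getCIDToGIDMap is outside the hunk.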
@@ -461,7 +465,7 @@ void FoFiType1C::convertToType1(char *psName, const char **newEncoding, GBool as
for (i = 0; i < nGlyphs; ++i) {
ok = gTrue;
getIndexVal(&charStringsIdx, i, &val, &ok);
- if (ok) {
+ if (ok && i < charsetLength) {
getString(charset[i], buf2, &ok);
if (ok) {
eexecCvtGlyph(&eb, buf2, val.pos, val.len, &subrIdx, &privateDicts[0]);
@@ -512,7 +516,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes,
}
} else if (topDict.firstOp == 0x0c1e) {
nCIDs = 0;
- for (i = 0; i < nGlyphs; ++i) {
+ for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
if (charset[i] >= nCIDs) {
nCIDs = charset[i] + 1;
}
@@ -521,7 +525,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes,
for (i = 0; i < nCIDs; ++i) {
cidMap[i] = -1;
}
- for (i = 0; i < nGlyphs; ++i) {
+ for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
cidMap[charset[i]] = i;
}
} else {
@@ -855,7 +859,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
}
} else if (topDict.firstOp == 0x0c1e) {
nCIDs = 0;
- for (i = 0; i < nGlyphs; ++i) {
+ for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
if (charset[i] >= nCIDs) {
nCIDs = charset[i] + 1;
}
@@ -864,7 +868,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes,
for (i = 0; i < nCIDs; ++i) {
cidMap[i] = -1;
}
- for (i = 0; i < nGlyphs; ++i) {
+ for (i = 0; i < nGlyphs && i < charsetLength; ++i) {
cidMap[charset[i]] = i;
}
} else {
@@ -2415,7 +2419,7 @@ void FoFiType1C::buildEncoding() {
if (nCodes > nGlyphs) {
nCodes = nGlyphs;
}
- for (i = 1; i < nCodes; ++i) {
+ for (i = 1; i < nCodes && i < charsetLength; ++i) {
c = getU8(pos++, &parsedOk);
if (!parsedOk) {
return;
@@ -2437,7 +2441,7 @@ void FoFiType1C::buildEncoding() {
if (!parsedOk) {
return;
}
- for (j = 0; j <= nLeft && nCodes < nGlyphs; ++j) {
+ for (j = 0; j <= nLeft && nCodes < nGlyphs && nCodes < charsetLength; ++j) {
if (c < 256) {
if (encoding[c]) {
gfree(encoding[c]);
@@ -2480,12 +2484,16 @@ GBool FoFiType1C::readCharset() {
if (topDict.charsetOffset == 0) {
charset = fofiType1CISOAdobeCharset;
+ charsetLength = sizeof(fofiType1CISOAdobeCharset) / sizeof(Gushort);
} else if (topDict.charsetOffset == 1) {
charset = fofiType1CExpertCharset;
+ charsetLength = sizeof(fofiType1CExpertCharset) / sizeof(Gushort);
} else if (topDict.charsetOffset == 2) {
charset = fofiType1CExpertSubsetCharset;
+ charsetLength = sizeof(fofiType1CExpertSubsetCharset) / sizeof(Gushort);
} else {
charset = (Gushort *)gmallocn(nGlyphs, sizeof(Gushort));
+ charsetLength = nGlyphs;
for (i = 0; i < nGlyphs; ++i) {
charset[i] = 0;
}
@@ -2530,6 +2538,7 @@ GBool FoFiType1C::readCharset() {
if (!parsedOk) {
gfree(charset);
charset = NULL;
+ charsetLength = 0;
return gFalse;
}
}
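Review bot: `sizeof(fofiType1CISOAdobeCharset) / sizeof(Gushort)` (and the two lines like it) hard-codes the element type; `sizeof(fofiType1CISOAdobeCharset) / sizeof(fofiType1CISOAdobeCharset[0])` stays correct if the tables ever change type. In the parsed branch `charsetLength = nGlyphs;` is assigned before the entries are read, so on the failure path at the end of the hunk the reset to 0 is what keeps charsetLength consistent with the freed buffer; a short comment there, `// keep length in step with the freed buffer so the bounds checks reject every gid`, would make that dependency visible. The middle of readCharset is outside the hunks.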
diff --git a/fofi/FoFiType1C.h b/fofi/FoFiType1C.h
index b9e1933..698dccd 100644
--- a/fofi/FoFiType1C.h
+++ b/fofi/FoFiType1C.h
@@ -14,6 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
+// Copyright (C) 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -250,6 +251,7 @@ private:
int nFDs;
Guchar *fdSelect;
Gushort *charset;
+ Gushort charsetLength;
int gsubrBias;
GBool parsedOk;
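Review bot: `Gushort charsetLength;` is narrower than the counters it is compared against: readCharset assigns `charsetLength = nGlyphs;` in the same batch, and if nGlyphs is an `int` like `nFDs` two lines above, values above 65535 would be silently truncated, which makes every `i < charsetLength` bound too small rather than unsafe but drops glyphs without any error. Declaring it `int charsetLength;` matches the loop indices and the `gid < 0 || gid >= charsetLength` comparison in getGlyphName. The rest of the class body is outside the hunk.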
commit 26917d69c4da6a110db02b120133c36579fbb17c
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun Sep 9 22:23:36 2012 +0200
Add unlikely
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 661ec3d..4e663b4 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1671,7 +1671,7 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
state->setStrokeColor(&color);
out->updateStrokeColor(state);
}
- if (numArgs <= 0) {
+ if (unlikely(numArgs <= 0)) {
error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command");
return;
}
commit e6a3c797c01aa343f640f2e6f45de5bf379aa8ad
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date: Sun Sep 9 22:22:59 2012 +0200
Fix wrong memory access in 68.pdf.asan.7.1030
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index ffe7486..661ec3d 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1671,6 +1671,10 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
state->setStrokeColor(&color);
out->updateStrokeColor(state);
}
+ if (numArgs <= 0) {
+ error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command");
+ return;
+ }
if (args[numArgs-1].isName() &&
(pattern = res->lookupPattern(args[numArgs-1].getName(), this))) {
state->setStrokePattern(pattern);
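Review bot: The guard `if (numArgs <= 0)` sits between the pattern-underlay block and the `args[numArgs-1]` read without saying which access it protects; a one-line comment, `// args[numArgs-1] below needs at least one operand`, would tell the next reader why an 'SCN' with no operands is rejected here rather than at the top of opSetStrokeColorN. Moving the test to the start of the function would also cover the other branch, if that branch indexes args before its own count check (not visible here). The beginning and end of the function are outside the hunk.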
commit 48fe18cf277cd2a4e665c74b3a594482f762f4b6
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun Sep 9 22:09:44 2012 +0200
Fix memory leak
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index d7684d6..ffe7486 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4356,6 +4356,7 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
dict->lookup("D", &obj1);
}
if (bits == 0) {
+ delete colorSpace;
goto err2;
}
colorMap = new GfxImageColorMap(bits, &obj1, colorSpace);
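Review bot: `delete colorSpace;` before `goto err2` fixes the leak only if the err2/err1 cleanup does not also delete colorSpace; otherwise this becomes a double free, and colorSpace is left dangling either way. Since the labels are outside the hunk, adding `colorSpace = NULL;` after the delete (or deleting it in the cleanup instead, where the other error paths of doImage could share it) would keep the error path robust against later edits. The rest of doImage is outside the hunk.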
commit b87aafc0cdb36c3555053f2684c45f1a9d7b2f94
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun Sep 9 21:42:48 2012 +0200
Add unlikelys to the ifs
diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index cc2d325..6302c8b 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -5,7 +5,7 @@
// This file is licensed under the GPLv2 or later
//
// Copyright 2005 Jeff Muizelaar <jeff at infidigm.net>
-// Copyright 2005-2010 Albert Astals Cid <aacid at kde.org>
+// Copyright 2005-2010, 2012 Albert Astals Cid <aacid at kde.org>
// Copyright 2009 Ryszard Trojnacki <rysiek at menel.com>
// Copyright 2010 Carlos Garcia Campos <carlosgc at gnome.org>
// Copyright 2011 Daiki Ueno <ueno at unixuser.org>
@@ -223,7 +223,7 @@ int DCTStream::getChars(int nChars, Guchar *buffer) {
}
int DCTStream::lookChar() {
- if (current == NULL) {
+ if (unlikely(current == NULL)) {
return EOF;
}
return *current;
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 587ef38..78a205d 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -720,7 +720,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
JBIG2Segment(segNumA)
{
- if (!bitmap) {
+ if (unlikely(bitmap == NULL)) {
error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap");
w = h = line = 0;
data = NULL;
commit a019eef2f8ca53addd7ccab7f9c47657f4e52286
Author: Thomas Freitag <Thomas.Freitag at alfa.de>
Date: Sun Sep 9 21:41:09 2012 +0200
Fix crash in 1162.pdf.SIGSEGV.28e.182
diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index 90a1377..cc2d325 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -10,6 +10,7 @@
// Copyright 2010 Carlos Garcia Campos <carlosgc at gnome.org>
// Copyright 2011 Daiki Ueno <ueno at unixuser.org>
// Copyright 2011 Tomas Hoger <thoger at redhat.com>
+// Copyright 2012 Thomas Freitag <Thomas.Freitag at alfa.de>
//
//========================================================================
@@ -222,6 +223,9 @@ int DCTStream::getChars(int nChars, Guchar *buffer) {
}
int DCTStream::lookChar() {
+ if (current == NULL) {
+ return EOF;
+ }
return *current;
}
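Review bot: The NULL guard covers only lookChar, while the getChar/getChars paths that also read through `current` are not shown changing; if `current` can be NULL here, the same state is presumably reachable from them. A comment stating when that happens would help the next reader, e.g. `// current is NULL until a scanline has been decoded, or after a decode failure -- TODO confirm`. The class members and the body of getChars above are outside the hunk.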
commit ad7c6ac88f2315c9ce003308d1b4988592d4434b
Author: William Bader <williambader at hotmail.com>
Date: Sun Sep 9 21:31:58 2012 +0200
Fix crash in 1028.pdf.SIGSEGV.ae6.33
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index a8486a3..587ef38 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -18,6 +18,7 @@
// Copyright (C) 2006-2010, 2012 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2009 David Benjamin <davidben at mit.edu>
// Copyright (C) 2011 Edward Jiang <ejiang at google.com>
+// Copyright (C) 2012 William Bader <williambader at hotmail.com>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -719,6 +720,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
JBIG2Segment(segNumA)
{
+ if (!bitmap) {
+ error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap");
+ w = h = line = 0;
+ data = NULL;
+ return;
+ }
+
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
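Review bot: After the NULL-bitmap early return the object is a zero-sized bitmap with `data = NULL`, and any member not listed here keeps whatever the JBIG2Segment base and the class defaults leave it, so callers that go on to read pixels must check `data` (or w/h) first; nothing in the hunk records that. A comment on the early return, `// leave a valid empty bitmap; callers must handle data == NULL`, would make the contract explicit. The rest of the constructor and the other members are outside the hunk.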
commit b861af714daee4125e54b250dddf82106f5a8ce8
Author: Albert Astals Cid <aacid at kde.org>
Date: Sun Sep 9 21:15:06 2012 +0200
Fix memory leak
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 99d7bbb..7d32ae0 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -521,8 +521,8 @@ FormField::FormField(PDFDoc *docA, Object *aobj, const Ref& aref, FormField *par
obj1.free();
if (dict->lookup("Subtype", &obj1)->isName("Widget"))
_createWidget(&obj, ref);
- obj1.free();
}
+ obj1.free();
//flags
if (Form::fieldLookup(dict, "Ff", &obj1)->isInt()) {
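Review bot: The moved `obj1.free();` now runs whether or not the enclosing block was entered, which only fixes a leak if the condition that opens the block (outside the hunk) has already stored a lookup result in obj1 on the not-taken path too; if it has not, this frees whatever obj1 held before, so the block's opening `if` should be checked against that. A short comment, `// free the lookup result from the enclosing condition on both paths`, would record why the free sits after the block. The start of the FormField constructor is outside the hunk.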