[poppler] 6 commits - m4/libjpeg.m4 poppler/Function.cc poppler/Stream.cc splash/Splash.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Thu Jan 10 15:36:47 PST 2013


 m4/libjpeg.m4       |    2 +-
 poppler/Function.cc |    6 +++++-
 poppler/Stream.cc   |   10 ++++++++--
 splash/Splash.cc    |   26 ++++++++++++++++++++++----
 4 files changed, 36 insertions(+), 8 deletions(-)

New commits:
commit 4b69217f72f3fd313f73df059eb1e6294878a95e
Author: Peter Dyballa <Peter_Dyballa at Freenet.DE>
Date:   Fri Jan 11 00:32:46 2013 +0100

    Use CPPFLAGS for CPPFLAGS not CFLAGS
    
    Bug #59186

diff --git a/m4/libjpeg.m4 b/m4/libjpeg.m4
index d384343..1a5057a 100644
--- a/m4/libjpeg.m4
+++ b/m4/libjpeg.m4
@@ -70,7 +70,7 @@ dnl then search the headers (can't use simply AC_TRY_xxx, as jpeglib.h
 dnl requires system dependent includes loaded before it)
 ac_save_CPPFLAGS="$CPPFLAGS"
 ac_save_CFLAGS="$CFLAGS"
-CPPFLAGS="$CFLAGS $all_includes $USER_INCLUDES"
+CPPFLAGS="$CPPFLAGS $all_includes $USER_INCLUDES"
 CFLAGS="$CFLAGS $all_includes $USER_INCLUDES"
 AC_CHECK_HEADER([jpeglib.h], [jpeg_incdir=yes], [jpeg_incdir=NO])
 CPPFLAGS="$ac_save_CPPFLAGS"
commit 8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492
Author: Albert Astals Cid <aacid at kde.org>
Date:   Thu Jan 10 22:31:52 2013 +0100

    Fix invalid memory access in 1150.pdf.asan.8.69

diff --git a/splash/Splash.cc b/splash/Splash.cc
index af609b4..d0d986e 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -2252,11 +2252,14 @@ SplashPath *Splash::makeDashedPath(SplashPath *path) {
   lineDashStartOn = gTrue;
   lineDashStartIdx = 0;
   if (lineDashStartPhase > 0) {
-    while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+    while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
       lineDashStartOn = !lineDashStartOn;
       lineDashStartPhase -= state->lineDash[lineDashStartIdx];
       ++lineDashStartIdx;
     }
+    if (unlikely(lineDashStartIdx == state->lineDashLength)) {
+      return new SplashPath();
+    }
   }
 
   dPath = new SplashPath();
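Review bot: The new early return at `lineDashStartIdx == state->lineDashLength` drops the whole stroke without any diagnostic, whereas the other fixes in this series report the bad input through `error()`. A line such as `error(errSyntaxError, -1, "Dash phase runs past the dash array in Splash::makeDashedPath");` before `return new SplashPath();` would make the condition visible when triaging a file. A short comment, `// phase consumed every dash entry; nothing left to draw`, would also explain why the index can reach lineDashLength, since the code that computes lineDashStartPhase is outside the hunk. The function body starts before the hunk and continues after it.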
commit e14b6e9c13d35c9bd1e0c50906ace8e707816888
Author: Albert Astals Cid <aacid at kde.org>
Date:   Thu Jan 10 20:52:02 2013 +0100

    Fix invalid memory access in 2030.pdf.asan.69.463

diff --git a/poppler/Function.cc b/poppler/Function.cc
index 1dece2d..2f94a54 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
 // Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
@@ -1111,6 +1111,10 @@ void PSStack::copy(int n) {
     error(errSyntaxError, -1, "Stack underflow in PostScript function");
     return;
   }
+  if (unlikely(sp - n > psStackSize)) {
+    error(errSyntaxError, -1, "Stack underflow in PostScript function");
+    return;
+  }
   if (!checkOverflow(n)) {
     return;
   }
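Review bot: The added guard evaluates `sp - n` in plain int, and assuming sp never exceeds psStackSize it can only fire for a negative n, so a count near INT_MIN overflows the subtraction, which is undefined behaviour inside the very check meant to catch the bad value. Testing the sign avoids the arithmetic altogether: `if (unlikely(n < 0)) {`. That also rejects small negative counts that the current test lets through, so it is worth confirming that no caller passes a negative count deliberately. The message could then say something other than "Stack underflow", which the preceding branch already uses. PSStack::copy starts above the hunk and continues below it.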
commit 0388837f01bc467045164f9ddaff787000a8caaa
Author: Albert Astals Cid <aacid at kde.org>
Date:   Thu Jan 10 20:29:06 2013 +0100

    Fix another invalid memory access in 1091.pdf.asan.72.42

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d118ddd..4cb3326 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -2387,7 +2387,8 @@ GBool CCITTFaxStream::isBinary(GBool last) {
 
 // clip [-256,511] --> [0,255]
 #define dctClipOffset 256
-static Guchar dctClip[768];
+#define dctClipLength 768
+static Guchar dctClip[dctClipLength];
 static int dctClipInit = 0;
 
 // zig zag decode map
@@ -3343,7 +3344,12 @@ void DCTStream::transformDataUnit(Gushort *quantTable,
 
   // convert to 8-bit integers
   for (i = 0; i < 64; ++i) {
-    dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
+    const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
+    if (unlikely(ix < 0 || ix >= dctClipLength)) {
+      dataOut[i] = 0;
+    } else {
+      dataOut[i] = dctClip[ix];
+    }
   }
 }
 
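Review bot: An index past the top of the table is mapped to 0 in the new out-of-range branch, but the comment above the table describes dctClip as a clamp of [-256,511] to [0,255], so an overshoot should presumably saturate to 255 and only an undershoot give 0. Splitting the two cases keeps such streams consistent with the clamp: `dataOut[i] = (ix < 0) ? 0 : 255;` inside the `unlikely` branch. The sum `dataIn[i] + 8` is still computed before the range test; whether it can overflow depends on the element type of dataIn, which is declared outside the hunk.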
commit 957aa252912cde85d76c41e9710b33425a82b696
Author: Albert Astals Cid <aacid at kde.org>
Date:   Thu Jan 10 19:16:19 2013 +0100

    Fix invalid memory accesses in 1091.pdf.asan.72.42

diff --git a/splash/Splash.cc b/splash/Splash.cc
index 1f838af..af609b4 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -3233,6 +3233,12 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData,
   Guchar *destPtr;
   int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, d;
   int i, j;
+  
+  destPtr = dest->data;
+  if (destPtr == NULL) {
+    error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYdXu");
+    return;
+  }
 
   // Bresenham parameters for y scale
   yp = srcHeight / scaledHeight;
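Review bot: Returning early when `dest->data` is NULL protects this function, but it returns void, so the caller presumably carries on with the same bitmap and may dereference the NULL buffer later; the same applies to the matching guards added to scaleMaskYuXd and vertFlipImage in the commit below. If the buffer is NULL because the bitmap allocation failed, a check where dest is created would cover every consumer instead of one function at a time; that code is not visible here, so treat this as something to confirm. For consistency with vertFlipImage the test could be written `if (unlikely(destPtr == NULL)) {`, and the added blank line `+  ` carries trailing whitespace. The function body starts before the hunk and continues after it.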
@@ -3249,7 +3255,6 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData,
   // init y scale Bresenham
   yt = 0;
 
-  destPtr = dest->data;
   for (y = 0; y < scaledHeight; ++y) {
 
     // y scale Bresenham
commit bbc2d8918fe234b7ef2c480eb148943922cc0959
Author: Albert Astals Cid <aacid at kde.org>
Date:   Thu Jan 10 19:07:48 2013 +0100

    Fix invalid memory accesses in 1036.pdf.asan.23.17

diff --git a/splash/Splash.cc b/splash/Splash.cc
index 24d934a..1f838af 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -14,7 +14,7 @@
 // Copyright (C) 2005-2013 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
 // Copyright (C) 2010-2012 Thomas Freitag <Thomas.Freitag at alfa.de>
-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
+// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
 // Copyright (C) 2011, 2012 William Bader <williambader at hotmail.com>
 // Copyright (C) 2012 Markus Trippelsdorf <markus at trippelsdorf.de>
 // Copyright (C) 2012 Adrian Johnson <ajohnson at redneon.com>
@@ -3308,6 +3308,12 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData,
   Guchar *destPtr0, *destPtr;
   int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, xx, d, d0, d1;
   int i;
+  
+  destPtr0 = dest->data;
+  if (destPtr0 == NULL) {
+    error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYuXd");
+    return;
+  }
 
   // Bresenham parameters for y scale
   yp = scaledHeight / srcHeight;
@@ -3323,7 +3329,6 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData,
   // init y scale Bresenham
   yt = 0;
 
-  destPtr0 = dest->data;
   for (y = 0; y < srcHeight; ++y) {
 
     // y scale Bresenham
@@ -4862,6 +4867,11 @@ void Splash::vertFlipImage(SplashBitmap *img, int width, int height,
   Guchar *lineBuf;
   Guchar *p0, *p1;
   int w;
+  
+  if (unlikely(img->data == NULL)) {
+    error(errInternal, -1, "img->data is NULL in Splash::vertFlipImage");
+    return;
+  }
 
   w = width * nComps;
   lineBuf = (Guchar *)gmalloc(w);

