[poppler] 4 commits - poppler/Link.cc splash/Splash.cc splash/SplashFTFont.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Fri Mar 28 10:04:36 PDT 2014


 poppler/Link.cc        |   10 ++++++----
 splash/Splash.cc       |    3 +++
 splash/SplashFTFont.cc |    6 +++---
 3 files changed, 12 insertions(+), 7 deletions(-)

New commits:
commit 82d69da7c2f67e774c51fb7b146fdf639a6b9616
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Mar 28 15:53:22 2014 +0100

    Fix error reported by ASAN in 3628.asan.0.3910.pdf
    
    ==20743== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040005c6ef at pc 0x7f8912ca0c90 bp 0x7fff8509ee20 sp 0x7fff8509ee18
    READ of size 1 at 0x60040005c6ef thread T0
        #0 0x7f8912ca0c8f in expandRow(unsigned char*, unsigned char*, int, int, int) /home/tsdgeos/devel/poppler/splash/Splash.cc:4855
        #1 0x7f8912ca1097 in Splash::scaleImageYuXuBilinear(bool (*)(void*, unsigned char*, unsigned char*), void*, SplashColorMode, int, bool, int, int, int, int, SplashBitmap*) /home/tsdgeos/devel/poppler/splash/Splash.cc:4897
        #2 0x7f8912c9d2b7 in Splash::scaleImage(bool (*)(void*, unsigned char*, unsigned char*), void*, SplashColorMode, int, bool, int, int, int, int, bool, bool) /home/tsdgeos/devel/poppler/splash/Splash.cc:4127
        #3 0x7f8912c98101 in Splash::drawImage(bool (*)(void*, unsigned char*, unsigned char*), void*, SplashColorMode, bool, int, int, double*, bool, bool) /home/tsdgeos/devel/poppler/splash/Splash.cc:3726
        #4 0x7f8912c7056a in SplashOutputDev::drawSoftMaskedImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, Stream*, int, int, GfxImageColorMap*, bool) /home/tsdgeos/devel/poppler/poppler/SplashOutputDev.cc:3630
        #5 0x7f8912ac7aa7 in Gfx::doImage(Object*, Stream*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4646
        #6 0x7f8912ac4de0 in Gfx::opXObject(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4179
        #7 0x7f8912a9f33a in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:903
        #8 0x7f8912a9e50f in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:762
        #9 0x7f8912a9e163 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:728
        #10 0x7f8912b80e13 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:585
        #11 0x7f8912b8833f in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503
        #12 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222
        #13 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521
        #14 0x7f89121a8ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #15 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)

diff --git a/splash/Splash.cc b/splash/Splash.cc
index d9983b0..b303cf2 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -4875,6 +4875,9 @@ void Splash::scaleImageYuXuBilinear(SplashImageSource src, void *srcData,
   Guchar *destPtr0, *destPtr, *destAlphaPtr0, *destAlphaPtr;
   int i;
 
+  if (srcWidth < 1 || srcHeight < 1)
+    return;
+
   // allocate buffers
   srcBuf = (Guchar *)gmallocn(srcWidth+1, nComps); // + 1 pixel of padding
   lineBuf1 = (Guchar *)gmallocn(scaledWidth, nComps);
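Review bot: The new guard covers only the source dimensions, while the very next lines size lineBuf1 from scaledWidth and the scaling loops presumably walk scaledWidth and scaledHeight as well; if a caller can pass a zero or negative scaled size (not visible from the hunk), the same early return should cover it: `if (srcWidth < 1 || srcHeight < 1 || scaledWidth < 1 || scaledHeight < 1) return;`. The guard also deserves a why-comment tying it to the ASAN trace in the commit message, e.g. `// an empty source has nothing to sample; expandRow would read past srcBuf`. Returning early leaves the destination bitmap exactly as the caller allocated it, so callers must not assume it was written. scaleImageYuXuBilinear continues outside the hunk.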
commit 38ec8cbeeaf69d96b9d7bcd662187c8916cf7903
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Mar 28 11:18:02 2014 +0100

    Fix error reported by ASAN in 5782.asan.0.7113.pdf
    
    ==32161== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6008000e3bcf at pc 0x7f66bae0e117 bp 0x7fffcb54ea70 sp 0x7fffcb54ea68
    READ of size 1 at 0x6008000e3bcf thread T0
        #0 0x7f66bae0e116 in GooString::getChar(int) /home/tsdgeos/devel/poppler/goo/GooString.h:119
        #1 0x7f66bafb5dca in LinkURI::LinkURI(Object*, GooString*) /home/tsdgeos/devel/poppler/poppler/Link.cc:562
        #2 0x7f66bafb2a05 in LinkAction::parseAction(Object*, GooString*) /home/tsdgeos/devel/poppler/poppler/Link.cc:98
        #3 0x7f66bae69c0e in AnnotLink::initialize(PDFDoc*, Dict*) /home/tsdgeos/devel/poppler/poppler/Annot.cc:2621
        #4 0x7f66bae698d9 in AnnotLink::AnnotLink(PDFDoc*, Dict*, Object*) /home/tsdgeos/devel/poppler/poppler/Annot.cc:2596
        #5 0x7f66bae8d998 in Annots::createAnnot(Dict*, Object*) /home/tsdgeos/devel/poppler/poppler/Annot.cc:6737
        #6 0x7f66bae8d269 in Annots::Annots(PDFDoc*, int, Object*) /home/tsdgeos/devel/poppler/poppler/Annot.cc:6683
        #7 0x7f66bafc750d in Page::getAnnots(XRef*) /home/tsdgeos/devel/poppler/poppler/Page.cc:402
        #8 0x7f66bafc8e66 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:595
        #9 0x7f66bafd02fd in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503
        #10 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222
        #11 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521
        #12 0x7f66ba5f0ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #13 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)

diff --git a/poppler/Link.cc b/poppler/Link.cc
index 20184d1..4ab5f52 100644
--- a/poppler/Link.cc
+++ b/poppler/Link.cc
@@ -16,7 +16,7 @@
 // Copyright (C) 2006, 2008 Pino Toscano <pino at kde.org>
 // Copyright (C) 2007, 2010, 2011 Carlos Garcia Campos <carlosgc at gnome.org>
 // Copyright (C) 2008 Hugo Mercier <hmercier31 at gmail.com>
-// Copyright (C) 2008-2010, 2012, 2013 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008-2010, 2012-2014 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2009 Kovid Goyal <kovid at kovidgoyal.net>
 // Copyright (C) 2009 Ilya Gorenbein <igorenbein at finjan.com>
 // Copyright (C) 2012 Tobias Koening <tobias.koenig at kdab.com>
@@ -559,9 +559,11 @@ LinkURI::LinkURI(Object *uriObj, GooString *baseURI) {
       // relative URI
       if (baseURI) {
 	uri = baseURI->copy();
-	c = uri->getChar(uri->getLength() - 1);
-	if (c != '/' && c != '?') {
-	  uri->append('/');
+	if (uri->getLength() > 0) {
+	  c = uri->getChar(uri->getLength() - 1);
+	  if (c != '/' && c != '?') {
+	    uri->append('/');
+	  }
 	}
 	if (uri2->getChar(0) == '/') {
 	  uri->append(uri2->getCString() + 1, uri2->getLength() - 1);
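Review bot: The length check now protects the read of the base URI's last character, but the `uri2->getChar(0)` on the line right after it has the same shape and is not guarded; it is safe only if GooString keeps a terminating NUL so that an empty uri2 yields '\0' and takes the else branch, which the hunk does not show. Making the bound explicit costs nothing: `if (uri2->getLength() > 0 && uri2->getChar(0) == '/') {`. A one-line why-comment on the new guard would also help the next reader: `// baseURI may be empty; getChar(-1) reads before the buffer`. LinkURI::LinkURI continues on both sides of the hunk.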
commit 49b4eb68ee646aefe49b70f9e2831ebf93576053
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Mar 28 11:08:18 2014 +0100

    Fix error reported by ASAN in 590.asan.0.7288.pdf
    
    ==31898== ERROR: AddressSanitizer: heap-use-after-free on address 0x60ae0007432c at pc 0x7f03483026aa bp 0x7fff6ec0c820 sp 0x7fff6ec0c818
    READ of size 4 at 0x60ae0007432c thread T0
        #0 0x7f03483026a9 in SplashFTFont::getGlyphPath(int) /home/tsdgeos/devel/poppler/splash/SplashFTFont.cc:414
        #1 0x7f034829f681 in SplashOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/poppler/SplashOutputDev.cc:2239
        #2 0x7f0348100599 in Gfx::doShowText(GooString*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4054
        #3 0x7f03480fddb0 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3886
        #4 0x7f03480dc33a in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:903
        #5 0x7f03480db50f in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:762
        #6 0x7f03480db163 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:728
        #7 0x7f03481bddd1 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:585
        #8 0x7f03481c52fd in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503
        #9 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222
        #10 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521
        #11 0x7f03477e5ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #12 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)

diff --git a/splash/SplashFTFont.cc b/splash/SplashFTFont.cc
index aca8867..b785826 100644
--- a/splash/SplashFTFont.cc
+++ b/splash/SplashFTFont.cc
@@ -410,7 +410,7 @@ SplashPath *SplashFTFont::getGlyphPath(int c) {
   ff->face->size = sizeObj;
   FT_Set_Transform(ff->face, &textMatrix, NULL);
   slot = ff->face->glyph;
-  if (ff->codeToGID && c < ff->codeToGIDLen) {
+  if (ff->codeToGID && c < ff->codeToGIDLen && c >= 0) {
     gid = ff->codeToGID[c];
   } else {
     gid = (FT_UInt)c;
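Review bot: A negative c no longer indexes codeToGID, but it still reaches the else branch and becomes a very large glyph index through `gid = (FT_UInt)c;`; whether that is rejected depends on the FT_Load_Glyph call that presumably follows outside the hunk, so rejecting it up front would be clearer, e.g. `if (c < 0) return NULL;` before the lookup (assuming NULL is what getGlyphPath already returns on failure). The range check would also read more conventionally as `c >= 0 && c < ff->codeToGIDLen`. getGlyphPath continues outside the hunk.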
commit 89a64b508e5f8445798c95fcec6c87180f6c9b73
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Mar 28 00:35:17 2014 +0100

    Fix error reported by ASAN in 2279.asan.0.1904.pdf
    
    ==20507== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60420000ff04 at pc 0x7fa1492e8012 bp 0x7fff8406d900 sp 0x7fff8406d8f8
    READ of size 4 at 0x60420000ff04 thread T0
        #0 0x7fa1492e8011 in SplashFTFont::makeGlyph(int, int, int, SplashGlyphBitmap*, int, int, SplashClip*, SplashClipResult*) /home/tsdgeos/devel/poppler/splash/SplashFTFont.cc:284
        #1 0x7fa1492eda32 in SplashFont::getGlyph(int, int, int, SplashGlyphBitmap*, int, int, SplashClip*, SplashClipResult*) /home/tsdgeos/devel/poppler/splash/SplashFont.cc:168
        #2 0x7fa1492e7c69 in SplashFTFont::getGlyph(int, int, int, SplashGlyphBitmap*, int, int, SplashClip*, SplashClipResult*) /home/tsdgeos/devel/poppler/splash/SplashFTFont.cc:233
        #3 0x7fa1492b3368 in Splash::fillChar(double, double, int, SplashFont*) /home/tsdgeos/devel/poppler/splash/Splash.cc:2714
        #4 0x7fa149286a20 in SplashOutputDev::drawChar(GfxState*, double, double, double, double, double, double, unsigned int, int, unsigned int*, int) /home/tsdgeos/devel/poppler/poppler/SplashOutputDev.cc:2270
        #5 0x7fa1490e7599 in Gfx::doShowText(GooString*) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:4054
        #6 0x7fa1490e4db0 in Gfx::opShowSpaceText(Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:3886
        #7 0x7fa1490c333a in Gfx::execOp(Object*, Object*, int) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:903
        #8 0x7fa1490c250f in Gfx::go(bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:762
        #9 0x7fa1490c2163 in Gfx::display(Object*, bool) /home/tsdgeos/devel/poppler/poppler/Gfx.cc:728
        #10 0x7fa1491a4dd1 in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/Page.cc:585
        #11 0x7fa1491ac2fd in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /home/tsdgeos/devel/poppler/poppler/PDFDoc.cc:503
        #12 0x40311e in savePageSlice(PDFDoc*, SplashOutputDev*, int, int, int, int, int, double, double, char*) /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:222
        #13 0x404416 in main /home/tsdgeos/devel/poppler/utils/pdftoppm.cc:521
        #14 0x7fa1487ccec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #15 0x401d58 in _start (/home/tsdgeos/devel/poppler/build-debug/utils/pdftoppm+0x401d58)

diff --git a/splash/SplashFTFont.cc b/splash/SplashFTFont.cc
index 2a23625..aca8867 100644
--- a/splash/SplashFTFont.cc
+++ b/splash/SplashFTFont.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005, 2007-2011 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2007-2011, 2014 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2006 Kristian Høgsberg <krh at bitplanet.net>
 // Copyright (C) 2009 Petr Gajdos <pgajdos at novell.com>
 // Copyright (C) 2010 Suzuki Toshiya <mpsuzuki at hiroshima-u.ac.jp>
@@ -280,7 +280,7 @@ GBool SplashFTFont::makeGlyph(int c, int xFrac, int yFrac,
   FT_Set_Transform(ff->face, &matrix, &offset);
   slot = ff->face->glyph;
 
-  if (ff->codeToGID && c < ff->codeToGIDLen) {
+  if (ff->codeToGID && c < ff->codeToGIDLen && c >= 0) {
     gid = (FT_UInt)ff->codeToGID[c];
   } else {
     gid = (FT_UInt)c;
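Review bot: The same guarded lookup now appears in makeGlyph and in getGlyphPath, and in both a negative c still falls through to `gid = (FT_UInt)c;` rather than being rejected; a small private helper on SplashFTFont that maps a code to a gid and reports failure for c < 0 would keep the two call sites in step and give each an explicit failure path, which here would presumably be `return gFalse`. The range check also reads more conventionally as `c >= 0 && c < ff->codeToGIDLen`. makeGlyph continues outside the hunk.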

