[poppler] 3 commits - CMakeLists.txt fofi/FoFiTrueType.cc poppler/SplashOutputDev.cc splash/SplashBitmap.cc splash/Splash.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Sat Feb 7 13:23:15 PST 2015


 CMakeLists.txt             |    5 +++++
 fofi/FoFiTrueType.cc       |   15 +++++++++++++--
 poppler/SplashOutputDev.cc |    4 ++--
 splash/Splash.cc           |   10 +++++++++-
 splash/SplashBitmap.cc     |    4 ++--
 5 files changed, 31 insertions(+), 7 deletions(-)

New commits:
commit cdb7ad95f7c8fbf63ade040d8a07ec96467042fc
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Feb 7 22:21:16 2015 +0100

    Fix malformed file crash in bug #85243

diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
index 2d65536..6ab8f9b 100644
--- a/fofi/FoFiTrueType.cc
+++ b/fofi/FoFiTrueType.cc
@@ -16,7 +16,7 @@
 // Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
 // Copyright (C) 2007 Koji Otani <sho at bbr.jp>
 // Copyright (C) 2007 Carlos Garcia Campos <carlosgc at gnome.org>
-// Copyright (C) 2008, 2009, 2012, 2014 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2008, 2009, 2012, 2014, 2015 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2008 Tomas Are Haavet <tomasare at gmail.com>
 // Copyright (C) 2012 Suzuki Toshiya <mpsuzuki at hiroshima-u.ac.jp>
 // Copyright (C) 2012 Adrian Johnson <ajohnson at redneon.com>
@@ -39,6 +39,7 @@
 #include <algorithm>
 #include "goo/gtypes.h"
 #include "goo/gmem.h"
+#include "goo/GooLikely.h"
 #include "goo/GooString.h"
 #include "goo/GooHash.h"
 #include "FoFiType1C.h"
@@ -937,7 +938,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc,
   GBool ok;
   Guint checksum;
   int nNewTables;
-  int glyfTableLen, length, pos, glyfPos, i, j, k;
+  int glyfTableLen, length, pos, glyfPos, i, j, k, vmtxTabLength;
   Guchar vheaTab[36] = {
     0, 1, 0, 0,			// table version number
     0, 0,			// ascent
@@ -1048,6 +1049,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc,
     }
   }
   vmtxTab = NULL; // make gcc happy
+  vmtxTabLength = 0;
   advance = 0; // make gcc happy
   if (needVerticalMetrics) {
     needVhea = seekTable("vhea") < 0;
@@ -1105,6 +1107,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc,
 	checksum = computeTableChecksum(vheaTab, length);
       } else if (needVerticalMetrics && i == t42VmtxTable) {
 	length = 4 + (nGlyphs - 1) * 2;
+	vmtxTabLength = length;
 	vmtxTab = (Guchar *)gmalloc(length);
 	vmtxTab[0] = advance / 256;
 	vmtxTab[1] = advance % 256;
@@ -1219,8 +1222,16 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFunc outputFunc,
 	  dumpString(file + tables[j].offset, tables[j].len,
 		     outputFunc, outputStream);
 	} else if (needVerticalMetrics && i == t42VheaTable) {
+	  if (unlikely(length >= (int)sizeof(vheaTab))) {
+	    error(errSyntaxWarning, -1, "length bigger than vheaTab size");
+	    length = sizeof(vheaTab) - 1;
+	  }
 	  dumpString(vheaTab, length, outputFunc, outputStream);
 	} else if (needVerticalMetrics && i == t42VmtxTable) {
+	  if (unlikely(length >= vmtxTabLength)) {
+	    error(errSyntaxWarning, -1, "length bigger than vmtxTab size");
+	    length = vmtxTabLength - 1;
+	  }
 	  dumpString(vmtxTab, length, outputFunc, outputStream);
 	}
       }
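Review bot: The new vhea guard rejects `length == sizeof(vheaTab)` although dumping exactly 36 bytes from the 36-byte `vheaTab` declared earlier in this function is in bounds, and the fallback `length = sizeof(vheaTab) - 1` then drops the last byte; if the first pass sets the vhea entry's length to the full table size (not visible here), every well-formed font with synthesized vertical metrics now loses a byte of its vhea table. The vmtx branch in the same hunk has the same off-by-one: `length >= vmtxTabLength` rejects the exact allocation size recorded by `vmtxTabLength = length` in the earlier hunk. A strict comparison with a clamp to the allocated size keeps the malformed-file fix and the valid case: `if (unlikely(length > (int)sizeof(vheaTab))) { error(...); length = sizeof(vheaTab); }` and `if (unlikely(length > vmtxTabLength)) { error(...); length = vmtxTabLength; }`. cvtSfnts begins and ends outside this hunk.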
commit 6641b935e1fc0c4151a723b6b476d987b8324ed2
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Feb 7 21:58:23 2015 +0100

    If ECM is around include the sanitizers module
    
    This way you can run
      cmake -DECM_ENABLE_SANITIZERS='address'
    and get an ASAN built poppler

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7d34c69..2c67b0b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,11 @@ test_big_endian(WORDS_BIGENDIAN)
 include(CheckFileOffsetBits)
 CHECK_FILE_OFFSET_BITS()
 
+find_package (ECM 1.6.0 QUIET NO_MODULE)
+if (ECM_FOUND)
+    include("${ECM_MODULE_DIR}/ECMEnableSanitizers.cmake")
+endif()
+
 set(POPPLER_MAJOR_VERSION "0")
 set(POPPLER_MINOR_VERSION "31")
 set(POPPLER_MICRO_VERSION "0")
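Review bot: Because the lookup is `QUIET` and the include is conditional, a build configured with `-DECM_ENABLE_SANITIZERS=address` on a machine without ECM silently produces an uninstrumented binary, which is the opposite of what a sanitizer run over malformed-file reproducers needs. A warning in the fallthrough branch closes that gap: `elseif (ECM_ENABLE_SANITIZERS)` followed by `message(WARNING "ECM_ENABLE_SANITIZERS is set but ECM was not found; building without sanitizers")` before the `endif()`.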
commit 92e41685dcef538a7fc669ca357ce9f448a8078e
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Feb 7 21:54:39 2015 +0100

    Fix crash in malformed file from bug #85275

diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 97af5c4..6640ab5 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -4048,8 +4048,8 @@ void SplashOutputDev::setSoftMask(GfxState *state, double *bbox,
   p = softMask->getDataPtr() + ty * softMask->getRowSize() + tx;
   int xMax = tBitmap->getWidth();
   int yMax = tBitmap->getHeight();
-  if (xMax + tx > bitmap->getWidth()) xMax = bitmap->getWidth() - tx;
-  if (yMax + ty > bitmap->getHeight()) yMax = bitmap->getHeight() - ty;
+  if (xMax > bitmap->getWidth() - tx) xMax = bitmap->getWidth() - tx;
+  if (yMax > bitmap->getHeight() - ty) yMax = bitmap->getHeight() - ty;
   for (y = 0; y < yMax; ++y) {
     for (x = 0; x < xMax; ++x) {
       if (alpha) {
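Review bot: The rewritten comparisons are only overflow-safe when tx and ty are non-negative; `bitmap->getWidth() - tx` can itself overflow for a large negative tx, and nothing in the hunk establishes the sign of either offset (any clamping happens outside it). The pointer `p` at the top of the hunk is also derived from tx and ty before the clamp, so an out-of-range offset yields an out-of-range pointer even though the loops then execute zero iterations. If the offsets are guaranteed in range by the caller, a comment stating the precondition would protect the next reader: `// tx/ty are assumed non-negative and within the bitmap; the subtractions below are only overflow-safe under that assumption`. setSoftMask begins and ends outside this hunk.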
diff --git a/splash/Splash.cc b/splash/Splash.cc
index fde272a..142516f 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005-2014 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005-2015 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
 // Copyright (C) 2010-2014 Thomas Freitag <Thomas.Freitag at alfa.de>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
@@ -5214,6 +5214,10 @@ SplashError Splash::composite(SplashBitmap *src, int xSrc, int ySrc,
     return splashErrModeMismatch;
   }
 
+  if (unlikely(!bitmap->data)) {
+    return splashErrZeroImage;
+  }
+
   if(src->getSeparationList()->getLength() > bitmap->getSeparationList()->getLength()) {
     for (x = bitmap->getSeparationList()->getLength(); x < src->getSeparationList()->getLength(); x++)
       bitmap->getSeparationList()->append(((GfxSeparationColorSpace *)src->getSeparationList()->get(x))->copy());
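Review bot: The new guard checks only the destination's `bitmap->data`; if the source bitmap can be constructed in the same zero-size state (the sibling SplashBitmap change suggests `data` can be null there), a null `src` buffer reaches the pixel loops below unchecked. The blitTransparent hunk further down has the same one-sided check. Extending both guards costs nothing: `if (unlikely(!bitmap->data || !src->data)) { return splashErrZeroImage; }`. composite begins and ends outside this hunk.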
@@ -5783,6 +5787,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
     return splashErrModeMismatch;
   }
 
+  if (unlikely(!bitmap->data)) {
+    return splashErrZeroImage;
+  }
+
   switch (bitmap->mode) {
   case splashModeMono1:
     for (y = 0; y < h; ++y) {
diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc
index ac344f1..e886683 100644
--- a/splash/SplashBitmap.cc
+++ b/splash/SplashBitmap.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 2010, 2012 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2009, 2010, 2012, 2015 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2007 Ilmari Heikkinen <ilmari.heikkinen at gmail.com>
 // Copyright (C) 2009 Shen Liang <shenzhuxi at gmail.com>
 // Copyright (C) 2009 Stefan Thomas <thomas at eload24.com>
@@ -275,7 +275,7 @@ SplashError SplashBitmap::writeAlphaPGMFile(char *fileName) {
 void SplashBitmap::getPixel(int x, int y, SplashColorPtr pixel) {
   SplashColorPtr p;
 
-  if (y < 0 || y >= height || x < 0 || x >= width) {
+  if (y < 0 || y >= height || x < 0 || x >= width || !data) {
     return;
   }
   switch (mode) {
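Review bot: The extended early return leaves `*pixel` unwritten and gives the caller no signal, so a caller reading `pixel` after a call on a data-less bitmap consumes whatever was there before; that is pre-existing for the out-of-range case, but the new `!data` condition widens it to every pixel of such a bitmap. A comment on the return would make the contract explicit: `// out of range, or no backing store: *pixel is left untouched`. getPixel begins in this hunk and ends outside it.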

