[poppler] 4 commits - poppler/Form.cc poppler/JBIG2Stream.cc poppler/PSOutputDev.cc splash/Splash.cc

Sun Sep 4 13:32:39 UTC 2016

poppler/Form.cc        |    4 ++++
 poppler/JBIG2Stream.cc |    2 ++
 poppler/PSOutputDev.cc |    4 ++++
 splash/Splash.cc       |    4 +---
 4 files changed, 11 insertions(+), 3 deletions(-)

New commits:
commit 4552af28684e18c6153ce5598b121a73477af4d6
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 4 15:24:14 2016 +0200

    Do not crash on invalid files where nStripes is 0
    
    Bug #85276

diff --git a/poppler/PSOutputDev.cc b/poppler/PSOutputDev.cc
index 204f16e..183e929 100644
--- a/poppler/PSOutputDev.cc
+++ b/poppler/PSOutputDev.cc
@@ -3346,6 +3346,10 @@ GBool PSOutputDev::checkPageSlice(Page *page, double /*hDPI*/, double /*vDPI*/,
   }
   nStripes = (int)ceil((double)(sliceW * sliceH) /
 		       (double)rasterizationSliceSize);
+  if (unlikely(nStripes == 0)) {
+      delete splashOut;
+      return gFalse;
+  }
   stripeH = (sliceH + nStripes - 1) / nStripes;
 
   // render the stripes
commit 364c15795a0508d421ca636bc7b71f93039a82b1
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sun Sep 4 15:23:25 2016 +0200

    Always delete aaBuf if it is there
    
    Doesn't matter if antialias is temporarily disabled

diff --git a/splash/Splash.cc b/splash/Splash.cc
index 4d33cf7..e179c1c 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -1642,9 +1642,7 @@ Splash::~Splash() {
     restoreState();
   }
   delete state;
-  if (vectorAntialias) {
-    delete aaBuf;
-  }
+  delete aaBuf;
 }
 
 //------------------------------------------------------------------------
commit 22c4701d5f7be0010ee4519daa546fba5ab7ac13
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Aug 26 15:18:22 2016 +0200

    Fix crash in files with broken JBIG2Streams

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 9f12d5d..a1d2f97 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -892,6 +892,8 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
   oneByte = x0 == ((x1 - 1) & ~7);
 
   for (yy = y0; yy < y1; ++yy) {
+    if (unlikely(y + yy) >= h)
+      continue;
 
     // one byte per line -- need to mask both left and right side
     if (oneByte) {
commit c46b8b99b3a2d51692d889df22136cb737d3a47f
Author: Albert Astals Cid <aacid at kde.org>
Date:   Fri Aug 26 14:53:19 2016 +0200

    Fix memory leak when parsing broken Forms

diff --git a/poppler/Form.cc b/poppler/Form.cc
index d5f4dd1..8e3b265 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -518,6 +518,8 @@ FormField::FormField(PDFDoc *docA, Object *aobj, const Ref& aref, FormField *par
 
           if (terminal) {
             error(errSyntaxWarning, -1, "Field can't have both Widget AND Field as kids\n");
+            childObj.free();
+            childRef.free();
             continue;
           }
 
@@ -530,6 +532,8 @@ FormField::FormField(PDFDoc *docA, Object *aobj, const Ref& aref, FormField *par
             error(errSyntaxWarning, -1, "Field can't have both Widget AND Field as kids\n");
             obj2.free();
             obj3.free();
+            childObj.free();
+            childRef.free();
             continue;
           }
           _createWidget(&childObj, ref);
