[poppler] 16 commits - goo/GooHash.cc poppler/Annot.cc poppler/Form.cc poppler/Function.cc poppler/GfxFont.cc poppler/GfxState.cc poppler/JBIG2Stream.cc poppler/Parser.cc poppler/SplashOutputDev.cc poppler/Stream.cc utils/HtmlFonts.cc utils/HtmlFonts.h

Albert Astals Cid aacid at kemper.freedesktop.org
Wed Jun 21 20:31:29 UTC 2017


Rebased ref, commits from common ancestor:
commit 3a2759aa2a98c2157cb35731b95e393b8882f8d3
Author: Jose Aliste <jaliste at src.gnome.org>
Date:   Tue May 16 18:44:49 2017 -0400

    Check numComps is between reasonable bounds
    
    Before this patch, a malformed PDF could crash the decoder because of an
    overflow when numComps does not lie between 1 and 4 (inclusive).
    This is a security fix for CVE-2017-0319.

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d93c560e..e3d5cf6a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -32,6 +32,7 @@
 // Copyright (C) 2013 Pino Toscano <pino at kde.org>
 // Copyright (C) 2015 Suzuki Toshiya <mpsuzuki at hiroshima-u.ac.jp>
 // Copyright (C) 2015 Jason Crain <jason at aquaticape.us>
+// Copyright (C) 2017 Jose Aliste <jaliste at src.gnome.org>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() {
   height = read16();
   width = read16();
   numComps = str->getChar();
+
+  if (numComps <= 0 || numComps > 4) {
+    error(errSyntaxError, getPos(), "Bad number of components in DCT stream");
+    numComps = 0;
+    return gFalse;
+  }
   if (prec != 8) {
     error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec);
     return gFalse;
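Review bot: The new check at line 35 drops the offending value from its error message while the prec check immediately below it reports `{0:d}`; for triage of fuzzed files it is worth matching that style, `error(errSyntaxError, getPos(), "Bad number of components in DCT stream {0:d}", numComps);`. Since str->getChar() returns -1 at end of stream, `numComps <= 0` already covers a truncated header, which is good. The commit touches only readProgressiveSOF; if a baseline SOF reader in the same file reads numComps with the same getChar() call it presumably needs the identical 1..4 guard, which cannot be confirmed from this hunk. readProgressiveSOF's body continues past the hunk.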
commit d9c88e1c8892c79b8865a0dabdcc0d3ffd55c195
Author: Albert Astals Cid <aacid at kde.org>
Date:   Wed Jun 21 00:56:38 2017 +0200

    Fix crash in malformed documents

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index e6cd329b..f61f8124 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4034,18 +4034,18 @@ GfxUnivariateShading::~GfxUnivariateShading() {
 
 void GfxUnivariateShading::getColor(double t, GfxColor *color) {
   double out[gfxColorMaxComps];
-  int i, nComps;
+  int i;
+
+  // NB: there can be one function with n outputs or n functions with
+  // one output each (where n = number of color components)
+  const int nComps = nFuncs * funcs[0]->getOutputSize();
 
-  if (unlikely(nFuncs < 1)) {
+  if (unlikely(nFuncs < 1 || nComps > gfxColorMaxComps)) {
     for (int i = 0; i < gfxColorMaxComps; i++)
         color->c[i] = 0;
     return;
   }
 
-  // NB: there can be one function with n outputs or n functions with
-  // one output each (where n = number of color components)
-  nComps = nFuncs * funcs[0]->getOutputSize();
-
   if (cacheSize > 0) {
     double x, ix, *l, *u, *upper;
 
commit 55db66c69fd56826b8523710046deab1a8d14ba2
Author: Albert Astals Cid <aacid at kde.org>
Date:   Wed Jun 21 00:55:20 2017 +0200

    Fix crash in malformed documents

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 48535883..d89108c8 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -896,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
   oneByte = x0 == ((x1 - 1) & ~7);
 
   for (yy = y0; yy < y1; ++yy) {
-    if (unlikely(y + yy) >= h)
+    if (unlikely((y + yy >= h) || (y + yy < 0)))
       continue;
 
     // one byte per line -- need to mask both left and right side
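Review bot: Only the row index is clipped here; x0/x1 are computed before the hunk, and whether a negative `x` or `x + x1 > w` is rejected the same way cannot be confirmed from this view, so the column side deserves the same treatment. `y + yy` is a signed sum of two values that may both be attacker-controlled; if `y` can come straight from segment region info, clamping it against `h` once before the loop would be safer than relying on the addition not wrapping. A short comment, `// rows outside the destination bitmap are skipped; y may be negative for regions placed above it`, would record why the second test was needed. combine's body starts and ends outside the hunk.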
commit 5266fa426d73c5dbdb3dd903d50885097833acc6
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Jun 20 23:58:26 2017 +0200

    Fix crash in malformed document
    
    Bug #101526

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4ac91078..d93c560e 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -468,7 +468,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
 
   nVals = width * nComps;
   inputLineSize = (nVals * nBits + 7) >> 3;
-  if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
+  if (nComps <= 0 || nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
     inputLineSize = -1;
   }
   inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
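Review bot: The added `nComps <= 0` test keeps `INT_MAX / nComps` from faulting, but `nVals = width * nComps` and `nVals * nBits` on lines 111–112 are still evaluated before any of the checks, so the multiplications the checks are meant to guard have already happened (signed overflow being undefined) by the time inputLineSize is set to -1. Validate the parameters first and only form the products once the bounds hold. A negative `width` also passes all three tests as written and produces a negative inputLineSize; whether gmallocn_checkoverflow rejects a negative count is not visible here, so an explicit `width < 0` test is cheap insurance, assuming nothing later relies on nVals when inputLineSize is -1. The constructor continues beyond the hunk.
```cpp
  // validate before multiplying: the products are only formed once the bounds
  // hold, so the overflow checks run on the operands, not on a wrapped result
  if (nComps <= 0 || nBits <= 0 || width < 0 || width > INT_MAX / nComps ||
      width * nComps > INT_MAX / nBits - 7) {
    nVals = 0;
    inputLineSize = -1;
  } else {
    nVals = width * nComps;
    inputLineSize = (nVals * nBits + 7) >> 3;
  }
  // … unchanged: inputLine allocation …
```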
commit 112b8ab16128c6e7f80fe7c1890f7b63abd85cce
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Jun 20 23:51:16 2017 +0200

    Fix crash in broken documents
    
    Fixes bug #101525

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 067fb7f0..48535883 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -760,6 +760,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
   JBIG2Bitmap *slice;
   Guint xx, yy;
 
+  if (!data) {
+      return nullptr;
+  }
+
   slice = new JBIG2Bitmap(0, wA, hA);
   if (slice->isOk()) {
     slice->clearToZero();
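Review bot: getSlice now has a null return that every caller must handle, and the hunk shows none of them; the refinement-region check in the next hunk covers one path, but any other getSlice caller that dereferences the result immediately would only move the crash. A comment on the new return, `// returns nullptr when this bitmap has no backing data (its allocation failed)`, would make the new contract visible at the call sites. That `data` is only null after a failed allocation is inferred from the `isOk()` pattern on the line below and should be confirmed. getSlice's body continues beyond the hunk.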
@@ -3827,6 +3831,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
   JBIG2BitmapPtr tpgrCXPtr2 = {0};
   int x, y, pix;
 
+  if (!refBitmap) {
+      return nullptr;
+  }
+
   bitmap = new JBIG2Bitmap(0, w, h);
   if (!bitmap->isOk())
   {
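Review bot: The new guard says nothing about when refBitmap can be null; a line such as `// refBitmap is null when the referenced region failed to decode; nothing to refine against` above it would tell the reader this is an expected malformed-input path rather than a programming error. That the null comes from the getSlice change in the previous hunk is an inference and should be confirmed against the callers, which are outside the hunk. readGenericRefinementRegion's body continues beyond the hunk.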
commit 4e68bf998f886cab8a45fa315164d8ba7aa0dee4
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Jun 20 23:43:23 2017 +0200

    Fix crash on broken documents
    
    Fixes bug #101524

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index d26ba02b..067fb7f0 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -15,7 +15,7 @@
 //
 // Copyright (C) 2006 Raj Kumar <rkumar at archive.org>
 // Copyright (C) 2006 Paul Walmsley <paul at booyaka.com>
-// Copyright (C) 2006-2010, 2012, 2014-2016 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006-2010, 2012, 2014-2017 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2009 David Benjamin <davidben at mit.edu>
 // Copyright (C) 2011 Edward Jiang <ejiang at google.com>
 // Copyright (C) 2012 William Bader <williambader at hotmail.com>
@@ -1304,7 +1304,7 @@ Goffset JBIG2Stream::getPos() {
 int JBIG2Stream::getChars(int nChars, Guchar *buffer) {
   int n, i;
 
-  if (nChars <= 0) {
+  if (nChars <= 0 || !dataPtr) {
     return 0;
   }
   if (dataEnd - dataPtr < nChars) {
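Review bot: Returning 0 when dataPtr is null makes getChars report end-of-data for a page that never decoded, which is the right shape, but the single-character readers of the same class (getChar/lookChar) are not in the hunk and presumably read through dataPtr the same way; they need an equivalent null test or callers using those paths still crash. A short comment would help the next reader: `// no page bitmap was produced (malformed stream): behave as if at EOF`. getChars' remaining lines are outside the hunk.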
commit 558cdb4a4efbb2227f4009f5d87cdd94bfb40107
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue Jun 20 23:37:26 2017 +0200

    Fix crash in malformed documents
    
    Fixes bug #101523

diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc
index ea23e03a..b59ec06c 100644
--- a/poppler/GfxFont.cc
+++ b/poppler/GfxFont.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005, 2006, 2008-2010, 2012, 2014, 2015 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2006, 2008-2010, 2012, 2014, 2015, 2017 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2005, 2006 Kristian Høgsberg <krh at redhat.com>
 // Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
 // Copyright (C) 2007 Julien Rebetez <julienr at svn.gnome.org>
@@ -2371,7 +2371,7 @@ int *GfxCIDFont::getCodeToGIDMap(FoFiTrueType *ff, int *mapsizep) {
   Ref embID;
 
   *mapsizep = 0;
-  if (!ctu) return NULL;
+  if (!ctu || !getCollection()) return NULL;
   if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
   if (getEmbeddedFontID(&embID)) {
    /* if this font is embedded font, 
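Review bot: getCollection() is now called twice in a row on lines 208–209, once for the null test and once for the comparison; caching it in a local keeps the two from drifting and reads more clearly: `GooString *collection = getCollection(); if (!ctu || !collection) return NULL; if (collection->cmp("Adobe-Identity") == 0) return NULL;`. The type of the collection is inferred from the `cmp` call and should be checked against the header. getCodeToGIDMap continues beyond the hunk.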
commit f7030a0176ed0ab484a401acc26072060e420679
Author: Albert Astals Cid <aacid at kde.org>
Date:   Mon Jun 19 23:45:24 2017 +0200

    Fix crash on broken documents
    
    Bug #101505

diff --git a/goo/GooHash.cc b/goo/GooHash.cc
index f4a92f17..49f58c5f 100644
--- a/goo/GooHash.cc
+++ b/goo/GooHash.cc
@@ -6,6 +6,20 @@
 //
 //========================================================================
 
+//========================================================================
+//
+// Modified under the Poppler project - http://poppler.freedesktop.org
+//
+// All changes made under the Poppler project to this file are licensed
+// under GPL version 2 or later
+//
+// Copyright (C) 2017 Albert Astals Cid <aacid at kde.org>
+//
+// To see a description of the changes please see the Changelog file that
+// came with your tarball or type make ChangeLog if you are building from git
+//
+//========================================================================
+
 #include <config.h>
 
 #ifdef USE_GCC_PRAGMAS
@@ -15,6 +29,7 @@
 #include "gmem.h"
 #include "GooString.h"
 #include "GooHash.h"
+#include "GooLikely.h"
 
 //------------------------------------------------------------------------
 
@@ -339,6 +354,9 @@ void GooHash::expand() {
 GooHashBucket *GooHash::find(GooString *key, int *h) {
   GooHashBucket *p;
 
+  if (unlikely(!key))
+    return nullptr;
+
   *h = hash(key);
   for (p = tab[*h]; p; p = p->next) {
     if (!p->key->cmp(key)) {
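Review bot: The null-key early return leaves `*h` unassigned, so any caller that reads the hash slot after a null result (the usual `if (!(p = find(key, &h))) … tab[h]` shape) would use an uninitialized int; either set `*h = 0;` before `return nullptr;` or state in a comment that `*h` is undefined when the key is null. Whether such a caller exists cannot be seen from this hunk. find's remaining lines are outside the hunk.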
commit e465d36b8ecf46b80af4ac6b941ae56eb4883a89
Author: Albert Astals Cid <aacid at kde.org>
Date:   Mon Jun 19 23:35:29 2017 +0200

    Fix crash on malformed files
    
    Bug #101502

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index b17925f4..e6cd329b 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4036,6 +4036,12 @@ void GfxUnivariateShading::getColor(double t, GfxColor *color) {
   double out[gfxColorMaxComps];
   int i, nComps;
 
+  if (unlikely(nFuncs < 1)) {
+    for (int i = 0; i < gfxColorMaxComps; i++)
+        color->c[i] = 0;
+    return;
+  }
+
   // NB: there can be one function with n outputs or n functions with
   // one output each (where n = number of color components)
   nComps = nFuncs * funcs[0]->getOutputSize();
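Review bot: The loop variable in the new guard, `for (int i = 0; …)`, shadows the `int i` declared two lines earlier at line 277; reusing the existing `i` avoids a shadow warning and matches the rest of the function. Zero-filling the colour is a sensible fallback for a shading with no functions and deserves a one-line comment saying so, `// no functions: degrade to black rather than read funcs[0]`. getColor's body continues beyond the hunk.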
@@ -4089,6 +4095,9 @@ void GfxUnivariateShading::setupCache(const Matrix *ctm,
   cacheBounds = NULL;
   cacheSize = 0;
 
+  if (unlikely(nFuncs < 1))
+    return;
+
   // NB: there can be one function with n outputs or n functions with
   // one output each (where n = number of color components)
   nComps = nFuncs * funcs[0]->getOutputSize();
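Review bot: The early return leaves cacheBounds NULL and cacheSize 0, which is only safe because getColor takes the uncached path when cacheSize is not positive; that dependency is worth recording next to the return: `// no functions: leave the cache empty, getColor() only uses it when cacheSize > 0`. That getColor branches on `cacheSize > 0` is taken from the other hunk of this file on this page. setupCache continues beyond the hunk.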
commit e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6
Author: Albert Astals Cid <aacid at kde.org>
Date:   Mon Jun 19 23:18:51 2017 +0200

    Fix crash on malformed files
    
    Bug #101500

diff --git a/poppler/Function.cc b/poppler/Function.cc
index 7f359b8e..785933df 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010, 2013-2015 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2008-2010, 2013-2015, 2017 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
 // Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
@@ -1623,7 +1623,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
       case psOpIdiv:
 	i2 = stack->popInt();
 	i1 = stack->popInt();
-	stack->pushInt(i1 / i2);
+	if (likely(i2 != 0)) {
+	  stack->pushInt(i1 / i2);
+	}
 	break;
       case psOpIndex:
 	stack->index(stack->popInt());
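Review bot: The division guard stops `i2 == 0`, but `INT_MIN / -1` is still reachable from an attacker-controlled PostScript calculator function and traps (SIGFPE) on common targets. Extend the test to `if (likely(i2 != 0 && !(i2 == -1 && i1 == INT_MIN)))` (INT_MIN comes from <climits>, if that header is not already included here). Skipping the push also leaves the operand stack one element shorter than the program expects; pushing 0 in the error case would keep the stack shape predictable for later operators, though how popInt reacts to underflow is not visible in this hunk. exec's body starts and ends outside the hunk.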
@@ -1659,7 +1661,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
       case psOpMod:
 	i2 = stack->popInt();
 	i1 = stack->popInt();
-	stack->pushInt(i1 % i2);
+	if (likely(i2 != 0)) {
+	  stack->pushInt(i1 % i2);
+	}
 	break;
       case psOpMul:
 	if (stack->topTwoAreInts()) {
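Review bot: `i1 % i2` has the same undefined corner as the division above: `INT_MIN % -1` is undefined in C++ and traps on x86 even though the mathematical result is 0. Guard it explicitly, `if (likely(i2 != 0 && !(i2 == -1 && i1 == INT_MIN)))`, or push 0 for that case. As with idiv, silently skipping the push changes the stack depth the rest of the program sees. exec's body starts and ends outside the hunk.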
commit 17e4111da1ae5c9798ca0c040bf75c01bbb72a8a
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Jun 17 17:47:23 2017 +0200

    Break earlier on reaching recursion limit
    
    Bug #101379

diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 28a54607..8079ca1d 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2006 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
 // Copyright (C) 2009 Ilya Gorenbein <igorenbein at finjan.com>
 // Copyright (C) 2012 Hib Eris <hib at hiberis.nl>
@@ -87,8 +87,14 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
     inlineImg = 0;
   }
 
+  if (unlikely(recursion >= recursionLimit)) {
+    obj->free();
+    obj->initError();
+    return obj;
+  }
+
   // array
-  if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("[")) {
+  if (!simpleOnly && buf1.isCmd("[")) {
     shift();
     obj->initArray(xref);
     while (!buf1.isCmd("]") && !buf1.isEOF())
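Review bot: The new early return at lines 366–370 exits without calling shift(), so buf1 is left untouched; the array loop at line 377 keeps iterating while buf1 is neither `]` nor EOF, and its body (outside the hunk) presumably calls getObj with `recursion + 1`. If it lacks the break that the dictionary branch receives later in this commit, a deeply nested `[[[[…` would spin on the same token, adding an error element each pass until memory runs out. Add the same `if (unlikely(obj2.isError() && recursion + 1 >= recursionLimit)) break;` after the element is added, or consume the token before returning the error. getObj's body continues beyond the hunk.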
@@ -101,7 +107,7 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
     shift();
 
   // dictionary or stream
-  } else if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("<<")) {
+  } else if (!simpleOnly && buf1.isCmd("<<")) {
     shift(objNum);
     obj->initDict(xref);
     while (!buf1.isCmd(">>") && !buf1.isEOF()) {
@@ -119,6 +125,9 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
 	  break;
 	}
 	obj->dictAdd(key, getObj(&obj2, gFalse, fileKey, encAlgorithm, keyLength, objNum, objGen, recursion + 1));
+	if (unlikely(obj2.isError() && recursion + 1 >= recursionLimit)) {
+	  break;
+	}
       }
     }
     if (buf1.isEOF()) {
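Review bot: The break relies on a subtle property of the early-return path added above — getObj at the limit returns an error object without shifting the token stream — and nothing says so, so a reader may take it for an optimisation. A comment such as `// getObj() returns errors at the recursion limit without consuming input; without this break the loop would never advance` makes the invariant explicit. The test also reads obj2 after dictAdd took it, which appears to hold for the Object API in use here but should be re-checked if that API changes. getObj continues beyond the hunk.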
commit 8e1a2474c5513f7b2f4718258ca90e2d6e03f127
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Jun 17 12:35:41 2017 +0200

    pdftohmtl: Initialize rotSkewMat
    
    Fixes uninitialized memory read at bug #100314

diff --git a/utils/HtmlFonts.cc b/utils/HtmlFonts.cc
index a12992ec..49376d65 100644
--- a/utils/HtmlFonts.cc
+++ b/utils/HtmlFonts.cc
@@ -156,6 +156,7 @@ HtmlFont::HtmlFont(GfxFont *font, int _size, GfxRGB rgb){
     pos = font_num; 
   if (!DefaultFont) DefaultFont=new GooString(fonts[font_num].name);
 
+  rotSkewMat[0] = rotSkewMat[1] = rotSkewMat[2] = rotSkewMat[3] = 0;
 }
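Review bot: The zero-fill at line 413 fixes this constructor, but the copy constructor whose signature begins on the next line is outside the hunk; if it copies members individually rather than the whole array, `rotSkewMat` stays uninitialised in copies and the reported uninitialised read reappears, so that path should be checked. Initialising the array in the constructor's initializer list would make it impossible to miss on any path; as a trailing statement it is easy to lose in a future edit. Whether rotOrSkewed is set in this constructor is not visible either.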
  
 HtmlFont::HtmlFont(const HtmlFont& x){
commit dd7b0eec87ffc389ee3ba7319442e681e19b15ba
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Jun 17 12:33:35 2017 +0200

    Remove unused constructor

diff --git a/utils/HtmlFonts.h b/utils/HtmlFonts.h
index 7993c78e..252d5f90 100644
--- a/utils/HtmlFonts.h
+++ b/utils/HtmlFonts.h
@@ -18,7 +18,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2010 OSSD CDAC Mumbai by Leena Chourey (leenac at cdacmumbai.in) and Onkar Potdar (onkar at cdacmumbai.in)
-// Copyright (C) 2010, 2012 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2010, 2012, 2017 Albert Astals Cid <aacid at kde.org>
 // Copyright (C) 2011 Steven Murdoch <Steven.Murdoch at cl.cam.ac.uk>
 // Copyright (C) 2011 Joshua Richardson <jric at chegg.com>
 // Copyright (C) 2012 Igor Slepchin <igor.slepchin at gmail.com>
@@ -72,7 +72,6 @@ class HtmlFont{
    double rotSkewMat[4]; // only four values needed for rotation and skew
 public:  
 
-   HtmlFont(){FontName=NULL; rotOrSkewed = gFalse;}
    HtmlFont(GfxFont *font,int _size, GfxRGB rgb);
    HtmlFont(const HtmlFont& x);
    HtmlFont& operator=(const HtmlFont& x);
commit 5b05222ccd18a121ea2ae1d67b8b5d4947cdfce0
Author: Albert Astals Cid <aacid at kde.org>
Date:   Sat Jun 17 12:33:06 2017 +0200

    Fix crash in malformed file
    
    Bug #101429

diff --git a/poppler/Annot.cc b/poppler/Annot.cc
index 279f650d..974b098b 100644
--- a/poppler/Annot.cc
+++ b/poppler/Annot.cc
@@ -5401,7 +5401,7 @@ void AnnotScreen::initialize(PDFDoc *docA, Dict* dict) {
   action = NULL;
   if (dict->lookup("A", &obj1)->isDict()) {
     action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());
-    if (action->getKind() == actionRendition && page == 0) {
+    if (action && action->getKind() == actionRendition && page == 0) {
       error (errSyntaxError, -1, "Invalid Rendition action: associated screen annotation without P");
       delete action;
       action = NULL;
commit e1b5053e54b0ef7d6b09f3b9c97883db533d509a
Author: Even Rouault <even.rouault at spatialys.com>
Date:   Fri Jun 16 00:21:53 2017 +0200

    Fix crash on broken file
    
    Fixes bug #101366

diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index b9fa6cbd..5502be64 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -37,6 +37,7 @@
 // Copyright (C) 2015 Tamas Szekeres <szekerest at gmail.com>
 // Copyright (C) 2015 Kenji Uno <ku at digitaldolphins.jp>
 // Copyright (C) 2016 Takahiro Hashimoto <kenya888.en at gmail.com>
+// Copyright (C) 2017 Even Rouault <even.rouault at spatialys.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -2725,7 +2726,7 @@ void SplashOutputDev::type3D1(GfxState *state, double wx, double wy,
   int i, j;
 
   // ignore multiple d0/d1 operators
-  if (t3GlyphStack->haveDx) {
+  if (!t3GlyphStack || t3GlyphStack->haveDx) {
     return;
   }
   t3GlyphStack->haveDx = gTrue;
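Review bot: The comment above the guard still says only `ignore multiple d0/d1 operators`, but the condition now also covers a d1 arriving with no Type 3 glyph in progress; update it to `// ignore d1 outside a Type 3 glyph (no glyph stack) and multiple d0/d1 operators`. The d0 handler (type3D0) is not in the hunk and presumably touches t3GlyphStack the same way, so it needs the same null test if it does not already have one. type3D1's body continues beyond the hunk.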
commit 9e05af3da0ce14c48f0652e01718960c6bc7b4b0
Author: Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
Date:   Wed Jun 14 23:19:48 2017 +0200

    FormFieldButton::setState() shouldn't check the field is readOnly
    
    Bug #101419

diff --git a/poppler/Form.cc b/poppler/Form.cc
index ced3140c..4627a432 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -17,6 +17,7 @@
 // Copyright 2012 Fabio D'Urso <fabiodurso at hotmail.it>
 // Copyright 2015 André Guerreiro <aguerreiro1985 at gmail.com>
 // Copyright 2015 André Esser <bepandre at hotmail.com>
+// Copyright 2017 Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
 //
 //========================================================================
 
@@ -903,11 +904,6 @@ void FormFieldButton::fillChildrenSiblingsID()
 
 GBool FormFieldButton::setState(char *state)
 {
-  if (readOnly) {
-    error(errInternal, -1, "FormFieldButton::setState called on a readOnly field\n");
-    return gFalse;
-  }
-
   // A check button could behave as a radio button
   // when it's in a set of more than 1 buttons
   if (btype != formButtonRadio && btype != formButtonCheck)

