[poppler] 16 commits - goo/GooHash.cc poppler/Annot.cc poppler/Form.cc poppler/Function.cc poppler/GfxFont.cc poppler/GfxState.cc poppler/JBIG2Stream.cc poppler/Parser.cc poppler/SplashOutputDev.cc poppler/Stream.cc utils/HtmlFonts.cc utils/HtmlFonts.h
Albert Astals Cid
aacid at kemper.freedesktop.org
Wed Jun 21 20:31:29 UTC 2017
Rebased ref, commits from common ancestor:
commit 3a2759aa2a98c2157cb35731b95e393b8882f8d3
Author: Jose Aliste <jaliste at src.gnome.org>
Date: Tue May 16 18:44:49 2017 -0400
Check numComps is between reasonable bounds
Before this patch, some PDFs might crash poppler because of an overflow
when numComps does not lie in the range 1 to 4.
This is a security fix for CVE-2017-0319.
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d93c560e..e3d5cf6a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -32,6 +32,7 @@
// Copyright (C) 2013 Pino Toscano <pino at kde.org>
// Copyright (C) 2015 Suzuki Toshiya <mpsuzuki at hiroshima-u.ac.jp>
// Copyright (C) 2015 Jason Crain <jason at aquaticape.us>
+// Copyright (C) 2017 Jose Aliste <jaliste at src.gnome.org>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+
+ if (numComps <= 0 || numComps > 4) {
+ error(errSyntaxError, getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {
error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec);
return gFalse;
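Review bot: The new `numComps` bound is applied only in readProgressiveSOF; the baseline SOF reader is not in this hunk and, if it reads numComps with the same `str->getChar()` pattern, it needs the identical guard (it may already have one — confirm). The `numComps = 0;` before the early return is the non-obvious line and deserves a why-comment, e.g. `// leave no components so per-component loops on this failed stream do nothing`, to be adjusted once the cleanup path is checked. Note that the `prec != 8` return just below does not reset numComps, so the two failure paths leave the object in different states. readProgressiveSOF starts before this hunk and continues after it.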
commit d9c88e1c8892c79b8865a0dabdcc0d3ffd55c195
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed Jun 21 00:56:38 2017 +0200
Fix crash in malformed documents
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index e6cd329b..f61f8124 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4034,18 +4034,18 @@ GfxUnivariateShading::~GfxUnivariateShading() {
void GfxUnivariateShading::getColor(double t, GfxColor *color) {
double out[gfxColorMaxComps];
- int i, nComps;
+ int i;
+
+ // NB: there can be one function with n outputs or n functions with
+ // one output each (where n = number of color components)
+ const int nComps = nFuncs * funcs[0]->getOutputSize();
- if (unlikely(nFuncs < 1)) {
+ if (unlikely(nFuncs < 1 || nComps > gfxColorMaxComps)) {
for (int i = 0; i < gfxColorMaxComps; i++)
color->c[i] = 0;
return;
}
- // NB: there can be one function with n outputs or n functions with
- // one output each (where n = number of color components)
- nComps = nFuncs * funcs[0]->getOutputSize();
-
if (cacheSize > 0) {
double x, ix, *l, *u, *upper;
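Review bot: `funcs[0]->getOutputSize()` is now evaluated at `const int nComps = nFuncs * funcs[0]->getOutputSize();` before `nFuncs < 1` is tested, so the guard that commit e465d36 added for an empty function list no longer protects the dereference — with nFuncs == 0, funcs[0] is read unconditionally (whether it holds a null or stale pointer in that case is not visible here, but the earlier fix implies the case is reachable). Keep the combined check but defer the dereference: `const int nComps = (nFuncs < 1) ? 0 : nFuncs * funcs[0]->getOutputSize();`. getColor continues past the end of the hunk.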
commit 55db66c69fd56826b8523710046deab1a8d14ba2
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed Jun 21 00:55:20 2017 +0200
Fix crash in malformed documents
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 48535883..d89108c8 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -896,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
oneByte = x0 == ((x1 - 1) & ~7);
for (yy = y0; yy < y1; ++yy) {
- if (unlikely(y + yy) >= h)
+ if (unlikely((y + yy >= h) || (y + yy < 0)))
continue;
// one byte per line -- need to mask both left and right side
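Review bot: The guard now rejects rows above the destination as well as below it, but the matching column side is not in the hunk: if `x` can be negative for the same reason `y` can, the per-byte column arithmetic later in the loop needs the same treatment (hedged — the rest of combine is outside this view). Add a why-comment on the guard, e.g. `// y may be negative for malformed input: skip rows outside the destination bitmap`. JBIG2Bitmap::combine starts before and ends after this hunk.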
commit 5266fa426d73c5dbdb3dd903d50885097833acc6
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Jun 20 23:58:26 2017 +0200
Fix crash in malformed document
Bug #101526
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4ac91078..d93c560e 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -468,7 +468,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
nVals = width * nComps;
inputLineSize = (nVals * nBits + 7) >> 3;
- if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
+ if (nComps <= 0 || nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
inputLineSize = -1;
}
inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
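Review bot: The validation still runs after the arithmetic it is meant to protect: `nVals = width * nComps;` and `(nVals * nBits + 7)` are computed on the lines above the `if`, so an oversized width or nComps already overflows a signed int (undefined behaviour) before `width > INT_MAX / nComps` is consulted, and the new `nComps <= 0` term only prevents the division by zero inside that test. Move the range checks ahead of the products, as below. A negative width is still not rejected by either version, and whether gmallocn_checkoverflow tolerates a negative inputLineSize is not visible here. The constructor starts before this hunk.
```cpp
ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) {
  // … unchanged: member initialisation …
  // Check the operands before multiplying: signed overflow in
  // width * nComps or nVals * nBits is undefined behaviour.
  if (nComps <= 0 || nBits <= 0 || width > INT_MAX / nComps) {
    nVals = 0;
    inputLineSize = -1;
  } else {
    nVals = width * nComps;
    inputLineSize = (nVals > INT_MAX / nBits - 7) ? -1 : (nVals * nBits + 7) >> 3;
  }
  inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
```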
commit 112b8ab16128c6e7f80fe7c1890f7b63abd85cce
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Jun 20 23:51:16 2017 +0200
Fix crash in broken documents
Fixes bug #101525
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 067fb7f0..48535883 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -760,6 +760,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
JBIG2Bitmap *slice;
Guint xx, yy;
+ if (!data) {
+ return nullptr;
+ }
+
slice = new JBIG2Bitmap(0, wA, hA);
if (slice->isOk()) {
slice->clearToZero();
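Review bot: getSlice now returns nullptr for a bitmap whose `data` is null, which turns a crash here into a null return that every caller must check; none of the call sites are in this hunk, so that contract should be stated where the function is declared, e.g. `// returns nullptr when this bitmap holds no data; callers must check`. The `slice->isOk()` test that follows shows the function already has a second failure mode, so the comment should say what callers get in each case. getSlice continues past the hunk.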
@@ -3827,6 +3831,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
JBIG2BitmapPtr tpgrCXPtr2 = {0};
int x, y, pix;
+ if (!refBitmap) {
+ return nullptr;
+ }
+
bitmap = new JBIG2Bitmap(0, w, h);
if (!bitmap->isOk())
{
commit 4e68bf998f886cab8a45fa315164d8ba7aa0dee4
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Jun 20 23:43:23 2017 +0200
Fix crash on broken documents
Fixes bug #101524
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index d26ba02b..067fb7f0 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -15,7 +15,7 @@
//
// Copyright (C) 2006 Raj Kumar <rkumar at archive.org>
// Copyright (C) 2006 Paul Walmsley <paul at booyaka.com>
-// Copyright (C) 2006-2010, 2012, 2014-2016 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006-2010, 2012, 2014-2017 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2009 David Benjamin <davidben at mit.edu>
// Copyright (C) 2011 Edward Jiang <ejiang at google.com>
// Copyright (C) 2012 William Bader <williambader at hotmail.com>
@@ -1304,7 +1304,7 @@ Goffset JBIG2Stream::getPos() {
int JBIG2Stream::getChars(int nChars, Guchar *buffer) {
int n, i;
- if (nChars <= 0) {
+ if (nChars <= 0 || !dataPtr) {
return 0;
}
if (dataEnd - dataPtr < nChars) {
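Review bot: The `!dataPtr` test lacks a why-comment: nothing here says when dataPtr is null — presumably before any page has been decoded or after decoding failed — and the next reader cannot tell whether returning 0 means end of data or an error. Suggest `// no decoded page data (decoding not run or failed): report end of data`, corrected to the actual cause once confirmed. getChars continues past the hunk.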
commit 558cdb4a4efbb2227f4009f5d87cdd94bfb40107
Author: Albert Astals Cid <aacid at kde.org>
Date: Tue Jun 20 23:37:26 2017 +0200
Fix crash in malformed documents
Fixes bug #101523
diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc
index ea23e03a..b59ec06c 100644
--- a/poppler/GfxFont.cc
+++ b/poppler/GfxFont.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2005, 2006, 2008-2010, 2012, 2014, 2015 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2005, 2006, 2008-2010, 2012, 2014, 2015, 2017 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2005, 2006 Kristian Høgsberg <krh at redhat.com>
// Copyright (C) 2006 Takashi Iwai <tiwai at suse.de>
// Copyright (C) 2007 Julien Rebetez <julienr at svn.gnome.org>
@@ -2371,7 +2371,7 @@ int *GfxCIDFont::getCodeToGIDMap(FoFiTrueType *ff, int *mapsizep) {
Ref embID;
*mapsizep = 0;
- if (!ctu) return NULL;
+ if (!ctu || !getCollection()) return NULL;
if (getCollection()->cmp("Adobe-Identity") == 0) return NULL;
if (getEmbeddedFontID(&embID)) {
/* if this font is embedded font,
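Review bot: `getCollection()` is now called twice in succession, once for the null test and again on the next line; caching it in a local reads better and makes the null check and the use visibly the same object: `GooString *coll = getCollection();` / `if (!ctu || !coll) return NULL;` / `if (coll->cmp("Adobe-Identity") == 0) return NULL;` (assuming it returns a GooString*, as the `cmp` call suggests). getCodeToGIDMap continues past the hunk.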
commit f7030a0176ed0ab484a401acc26072060e420679
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jun 19 23:45:24 2017 +0200
Fix crash on broken documents
Bug #101505
diff --git a/goo/GooHash.cc b/goo/GooHash.cc
index f4a92f17..49f58c5f 100644
--- a/goo/GooHash.cc
+++ b/goo/GooHash.cc
@@ -6,6 +6,20 @@
//
//========================================================================
+//========================================================================
+//
+// Modified under the Poppler project - http://poppler.freedesktop.org
+//
+// All changes made under the Poppler project to this file are licensed
+// under GPL version 2 or later
+//
+// Copyright (C) 2017 Albert Astals Cid <aacid at kde.org>
+//
+// To see a description of the changes please see the Changelog file that
+// came with your tarball or type make ChangeLog if you are building from git
+//
+//========================================================================
+
#include <config.h>
#ifdef USE_GCC_PRAGMAS
@@ -15,6 +29,7 @@
#include "gmem.h"
#include "GooString.h"
#include "GooHash.h"
+#include "GooLikely.h"
//------------------------------------------------------------------------
@@ -339,6 +354,9 @@ void GooHash::expand() {
GooHashBucket *GooHash::find(GooString *key, int *h) {
GooHashBucket *p;
+ if (unlikely(!key))
+ return nullptr;
+
*h = hash(key);
for (p = tab[*h]; p; p = p->next) {
if (!p->key->cmp(key)) {
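Review bot: On the new null-key path `*h` is never assigned, because the early return happens before `*h = hash(key);`; a nullptr from find is also the ordinary not-found result, and a caller that then inserts at `tab[*h]` (the usual pattern for an add after a failed find — those callers are outside this hunk) would index with an uninitialized value. Either the public entry points that call find need the same `!key` rejection, or find should document that `*h` is only meaningful for a non-null key, e.g. `// key may be null on malformed input: *h is left unset, callers must not insert`. find continues past the hunk.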
commit e465d36b8ecf46b80af4ac6b941ae56eb4883a89
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jun 19 23:35:29 2017 +0200
Fix crash on malformed files
Bug #101502
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index b17925f4..e6cd329b 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4036,6 +4036,12 @@ void GfxUnivariateShading::getColor(double t, GfxColor *color) {
double out[gfxColorMaxComps];
int i, nComps;
+ if (unlikely(nFuncs < 1)) {
+ for (int i = 0; i < gfxColorMaxComps; i++)
+ color->c[i] = 0;
+ return;
+ }
+
// NB: there can be one function with n outputs or n functions with
// one output each (where n = number of color components)
nComps = nFuncs * funcs[0]->getOutputSize();
@@ -4089,6 +4095,9 @@ void GfxUnivariateShading::setupCache(const Matrix *ctm,
cacheBounds = NULL;
cacheSize = 0;
+ if (unlikely(nFuncs < 1))
+ return;
+
// NB: there can be one function with n outputs or n functions with
// one output each (where n = number of color components)
nComps = nFuncs * funcs[0]->getOutputSize();
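Review bot: The early return relies on `cacheBounds = NULL` and `cacheSize = 0` having just been set above it, which is what makes getColor's `cacheSize > 0` test fall through to the uncached path; that dependency is worth a comment on the guard: `// no functions: leave the cache empty so getColor takes the uncached path`. setupCache starts before and continues past the hunk.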
commit e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jun 19 23:18:51 2017 +0200
Fix crash on malformed files
Bug #101500
diff --git a/poppler/Function.cc b/poppler/Function.cc
index 7f359b8e..785933df 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2008-2010, 2013-2015 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2008-2010, 2013-2015, 2017 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
// Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
@@ -1623,7 +1623,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
case psOpIdiv:
i2 = stack->popInt();
i1 = stack->popInt();
- stack->pushInt(i1 / i2);
+ if (likely(i2 != 0)) {
+ stack->pushInt(i1 / i2);
+ }
break;
case psOpIndex:
stack->index(stack->popInt());
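Review bot: When `i2` is zero the idiv case now pops two operands and pushes nothing, so the stack is one entry shorter than every later operator expects and the outputs read at the end of exec shift by one; pushing a placeholder (0 is the usual choice — what the PDF calculator specification prescribes for this error is not visible here) keeps the depth right. The same line also traps on `INT_MIN / -1`, which C++ leaves undefined and x86 raises as a divide error, so the guard should cover both: `if (unlikely(i2 == 0 || (i1 == INT_MIN && i2 == -1))) stack->pushInt(0); else stack->pushInt(i1 / i2);` (INT_MIN needs <climits> if Function.cc does not already include it). PostScriptFunction::exec starts before and continues past the hunk.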
@@ -1659,7 +1661,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) {
case psOpMod:
i2 = stack->popInt();
i1 = stack->popInt();
- stack->pushInt(i1 % i2);
+ if (likely(i2 != 0)) {
+ stack->pushInt(i1 % i2);
+ }
break;
case psOpMul:
if (stack->topTwoAreInts()) {
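Review bot: Same stack-depth problem as the idiv case: with `i2 == 0` two operands are popped and nothing is pushed, so every operator after the mod sees a shifted stack; push a placeholder instead of skipping. `i1 % -1` with `i1 == INT_MIN` also raises a hardware divide error on x86 even though the mathematical result is 0, so handle -1 explicitly: `if (unlikely(i2 == 0)) stack->pushInt(0); else stack->pushInt(i2 == -1 ? 0 : i1 % i2);`. exec starts before and continues past the hunk.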
commit 17e4111da1ae5c9798ca0c040bf75c01bbb72a8a
Author: Albert Astals Cid <aacid at kde.org>
Date: Sat Jun 17 17:47:23 2017 +0200
Break earlier on reaching recursion limit
Bug #101379
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 28a54607..8079ca1d 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2006 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
// Copyright (C) 2009 Ilya Gorenbein <igorenbein at finjan.com>
// Copyright (C) 2012 Hib Eris <hib at hiberis.nl>
@@ -87,8 +87,14 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
inlineImg = 0;
}
+ if (unlikely(recursion >= recursionLimit)) {
+ obj->free();
+ obj->initError();
+ return obj;
+ }
+
// array
- if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("[")) {
+ if (!simpleOnly && buf1.isCmd("[")) {
shift();
obj->initArray(xref);
while (!buf1.isCmd("]") && !buf1.isEOF())
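Review bot: The new early return at `if (unlikely(recursion >= recursionLimit))` hands back an error object without calling `shift()`, so the current token is left in buf1 for the caller; a caller loop that waits for `]` or `>>` therefore only terminates if it breaks on the error result itself. The dictionary loop gets such a break in a later hunk of this commit, but the array loop at `while (!buf1.isCmd("]") && !buf1.isEOF())` continues past the hunk and no matching break is visible — confirm it has one, or a deeply nested array can spin forever at the limit. The early return also deserves a comment: `// over the limit: buf1 is not consumed, the caller must stop on the error`. getObj starts before and ends after the hunk.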
@@ -101,7 +107,7 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
shift();
// dictionary or stream
- } else if (!simpleOnly && likely(recursion < recursionLimit) && buf1.isCmd("<<")) {
+ } else if (!simpleOnly && buf1.isCmd("<<")) {
shift(objNum);
obj->initDict(xref);
while (!buf1.isCmd(">>") && !buf1.isEOF()) {
@@ -119,6 +125,9 @@ Object *Parser::getObj(Object *obj, GBool simpleOnly,
break;
}
obj->dictAdd(key, getObj(&obj2, gFalse, fileKey, encAlgorithm, keyLength, objNum, objGen, recursion + 1));
+ if (unlikely(obj2.isError() && recursion + 1 >= recursionLimit)) {
+ break;
+ }
}
}
if (buf1.isEOF()) {
commit 8e1a2474c5513f7b2f4718258ca90e2d6e03f127
Author: Albert Astals Cid <aacid at kde.org>
Date: Sat Jun 17 12:35:41 2017 +0200
pdftohmtl: Initialize rotSkewMat
Fixes uninitialized memory read at bug #100314
diff --git a/utils/HtmlFonts.cc b/utils/HtmlFonts.cc
index a12992ec..49376d65 100644
--- a/utils/HtmlFonts.cc
+++ b/utils/HtmlFonts.cc
@@ -156,6 +156,7 @@ HtmlFont::HtmlFont(GfxFont *font, int _size, GfxRGB rgb){
pos = font_num;
if (!DefaultFont) DefaultFont=new GooString(fonts[font_num].name);
+ rotSkewMat[0] = rotSkewMat[1] = rotSkewMat[2] = rotSkewMat[3] = 0;
}
HtmlFont::HtmlFont(const HtmlFont& x){
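Review bot: Zeroing `rotSkewMat` at the end of this constructor body fixes the reported read, but a member initialised in one constructor body is easy to miss in the next one; if HtmlFonts builds as C++11 (the `nullptr` uses elsewhere in this series suggest so), an in-class initializer in the header, `double rotSkewMat[4] = {0, 0, 0, 0};`, covers every constructor at once and lets this line go. Whether `rotOrSkewed` is set on this path is not visible in the hunk — the default constructor removed in the next commit used to set it — so confirm this constructor does too. The constructor starts before the hunk.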
commit dd7b0eec87ffc389ee3ba7319442e681e19b15ba
Author: Albert Astals Cid <aacid at kde.org>
Date: Sat Jun 17 12:33:35 2017 +0200
Remove unused constructor
diff --git a/utils/HtmlFonts.h b/utils/HtmlFonts.h
index 7993c78e..252d5f90 100644
--- a/utils/HtmlFonts.h
+++ b/utils/HtmlFonts.h
@@ -18,7 +18,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2010 OSSD CDAC Mumbai by Leena Chourey (leenac at cdacmumbai.in) and Onkar Potdar (onkar at cdacmumbai.in)
-// Copyright (C) 2010, 2012 Albert Astals Cid <aacid at kde.org>
+// Copyright (C) 2010, 2012, 2017 Albert Astals Cid <aacid at kde.org>
// Copyright (C) 2011 Steven Murdoch <Steven.Murdoch at cl.cam.ac.uk>
// Copyright (C) 2011 Joshua Richardson <jric at chegg.com>
// Copyright (C) 2012 Igor Slepchin <igor.slepchin at gmail.com>
@@ -72,7 +72,6 @@ class HtmlFont{
double rotSkewMat[4]; // only four values needed for rotation and skew
public:
- HtmlFont(){FontName=NULL; rotOrSkewed = gFalse;}
HtmlFont(GfxFont *font,int _size, GfxRGB rgb);
HtmlFont(const HtmlFont& x);
HtmlFont& operator=(const HtmlFont& x);
commit 5b05222ccd18a121ea2ae1d67b8b5d4947cdfce0
Author: Albert Astals Cid <aacid at kde.org>
Date: Sat Jun 17 12:33:06 2017 +0200
Fix crash in malformed file
Bug #101429
diff --git a/poppler/Annot.cc b/poppler/Annot.cc
index 279f650d..974b098b 100644
--- a/poppler/Annot.cc
+++ b/poppler/Annot.cc
@@ -5401,7 +5401,7 @@ void AnnotScreen::initialize(PDFDoc *docA, Dict* dict) {
action = NULL;
if (dict->lookup("A", &obj1)->isDict()) {
action = LinkAction::parseAction(&obj1, doc->getCatalog()->getBaseURI());
- if (action->getKind() == actionRendition && page == 0) {
+ if (action && action->getKind() == actionRendition && page == 0) {
error (errSyntaxError, -1, "Invalid Rendition action: associated screen annotation without P");
delete action;
action = NULL;
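Review bot: The null test is right, but the line reads as if parseAction never fails; a why-comment would save the next reader a trip: `// parseAction may return NULL for an /A it cannot parse; action then stays NULL` (that parseAction signals failure with NULL is inferred from this guard — confirm). Nothing reports the failed parse, which is fine only if callers treat a null action as "no action". AnnotScreen::initialize starts before and continues past the hunk.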
commit e1b5053e54b0ef7d6b09f3b9c97883db533d509a
Author: Even Rouault <even.rouault at spatialys.com>
Date: Fri Jun 16 00:21:53 2017 +0200
Fix crash on broken file
Fixes bug #101366
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index b9fa6cbd..5502be64 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -37,6 +37,7 @@
// Copyright (C) 2015 Tamas Szekeres <szekerest at gmail.com>
// Copyright (C) 2015 Kenji Uno <ku at digitaldolphins.jp>
// Copyright (C) 2016 Takahiro Hashimoto <kenya888.en at gmail.com>
+// Copyright (C) 2017 Even Rouault <even.rouault at spatialys.com>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -2725,7 +2726,7 @@ void SplashOutputDev::type3D1(GfxState *state, double wx, double wy,
int i, j;
// ignore multiple d0/d1 operators
- if (t3GlyphStack->haveDx) {
+ if (!t3GlyphStack || t3GlyphStack->haveDx) {
return;
}
t3GlyphStack->haveDx = gTrue;
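Review bot: The `!t3GlyphStack` return is silent, yet a d1 operator arriving with no Type 3 glyph in progress is malformed content rather than the benign repeat the comment above describes; an `error(errSyntaxError, -1, "d1 operator outside a Type 3 glyph")` before the return, or at least a comment `// d1 outside a Type 3 glyph: malformed content, ignore`, would make the case visible when debugging such files, and `ignore multiple d0/d1 operators` should be reworded to cover both conditions. The sibling type3D0 handler is outside the hunk and presumably dereferences t3GlyphStack the same way — confirm it has the same guard. type3D1 continues past the hunk.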
commit 9e05af3da0ce14c48f0652e01718960c6bc7b4b0
Author: Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
Date: Wed Jun 14 23:19:48 2017 +0200
FormFieldButton::setState() shouldn't check the field is readOnly
Bug #101419
diff --git a/poppler/Form.cc b/poppler/Form.cc
index ced3140c..4627a432 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -17,6 +17,7 @@
// Copyright 2012 Fabio D'Urso <fabiodurso at hotmail.it>
// Copyright 2015 André Guerreiro <aguerreiro1985 at gmail.com>
// Copyright 2015 André Esser <bepandre at hotmail.com>
+// Copyright 2017 Hans-Ulrich Jüttner <huj at froreich-bioscientia.de>
//
//========================================================================
@@ -903,11 +904,6 @@ void FormFieldButton::fillChildrenSiblingsID()
GBool FormFieldButton::setState(char *state)
{
- if (readOnly) {
- error(errInternal, -1, "FormFieldButton::setState called on a readOnly field\n");
- return gFalse;
- }
-
// A check button could behave as a radio button
// when it's in a set of more than 1 buttons
if (btype != formButtonRadio && btype != formButtonCheck)