[poppler] 3 commits - poppler/GfxState.cc splash/Splash.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Wed May 23 17:11:47 UTC 2018
poppler/GfxState.cc | 10 ++++++++++
splash/Splash.cc | 4 ++--
2 files changed, 12 insertions(+), 2 deletions(-)
New commits:
commit 8d715bfc7c3610b823721dc26368728795baa2fe
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed May 23 15:44:05 2018 +0200
GfxPatchMeshShading::parse: Error out if BitsPerCoordinate <= 0
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 77adfd0e..b76c52d9 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -5129,6 +5129,10 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
error(errSyntaxWarning, -1, "Missing or invalid BitsPerCoordinate in shading dictionary");
return nullptr;
}
+ if (unlikely(coordBits <= 0)) {
+ error(errSyntaxWarning, -1, "Invalid BitsPerCoordinate in shading dictionary");
+ return nullptr;
+ }
obj1 = dict->lookup("BitsPerComponent");
if (obj1.isInt()) {
compBits = obj1.getInt();
commit f5fb32bd4b64040dc0f9b9e1555dabce804ba566
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed May 23 15:38:26 2018 +0200
Splash::scaleMaskYuXu: Also check for srcHeight <= 0
diff --git a/splash/Splash.cc b/splash/Splash.cc
index fc92bc18..0ee71077 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -3550,8 +3550,8 @@ void Splash::scaleMaskYuXu(SplashImageMaskSource src, void *srcData,
return;
}
- if (unlikely(srcWidth <= 0)) {
- error(errSyntaxError, -1, "srcWidth <= 0 in Splash::scaleMaskYuXu");
+ if (unlikely(srcWidth <= 0 || srcHeight <= 0)) {
+ error(errSyntaxError, -1, "srcWidth <= 0 || srcHeight <= 0 in Splash::scaleMaskYuXu");
return;
}
commit 0318e1667c7b137493f22be61b835eb914f68fa9
Author: Albert Astals Cid <aacid at kde.org>
Date: Wed May 23 15:34:32 2018 +0200
GfxPatchMeshShading::parse: Fix memory leak on malformed documents
fixes oss-fuzz/8487
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 21c09c8f..77adfd0e 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -5293,6 +5293,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 1:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[0][3];
@@ -5329,6 +5330,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 2:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[3][3];
@@ -5365,6 +5367,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 3:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[3][0];
@@ -5444,6 +5447,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 1:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[0][3];
@@ -5488,6 +5492,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 2:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[3][3];
@@ -5532,6 +5537,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di
case 3:
if (nPatchesA == 0) {
gfree(patchesA);
+ for (int k = 0; k < nFuncsA; ++k) delete funcsA[k];
return nullptr;
}
p->x[0][0] = patchesA[nPatchesA-1].x[3][0];
More information about the poppler
mailing list