[poppler] 2 commits - poppler/JPEG2000Stream.cc poppler/SplashOutputDev.cc
William Bader
williambader at hotmail.com
Mon Jul 15 23:47:28 UTC 2019
Are sequences like 'surface_width = (int) ceil (fabs(kx));' safe? Can it wrap negative if the real number is too large for an int? Are all of the places using this idiom guaranteed never to overflow?
In this particular patch would it be safer to use 'if (unlikely(surface_width <= 0 || surface_height <= 0)) {' ?
Regards, William
________________________________
From: poppler <poppler-bounces at lists.freedesktop.org> on behalf of GitLab Mirror <gitlab-mirror at kemper.freedesktop.org>
Sent: Monday, July 15, 2019 6:06 PM
To: poppler at lists.freedesktop.org
Subject: [poppler] 2 commits - poppler/JPEG2000Stream.cc poppler/SplashOutputDev.cc
poppler/JPEG2000Stream.cc | 2 +-
poppler/SplashOutputDev.cc | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
New commits:
commit 68ef84e5968a4249c2162b839ca6d7975048a557
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jul 15 23:24:22 2019 +0200
JPXStream::init: ignore dict Length if clearly broken
Fixes issue #805
diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
index 0eea3a2d..8e6902f4 100644
--- a/poppler/JPEG2000Stream.cc
+++ b/poppler/JPEG2000Stream.cc
@@ -219,7 +219,7 @@ void JPXStream::init()
}
int bufSize = BUFFER_INITIAL_SIZE;
- if (oLen.isInt()) bufSize = oLen.getInt();
+ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
bool indexed = false;
if (cspace.isArray() && cspace.arrayGetLength() > 0) {
commit b224e2f5739fe61de9fa69955d016725b2a4b78d
Author: Albert Astals Cid <aacid at kde.org>
Date: Mon Jul 15 22:11:09 2019 +0200
SplashOutputDev::tilingPatternFill: Fix crash on broken file
Issue #802
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 544f132d..3d2befc2 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -4581,6 +4581,10 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
surface_width = (int) ceil (fabs(kx));
surface_height = (int) ceil (fabs(ky));
// adjust repeat values to completely fill region
+ if (unlikely(surface_width == 0 || surface_height == 0)) {
+ state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
+ return false;
+ }
repeatX = result_width / surface_width;
repeatY = result_height / surface_height;
if (surface_width * repeatX < result_width)
_______________________________________________
poppler mailing list
poppler at lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/poppler/attachments/20190715/cf5db98f/attachment.html>
More information about the poppler
mailing list