[poppler] 2 commits - poppler/JPEG2000Stream.cc poppler/SplashOutputDev.cc
Albert Astals Cid
aacid at kde.org
Tue Jul 16 21:24:53 UTC 2019
El dimarts, 16 de juliol de 2019, a les 1:47:28 CEST, William Bader va escriure:
> Are sequences like 'surface_width = (int) ceil (fabs(kx));' safe? Can it wrap negative if the real number is too large for an int? Are all of the places using this idiom guaranteed never to overflow?
Probably not, but they don't cause a crash like dividing an integer by 0 does.
> In this particular patch would it be safer to use 'if (unlikely(surface_width <= 0 || surface_height <= 0)) {' ?
I haven't studied the code for more than 3 seconds but it doesn't seem like those values being negative would be a huge problem.
Cheers,
Albert
> Regards, William
>
> ________________________________
> From: poppler <poppler-bounces at lists.freedesktop.org> on behalf of GitLab Mirror <gitlab-mirror at kemper.freedesktop.org>
> Sent: Monday, July 15, 2019 6:06 PM
> To: poppler at lists.freedesktop.org
> Subject: [poppler] 2 commits - poppler/JPEG2000Stream.cc poppler/SplashOutputDev.cc
>
> poppler/JPEG2000Stream.cc | 2 +-
> poppler/SplashOutputDev.cc | 4 ++++
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> New commits:
> commit 68ef84e5968a4249c2162b839ca6d7975048a557
> Author: Albert Astals Cid <aacid at kde.org>
> Date: Mon Jul 15 23:24:22 2019 +0200
>
> JPXStream::init: ignore dict Length if clearly broken
>
> Fixes issue #805
>
> diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
> index 0eea3a2d..8e6902f4 100644
> --- a/poppler/JPEG2000Stream.cc
> +++ b/poppler/JPEG2000Stream.cc
> @@ -219,7 +219,7 @@ void JPXStream::init()
> }
>
> int bufSize = BUFFER_INITIAL_SIZE;
> - if (oLen.isInt()) bufSize = oLen.getInt();
> + if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
>
> bool indexed = false;
> if (cspace.isArray() && cspace.arrayGetLength() > 0) {
> commit b224e2f5739fe61de9fa69955d016725b2a4b78d
> Author: Albert Astals Cid <aacid at kde.org>
> Date: Mon Jul 15 22:11:09 2019 +0200
>
> SplashOutputDev::tilingPatternFill: Fix crash on broken file
>
> Issue #802
>
> diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
> index 544f132d..3d2befc2 100644
> --- a/poppler/SplashOutputDev.cc
> +++ b/poppler/SplashOutputDev.cc
> @@ -4581,6 +4581,10 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
> surface_width = (int) ceil (fabs(kx));
> surface_height = (int) ceil (fabs(ky));
> // adjust repeat values to completely fill region
> + if (unlikely(surface_width == 0 || surface_height == 0)) {
> + state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
> + return false;
> + }
> repeatX = result_width / surface_width;
> repeatY = result_height / surface_height;
> if (surface_width * repeatX < result_width)
> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler
>
More information about the poppler
mailing list