<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Are sequences like 'surface_width = (int) ceil (fabs(kx));' safe? Can it wrap negative if the real number is too large for an int? Are all of the places using this idiom guaranteed never to overflow?</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
In this particular patch would it be safer to use 'if (unlikely(surface_width <= 0 || surface_height <= 0)) {' ?</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Regards, William</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> poppler <poppler-bounces@lists.freedesktop.org> on behalf of GitLab Mirror <gitlab-mirror@kemper.freedesktop.org><br>
<b>Sent:</b> Monday, July 15, 2019 6:06 PM<br>
<b>To:</b> poppler@lists.freedesktop.org<br>
<b>Subject:</b> [poppler] 2 commits - poppler/JPEG2000Stream.cc poppler/SplashOutputDev.cc</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText">poppler/JPEG2000Stream.cc | 2 +-<br>
poppler/SplashOutputDev.cc | 4 ++++<br>
2 files changed, 5 insertions(+), 1 deletion(-)<br>
<br>
New commits:<br>
commit 68ef84e5968a4249c2162b839ca6d7975048a557<br>
Author: Albert Astals Cid <aacid@kde.org><br>
Date: Mon Jul 15 23:24:22 2019 +0200<br>
<br>
JPXStream::init: ignore dict Length if clearly broken<br>
<br>
Fixes issue #805<br>
<br>
diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc<br>
index 0eea3a2d..8e6902f4 100644<br>
--- a/poppler/JPEG2000Stream.cc<br>
+++ b/poppler/JPEG2000Stream.cc<br>
@@ -219,7 +219,7 @@ void JPXStream::init()<br>
}<br>
<br>
int bufSize = BUFFER_INITIAL_SIZE;<br>
- if (oLen.isInt()) bufSize = oLen.getInt();<br>
+ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();<br>
<br>
bool indexed = false;<br>
if (cspace.isArray() && cspace.arrayGetLength() > 0) {<br>
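<br>
Review bot: on the changed bufSize line, the new test only rejects zero and negative Length values; a very large positive Length from a broken file is still copied into bufSize unchecked. Consider bounding it from above as well, falling back to BUFFER_INITIAL_SIZE when it is out of range, and read oLen.getInt() into a local once instead of calling it twice.<br>
<br>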
commit b224e2f5739fe61de9fa69955d016725b2a4b78d<br>
Author: Albert Astals Cid <aacid@kde.org><br>
Date: Mon Jul 15 22:11:09 2019 +0200<br>
<br>
SplashOutputDev::tilingPatternFill: Fix crash on broken file<br>
<br>
Issue #802<br>
<br>
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc<br>
index 544f132d..3d2befc2 100644<br>
--- a/poppler/SplashOutputDev.cc<br>
+++ b/poppler/SplashOutputDev.cc<br>
@@ -4581,6 +4581,10 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat<br>
surface_width = (int) ceil (fabs(kx));<br>
surface_height = (int) ceil (fabs(ky));<br>
// adjust repeat values to completely fill region<br>
+ if (unlikely(surface_width == 0 || surface_height == 0)) {<br>
+ state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);<br>
+ return false;<br>
+ }<br>
repeatX = result_width / surface_width;<br>
repeatY = result_height / surface_height;<br>
if (surface_width * repeatX < result_width)<br>
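<br>
Review bot: the added guard tests only for == 0, which does not cover the two casts directly above it. If ceil(fabs(kx)) or ceil(fabs(ky)) is outside the range of int, the (int) conversion is undefined behaviour in C++ and can yield a negative value, which passes this guard and reaches the divisions and the surface_width * repeatX product below. Range-check the floating-point values before casting, or at least reject non-positive results here.<br>
<br>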
_______________________________________________<br>
poppler mailing list<br>
poppler@lists.freedesktop.org<br>
<a href="https://lists.freedesktop.org/mailman/listinfo/poppler">https://lists.freedesktop.org/mailman/listinfo/poppler</a></div>
</span></font></div>
</div>
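<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
One way to make the '(int) ceil (fabs(kx))' idiom asked about at the top of this message safe is to range-check in floating point before converting. This is an added example, not poppler code and not from either author; ceilAbsToPositiveInt, Tiling and computeTiling are hypothetical names, and computeTiling only mirrors the two divisions visible in the hunk.</div>

```cpp
#include <climits>
#include <cmath>
#include <cstdio>

// Hypothetical helper (not part of poppler): performs (int) ceil(fabs(v))
// only when the result is representable as a strictly positive int.
// Returns false for NaN, infinities, zero and magnitudes above INT_MAX.
static bool ceilAbsToPositiveInt(double v, int *out)
{
    const double c = std::ceil(std::fabs(v));
    // NaN fails every comparison, so the negated form rejects it as well.
    if (!(c >= 1.0 && c <= static_cast<double>(INT_MAX))) {
        return false;
    }
    *out = static_cast<int>(c); // value is in range, so the conversion is defined
    return true;
}

// Hypothetical stand-in for the surface size and repeat values in the hunk.
struct Tiling {
    int surfaceW, surfaceH, repeatX, repeatY;
};

static bool computeTiling(double kx, double ky, int resultW, int resultH, Tiling *t)
{
    // Both sizes are validated before any division uses them.
    if (!ceilAbsToPositiveInt(kx, &t->surfaceW) || !ceilAbsToPositiveInt(ky, &t->surfaceH)) {
        return false;
    }
    t->repeatX = resultW / t->surfaceW; // divisor is at least 1
    t->repeatY = resultH / t->surfaceH;
    return true;
}

int main()
{
    // Constructed sample inputs: a normal scale, a zero scale, an oversized scale.
    const double samples[] = { 2.5, 0.0, 1e12 };
    for (double k : samples) {
        Tiling t;
        const bool ok = computeTiling(k, k, 10, 10, &t);
        std::printf("k=%g -> %s\n", k, ok ? "accepted" : "rejected");
    }
    return 0;
}
```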
</body>
</html>