Author: randy
Date: 2010-11-26 10:39:17 -0700 (Fri, 26 Nov 2010)
New Revision: 2253
Added:
trunk/xpdf/xpdf-3.02-consolidated_pl5-1.patch
Log:
Created a patch from upstream XPDF consolidating the pl1 though pl5 patches
Added: trunk/xpdf/xpdf-3.02-consolidated_pl5-1.patch
===================================================================
--- trunk/xpdf/xpdf-3.02-consolidated_pl5-1.patch
(rev 0)
+++ trunk/xpdf/xpdf-3.02-consolidated_pl5-1.patch 2010-11-26 17:39:17 UTC
(rev 2253)
@@ -0,0 +1,1814 @@
+Submitted By: Randy McMurchy <randy_at_linuxfromscratch_dot_org>
+Date: 2010-11-26
+Initial Package Version: 3.0.2
+Upstream Status: Originated upstream
+Origin: Upstream
+Description: Fixes security holes. This patch is a consolidated
patch
+ from the pl1 to pl5 patches from upstream.
+
+
+diff -Naur xpdf-3.02-orig/fofi/FoFiType1.cc xpdf-3.02/fofi/FoFiType1.cc
+--- xpdf-3.02-orig/fofi/FoFiType1.cc 2007-02-27 22:05:51.000000000 +0000
++++ xpdf-3.02/fofi/FoFiType1.cc 2010-11-26 17:22:00.000000000 +0000
+@@ -224,7 +224,7 @@
+ code = code * 8 + (*p2 - '0');
+ }
+ }
+- if (code < 256) {
++ if (code >= 0 && code < 256) {
+ for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
+ if (*p == '/') {
+ ++p;
+diff -Naur xpdf-3.02-orig/goo/gmem.cc xpdf-3.02/goo/gmem.cc
+--- xpdf-3.02-orig/goo/gmem.cc 2007-02-27 22:05:51.000000000 +0000
++++ xpdf-3.02/goo/gmem.cc 2010-11-26 17:21:26.000000000 +0000
+@@ -55,7 +55,15 @@
+ void *data;
+ unsigned long *trl, *p;
+
+- if (size <= 0) {
++ if (size < 0) {
++#if USE_EXCEPTIONS
++ throw GMemException();
++#else
++ fprintf(stderr, "Invalid memory allocation size\n");
++ exit(1);
++#endif
++ }
++ if (size == 0) {
+ return NULL;
+ }
+ size1 = gMemDataSize(size);
+@@ -91,7 +99,15 @@
+ #else
+ void *p;
+
+- if (size <= 0) {
++ if (size < 0) {
++#if USE_EXCEPTIONS
++ throw GMemException();
++#else
++ fprintf(stderr, "Invalid memory allocation size\n");
++ exit(1);
++#endif
++ }
++ if (size == 0) {
+ return NULL;
+ }
+ if (!(p = malloc(size))) {
+@@ -112,7 +128,15 @@
+ void *q;
+ int oldSize;
+
+- if (size <= 0) {
++ if (size < 0) {
++#if USE_EXCEPTIONS
++ throw GMemException();
++#else
++ fprintf(stderr, "Invalid memory allocation size\n");
++ exit(1);
++#endif
++ }
++ if (size == 0) {
+ if (p) {
+ gfree(p);
+ }
+@@ -131,7 +155,15 @@
+ #else
+ void *q;
+
+- if (size <= 0) {
++ if (size < 0) {
++#if USE_EXCEPTIONS
++ throw GMemException();
++#else
++ fprintf(stderr, "Invalid memory allocation size\n");
++ exit(1);
++#endif
++ }
++ if (size == 0) {
+ if (p) {
+ free(p);
+ }
+diff -Naur xpdf-3.02-orig/splash/Splash.cc xpdf-3.02/splash/Splash.cc
+--- xpdf-3.02-orig/splash/Splash.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/splash/Splash.cc 2010-11-26 17:21:44.000000000 +0000
+@@ -12,6 +12,7 @@
+
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -1912,7 +1913,10 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
+- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
++ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
+
+ // initialize the pixel pipe
+ pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
+@@ -2208,9 +2212,12 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffers
+- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
++ return splashErrBadArg;
++ }
++ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
+ if (srcAlpha) {
+- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
++ alphaBuf = (Guchar *)gmallocn(yp + 1, w);
+ } else {
+ alphaBuf = NULL;
+ }
+diff -Naur xpdf-3.02-orig/splash/SplashBitmap.cc
xpdf-3.02/splash/SplashBitmap.cc
+--- xpdf-3.02-orig/splash/SplashBitmap.cc 2007-02-27 22:05:52.000000000
+0000
++++ xpdf-3.02/splash/SplashBitmap.cc 2010-11-26 17:21:44.000000000 +0000
+@@ -11,6 +11,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -27,30 +28,48 @@
+ mode = modeA;
+ switch (mode) {
+ case splashModeMono1:
+- rowSize = (width + 7) >> 3;
++ if (width > 0) {
++ rowSize = (width + 7) >> 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeMono8:
+- rowSize = width;
++ if (width > 0) {
++ rowSize = width;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- rowSize = width * 3;
++ if (width > 0 && width <= INT_MAX / 3) {
++ rowSize = width * 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #if SPLASH_CMYK
+ case splashModeCMYK8:
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #endif
+ }
+- rowSize += rowPad - 1;
+- rowSize -= rowSize % rowPad;
+- data = (SplashColorPtr)gmalloc(rowSize * height);
++ if (rowSize > 0) {
++ rowSize += rowPad - 1;
++ rowSize -= rowSize % rowPad;
++ }
++ data = (SplashColorPtr)gmallocn(height, rowSize);
+ if (!topDown) {
+ data += (height - 1) * rowSize;
+ rowSize = -rowSize;
+ }
+ if (alphaA) {
+- alpha = (Guchar *)gmalloc(width * height);
++ alpha = (Guchar *)gmallocn(width, height);
+ } else {
+ alpha = NULL;
+ }
+diff -Naur xpdf-3.02-orig/splash/SplashErrorCodes.h
xpdf-3.02/splash/SplashErrorCodes.h
+--- xpdf-3.02-orig/splash/SplashErrorCodes.h 2007-02-27 22:05:52.000000000
+0000
++++ xpdf-3.02/splash/SplashErrorCodes.h 2010-11-26 17:21:44.000000000
+0000
+@@ -29,4 +29,6 @@
+
+ #define splashErrSingularMatrix 8 // matrix is singular
+
++#define splashErrBadArg 9 // bad argument
++
+ #endif
+diff -Naur xpdf-3.02-orig/xpdf/Gfx.cc xpdf-3.02/xpdf/Gfx.cc
+--- xpdf-3.02-orig/xpdf/Gfx.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/Gfx.cc 2010-11-26 17:22:00.000000000 +0000
+@@ -461,6 +461,7 @@
+ baseMatrix[i] = state->getCTM()[i];
+ }
+ formDepth = 0;
++ parser = NULL;
+ abortCheckCbk = abortCheckCbkA;
+ abortCheckCbkData = abortCheckCbkDataA;
+
+@@ -500,6 +501,7 @@
+ baseMatrix[i] = state->getCTM()[i];
+ }
+ formDepth = 0;
++ parser = NULL;
+ abortCheckCbk = abortCheckCbkA;
+ abortCheckCbkData = abortCheckCbkDataA;
+
+diff -Naur xpdf-3.02-orig/xpdf/JBIG2Stream.cc xpdf-3.02/xpdf/JBIG2Stream.cc
+--- xpdf-3.02-orig/xpdf/JBIG2Stream.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/JBIG2Stream.cc 2010-11-26 17:21:26.000000000 +0000
+@@ -422,12 +422,14 @@
+ table[i] = table[len];
+
+ // assign prefixes
+- i = 0;
+- prefix = 0;
+- table[i++].prefix = prefix++;
+- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+- prefix <<= table[i].prefixLen - table[i-1].prefixLen;
+- table[i].prefix = prefix++;
++ if (table[0].rangeLen != jbig2HuffmanEOT) {
++ i = 0;
++ prefix = 0;
++ table[i++].prefix = prefix++;
++ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
++ prefix <<= table[i].prefixLen - table[i-1].prefixLen;
++ table[i].prefix = prefix++;
++ }
+ }
+ }
+
+@@ -491,7 +493,7 @@
+ }
+ if (p->bits < 0) {
+ error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
+- return 0;
++ return EOF;
+ }
+ bufLen -= p->bits;
+ return p->n;
+@@ -507,7 +509,7 @@
+ ++nBytesRead;
+ }
+ while (1) {
+- if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
++ if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+@@ -550,14 +552,15 @@
+ ++nBytesRead;
+ }
+ while (1) {
+- if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
++ if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
+ if (bufLen <= 13) {
+ code = buf << (13 - bufLen);
+ } else {
+ code = buf >> (bufLen - 13);
+ }
+ p = &blackTab1[code & 0x7f];
+- } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) {
++ } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 &&
++ ((buf >> (bufLen - 6)) & 0x03) != 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+@@ -683,8 +686,9 @@
+ h = hA;
+ line = (wA + 7) >> 3;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+- data = NULL;
+- return;
++ // force a call to gmalloc(-1), which will throw an exception
++ h = -1;
++ line = 2;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+@@ -698,8 +702,9 @@
+ h = bitmap->h;
+ line = bitmap->line;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+- data = NULL;
+- return;
++ // force a call to gmalloc(-1), which will throw an exception
++ h = -1;
++ line = 2;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+@@ -754,6 +759,8 @@
+ inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
+ if (y < 0 || y >= h || x >= w) {
+ ptr->p = NULL;
++ ptr->shift = 0; // make gcc happy
++ ptr->x = 0; // make gcc happy
+ } else if (x < 0) {
+ ptr->p = &data[y * line];
+ ptr->shift = 7;
+@@ -798,6 +805,10 @@
+ Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
+ GBool oneByte;
+
++ // check for the pathological case where y = -2^31
++ if (y < -0x7fffffff) {
++ return;
++ }
+ if (y < 0) {
+ y0 = -y;
+ } else {
+@@ -1011,8 +1022,13 @@
+ JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA):
+ JBIG2Segment(segNumA)
+ {
++ Guint i;
++
+ size = sizeA;
+ bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *));
++ for (i = 0; i < size; ++i) {
++ bitmaps[i] = NULL;
++ }
+ genericRegionStats = NULL;
+ refinementRegionStats = NULL;
+ }
+@@ -1021,7 +1037,9 @@
+ Guint i;
+
+ for (i = 0; i < size; ++i) {
+- delete bitmaps[i];
++ if (bitmaps[i]) {
++ delete bitmaps[i];
++ }
+ }
+ gfree(bitmaps);
+ if (genericRegionStats) {
+@@ -1296,6 +1314,13 @@
+ goto eofError2;
+ }
+
++ // check for missing page information segment
++ if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
++ (segType >= 20 && segType <= 43))) {
++ error(getPos(), "First JBIG2 segment associated with a page must be a
page information segment");
++ goto syntaxError;
++ }
++
+ // read the segment data
+ switch (segType) {
+ case 0:
+@@ -1411,6 +1436,8 @@
+ Guint i, j, k;
+ Guchar *p;
+
++ symWidths = NULL;
++
+ // symbol dictionary flags
+ if (!readUWord(&flags)) {
+ goto eofError;
+@@ -1466,20 +1493,32 @@
+ codeTables = new GList();
+ numInputSyms = 0;
+ for (i = 0; i < nRefSegs; ++i) {
+- seg = findSegment(refSegs[i]);
+- if (seg->getType() == jbig2SegSymbolDict) {
+- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
+- } else if (seg->getType() == jbig2SegCodeTable) {
+- codeTables->append(seg);
++ if ((seg = findSegment(refSegs[i]))) {
++ if (seg->getType() == jbig2SegSymbolDict) {
++ j = ((JBIG2SymbolDict *)seg)->getSize();
++ if (numInputSyms > UINT_MAX - j) {
++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
++ delete codeTables;
++ goto eofError;
++ }
++ numInputSyms += j;
++ } else if (seg->getType() == jbig2SegCodeTable) {
++ codeTables->append(seg);
++ }
+ }
+ }
++ if (numInputSyms > UINT_MAX - numNewSyms) {
++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
++ delete codeTables;
++ goto eofError;
++ }
+
+ // compute symbol code length
+- symCodeLen = 0;
+- i = 1;
+- while (i < numInputSyms + numNewSyms) {
++ symCodeLen = 1;
++ i = (numInputSyms + numNewSyms) >> 1;
++ while (i) {
+ ++symCodeLen;
+- i <<= 1;
++ i >>= 1;
+ }
+
+ // get the input symbol bitmaps
+@@ -1491,11 +1530,12 @@
+ k = 0;
+ inputSymbolDict = NULL;
+ for (i = 0; i < nRefSegs; ++i) {
+- seg = findSegment(refSegs[i]);
+- if (seg->getType() == jbig2SegSymbolDict) {
+- inputSymbolDict = (JBIG2SymbolDict *)seg;
+- for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+- bitmaps[k++] = inputSymbolDict->getBitmap(j);
++ if ((seg = findSegment(refSegs[i]))) {
++ if (seg->getType() == jbig2SegSymbolDict) {
++ inputSymbolDict = (JBIG2SymbolDict *)seg;
++ for (j = 0; j < inputSymbolDict->getSize(); ++j) {
++ bitmaps[k++] = inputSymbolDict->getBitmap(j);
++ }
+ }
+ }
+ }
+@@ -1510,6 +1550,9 @@
+ } else if (huffDH == 1) {
+ huffDHTable = huffTableE;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffDW == 0) {
+@@ -1517,17 +1560,26 @@
+ } else if (huffDW == 1) {
+ huffDWTable = huffTableC;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffBMSize == 0) {
+ huffBMSizeTable = huffTableA;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffBMSizeTable =
+ ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffAggInst == 0) {
+ huffAggInstTable = huffTableA;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffAggInstTable =
+ ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+@@ -1560,7 +1612,6 @@
+ }
+
+ // allocate symbol widths storage
+- symWidths = NULL;
+ if (huff && !refAgg) {
+ symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
+ }
+@@ -1602,6 +1653,10 @@
+ goto syntaxError;
+ }
+ symWidth += dw;
++ if (i >= numNewSyms) {
++ error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
++ goto syntaxError;
++ }
+
+ // using a collective bitmap, so don't read a bitmap here
+ if (huff && !refAgg) {
+@@ -1638,6 +1693,10 @@
+ arithDecoder->decodeInt(&refDX, iardxStats);
+ arithDecoder->decodeInt(&refDY, iardyStats);
+ }
++ if (symID >= numInputSyms + i) {
++ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
++ goto syntaxError;
++ }
+ refBitmap = bitmaps[symID];
+ bitmaps[numInputSyms + i] =
+ readGenericRefinementRegion(symWidth, symHeight,
+@@ -1704,6 +1763,12 @@
+ } else {
+ arithDecoder->decodeInt(&run, iaexStats);
+ }
++ if (i + run > numInputSyms + numNewSyms ||
++ (ex && j + run > numExSyms)) {
++ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
++ delete symbolDict;
++ goto syntaxError;
++ }
+ if (ex) {
+ for (cnt = 0; cnt < run; ++cnt) {
+ symbolDict->setBitmap(j++, bitmaps[i++]->copy());
+@@ -1713,6 +1778,11 @@
+ }
+ ex = !ex;
+ }
++ if (j != numExSyms) {
++ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
++ delete symbolDict;
++ goto syntaxError;
++ }
+
+ for (i = 0; i < numNewSyms; ++i) {
+ delete bitmaps[numInputSyms + i];
+@@ -1735,6 +1805,10 @@
+
+ return gTrue;
+
++ codeTableError:
++ error(getPos(), "Missing code table in JBIG2 symbol dictionary");
++ delete codeTables;
++
+ syntaxError:
+ for (i = 0; i < numNewSyms; ++i) {
+ if (bitmaps[numInputSyms + i]) {
+@@ -1837,6 +1911,8 @@
+ }
+ } else {
+ error(getPos(), "Invalid segment reference in JBIG2 text region");
++ delete codeTables;
++ return;
+ }
+ }
+ symCodeLen = 0;
+@@ -1871,6 +1947,9 @@
+ } else if (huffFS == 1) {
+ huffFSTable = huffTableG;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffDS == 0) {
+@@ -1880,6 +1959,9 @@
+ } else if (huffDS == 2) {
+ huffDSTable = huffTableJ;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffDT == 0) {
+@@ -1889,6 +1971,9 @@
+ } else if (huffDT == 2) {
+ huffDTTable = huffTableM;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffRDW == 0) {
+@@ -1896,6 +1981,9 @@
+ } else if (huffRDW == 1) {
+ huffRDWTable = huffTableO;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffRDH == 0) {
+@@ -1903,6 +1991,9 @@
+ } else if (huffRDH == 1) {
+ huffRDHTable = huffTableO;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffRDX == 0) {
+@@ -1910,6 +2001,9 @@
+ } else if (huffRDX == 1) {
+ huffRDXTable = huffTableO;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffRDY == 0) {
+@@ -1917,11 +2011,17 @@
+ } else if (huffRDY == 1) {
+ huffRDYTable = huffTableO;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffRSize == 0) {
+ huffRSizeTable = huffTableA;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffRSizeTable =
+ ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+@@ -2016,8 +2116,15 @@
+
+ return;
+
++ codeTableError:
++ error(getPos(), "Missing code table in JBIG2 text region");
++ gfree(codeTables);
++ delete syms;
++ return;
++
+ eofError:
+ error(getPos(), "Unexpected EOF in JBIG2 stream");
++ return;
+ }
+
+ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
+@@ -2324,8 +2431,8 @@
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone
segment");
+ return;
+ }
+- seg = findSegment(refSegs[0]);
+- if (seg->getType() != jbig2SegPatternDict) {
++ if (!(seg = findSegment(refSegs[0])) ||
++ seg->getType() != jbig2SegPatternDict) {
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone
segment");
+ return;
+ }
+@@ -2483,7 +2590,7 @@
+
+ // read the bitmap
+ bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
+- NULL, atx, aty, mmr ? 0 : length - 18);
++ NULL, atx, aty, mmr ? length - 18 : 0);
+
+ // combine the region bitmap into the page bitmap
+ if (imm) {
+@@ -2505,6 +2612,43 @@
+ error(getPos(), "Unexpected EOF in JBIG2 stream");
+ }
+
++inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels,
++ int *codingLine, int *a0i, int w) {
++ if (a1 > codingLine[*a0i]) {
++ if (a1 > w) {
++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
++ a1 = w;
++ }
++ if ((*a0i & 1) ^ blackPixels) {
++ ++*a0i;
++ }
++ codingLine[*a0i] = a1;
++ }
++}
++
++inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels,
++ int *codingLine, int *a0i, int w) {
++ if (a1 > codingLine[*a0i]) {
++ if (a1 > w) {
++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
++ a1 = w;
++ }
++ if ((*a0i & 1) ^ blackPixels) {
++ ++*a0i;
++ }
++ codingLine[*a0i] = a1;
++ } else if (a1 < codingLine[*a0i]) {
++ if (a1 < 0) {
++ error(getPos(), "Invalid JBIG2 MMR code");
++ a1 = 0;
++ }
++ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) {
++ --*a0i;
++ }
++ codingLine[*a0i] = a1;
++ }
++}
++
+ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
+ int templ, GBool tpgdOn,
+ GBool useSkip, JBIG2Bitmap *skip,
+@@ -2517,7 +2661,7 @@
+ JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3;
+ int *refLine, *codingLine;
+ int code1, code2, code3;
+- int x, y, a0, pix, i, refI, codingI;
++ int x, y, a0i, b1i, blackPixels, pix, i;
+
+ bitmap = new JBIG2Bitmap(0, w, h);
+ bitmap->clearToZero();
+@@ -2527,9 +2671,18 @@
+ if (mmr) {
+
+ mmrDecoder->reset();
++ if (w > INT_MAX - 2) {
++ error(getPos(), "Bad width in JBIG2 generic bitmap");
++ // force a call to gmalloc(-1), which will throw an exception
++ w = -3;
++ }
++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w
++ // ---> max codingLine size = w + 1
++ // refLine has one extra guard entry at the end
++ // ---> max refLine size = w + 2
++ codingLine = (int *)gmallocn(w + 1, sizeof(int));
+ refLine = (int *)gmallocn(w + 2, sizeof(int));
+- codingLine = (int *)gmallocn(w + 2, sizeof(int));
+- codingLine[0] = codingLine[1] = w;
++ codingLine[0] = w;
+
+ for (y = 0; y < h; ++y) {
+
+@@ -2537,128 +2690,157 @@
+ for (i = 0; codingLine[i] < w; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i] = refLine[i + 1] = w;
++ refLine[i++] = w;
++ refLine[i] = w;
+
+ // decode a line
+- refI = 0; // b1 = refLine[refI]
+- codingI = 0; // a1 = codingLine[codingI]
+- a0 = 0;
+- do {
++ codingLine[0] = 0;
++ a0i = 0;
++ b1i = 0;
++ blackPixels = 0;
++ // invariant:
++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <=
w
++ // exception at left edge:
++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
++ // exception at right edge:
++ // refLine[b1i] = refLine[b1i+1] = w is possible
++ while (codingLine[a0i] < w) {
+ code1 = mmrDecoder->get2DCode();
+ switch (code1) {
+ case twoDimPass:
+- if (refLine[refI] < w) {
+- a0 = refLine[refI + 1];
+- refI += 2;
+- }
+- break;
++ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w);
++ if (refLine[b1i + 1] < w) {
++ b1i += 2;
++ }
++ break;
+ case twoDimHoriz:
+- if (codingI & 1) {
+- code1 = 0;
+- do {
+- code1 += code3 = mmrDecoder->getBlackCode();
+- } while (code3 >= 64);
+- code2 = 0;
+- do {
+- code2 += code3 = mmrDecoder->getWhiteCode();
+- } while (code3 >= 64);
+- } else {
+- code1 = 0;
+- do {
+- code1 += code3 = mmrDecoder->getWhiteCode();
+- } while (code3 >= 64);
+- code2 = 0;
+- do {
+- code2 += code3 = mmrDecoder->getBlackCode();
+- } while (code3 >= 64);
+- }
+- if (code1 > 0 || code2 > 0) {
+- a0 = codingLine[codingI++] = a0 + code1;
+- a0 = codingLine[codingI++] = a0 + code2;
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- }
+- break;
+- case twoDimVert0:
+- a0 = codingLine[codingI++] = refLine[refI];
+- if (refLine[refI] < w) {
+- ++refI;
+- }
+- break;
+- case twoDimVertR1:
+- a0 = codingLine[codingI++] = refLine[refI] + 1;
+- if (refLine[refI] < w) {
+- ++refI;
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- }
+- break;
+- case twoDimVertR2:
+- a0 = codingLine[codingI++] = refLine[refI] + 2;
+- if (refLine[refI] < w) {
+- ++refI;
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- }
+- break;
++ code1 = code2 = 0;
++ if (blackPixels) {
++ do {
++ code1 += code3 = mmrDecoder->getBlackCode();
++ } while (code3 >= 64);
++ do {
++ code2 += code3 = mmrDecoder->getWhiteCode();
++ } while (code3 >= 64);
++ } else {
++ do {
++ code1 += code3 = mmrDecoder->getWhiteCode();
++ } while (code3 >= 64);
++ do {
++ code2 += code3 = mmrDecoder->getBlackCode();
++ } while (code3 >= 64);
++ }
++ mmrAddPixels(codingLine[a0i] + code1, blackPixels,
++ codingLine, &a0i, w);
++ if (codingLine[a0i] < w) {
++ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1,
++ codingLine, &a0i, w);
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ break;
+ case twoDimVertR3:
+- a0 = codingLine[codingI++] = refLine[refI] + 3;
+- if (refLine[refI] < w) {
+- ++refI;
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- }
+- break;
+- case twoDimVertL1:
+- a0 = codingLine[codingI++] = refLine[refI] - 1;
+- if (refI > 0) {
+- --refI;
+- } else {
+- ++refI;
+- }
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- break;
+- case twoDimVertL2:
+- a0 = codingLine[codingI++] = refLine[refI] - 2;
+- if (refI > 0) {
+- --refI;
+- } else {
+- ++refI;
+- }
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- break;
++ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case twoDimVertR2:
++ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case twoDimVertR1:
++ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case twoDimVert0:
++ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
+ case twoDimVertL3:
+- a0 = codingLine[codingI++] = refLine[refI] - 3;
+- if (refI > 0) {
+- --refI;
+- } else {
+- ++refI;
+- }
+- while (refLine[refI] <= a0 && refLine[refI] < w) {
+- refI += 2;
+- }
+- break;
++ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case twoDimVertL2:
++ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case twoDimVertL1:
++ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < w) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
++ b1i += 2;
++ }
++ }
++ break;
++ case EOF:
++ mmrAddPixels(w, 0, codingLine, &a0i, w);
++ break;
+ default:
+ error(getPos(), "Illegal code in JBIG2 MMR bitmap data");
++ mmrAddPixels(w, 0, codingLine, &a0i, w);
+ break;
+ }
+- } while (a0 < w);
+- codingLine[codingI++] = w;
++ }
+
+ // convert the run lengths to a bitmap line
+ i = 0;
+- while (codingLine[i] < w) {
++ while (1) {
+ for (x = codingLine[i]; x < codingLine[i+1]; ++x) {
+ bitmap->setPixel(x, y);
+ }
++ if (codingLine[i+1] >= w || codingLine[i+2] >= w) {
++ break;
++ }
+ i += 2;
+ }
+ }
+@@ -2706,7 +2888,9 @@
+ ltp = !ltp;
+ }
+ if (ltp) {
+- bitmap->duplicateRow(y, y-1);
++ if (y > 0) {
++ bitmap->duplicateRow(y, y-1);
++ }
+ continue;
+ }
+ }
+@@ -2909,8 +3093,8 @@
+ return;
+ }
+ if (nRefSegs == 1) {
+- seg = findSegment(refSegs[0]);
+- if (seg->getType() != jbig2SegBitmap) {
++ if (!(seg = findSegment(refSegs[0])) ||
++ seg->getType() != jbig2SegBitmap) {
+ error(getPos(), "Bad bitmap reference in JBIG2 generic refinement
segment");
+ return;
+ }
+@@ -3004,6 +3188,10 @@
+ tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
+ tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
++ } else {
++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
+ }
+
+ for (x = 0; x < w; ++x) {
+@@ -3075,6 +3263,10 @@
+ tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
+ tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
++ } else {
++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
+ }
+
+ for (x = 0; x < w; ++x) {
+diff -Naur xpdf-3.02-orig/xpdf/JBIG2Stream.h xpdf-3.02/xpdf/JBIG2Stream.h
+--- xpdf-3.02-orig/xpdf/JBIG2Stream.h 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/JBIG2Stream.h 2010-11-26 17:21:26.000000000 +0000
+@@ -78,6 +78,10 @@
+ Guint *refSegs, Guint nRefSegs);
+ void readGenericRegionSeg(Guint segNum, GBool imm,
+ GBool lossless, Guint length);
++ void mmrAddPixels(int a1, int blackPixels,
++ int *codingLine, int *a0i, int w);
++ void mmrAddPixelsNeg(int a1, int blackPixels,
++ int *codingLine, int *a0i, int w);
+ JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h,
+ int templ, GBool tpgdOn,
+ GBool useSkip, JBIG2Bitmap *skip,
+diff -Naur xpdf-3.02-orig/xpdf/PSOutputDev.cc xpdf-3.02/xpdf/PSOutputDev.cc
+--- xpdf-3.02-orig/xpdf/PSOutputDev.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/PSOutputDev.cc 2010-11-26 17:21:44.000000000 +0000
+@@ -4301,7 +4301,7 @@
+ width, -height, height);
+
+ // allocate a line buffer
+- lineBuf = (Guchar *)gmalloc(4 * width);
++ lineBuf = (Guchar *)gmallocn(width, 4);
+
+ // set up to process the data stream
+ imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
+diff -Naur xpdf-3.02-orig/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc
+--- xpdf-3.02-orig/xpdf/Stream.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/Stream.cc 2010-11-26 17:21:44.000000000 +0000
+@@ -323,6 +323,10 @@
+ } else {
+ imgLineSize = nVals;
+ }
++ if (width > INT_MAX / nComps) {
++ // force a call to gmallocn(-1,...), which will throw an exception
++ imgLineSize = -1;
++ }
+ imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
+@@ -410,15 +414,13 @@
+ ok = gFalse;
+
+ nVals = width * nComps;
+- if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+- nComps >= INT_MAX / nBits ||
+- width >= INT_MAX / nComps / nBits ||
+- nVals * nBits + 7 < 0) {
+- return;
+- }
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+- if (rowBytes <= 0) {
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps > gfxColorMaxComps ||
++ nBits > 16 ||
++ width >= INT_MAX / nComps || // check for overflow in nVals
++ nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+ return;
+ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+@@ -1245,23 +1247,26 @@
+ columns = columnsA;
+ if (columns < 1) {
+ columns = 1;
+- }
+- if (columns + 4 <= 0) {
+- columns = INT_MAX - 4;
++ } else if (columns > INT_MAX - 2) {
++ columns = INT_MAX - 2;
+ }
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+- refLine = (short *)gmallocn(columns + 3, sizeof(short));
+- codingLine = (short *)gmallocn(columns + 2, sizeof(short));
++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
++ // ---> max codingLine size = columns + 1
++ // refLine has one extra guard entry at the end
++ // ---> max refLine size = columns + 2
++ codingLine = (int *)gmallocn(columns + 1, sizeof(int));
++ refLine = (int *)gmallocn(columns + 2, sizeof(int));
+
+ eof = gFalse;
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+- codingLine[0] = 0;
+- codingLine[1] = refLine[2] = columns;
+- a0 = 1;
++ codingLine[0] = columns;
++ a0i = 0;
++ outputBits = 0;
+
+ buf = EOF;
+ }
+@@ -1280,9 +1285,9 @@
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+- codingLine[0] = 0;
+- codingLine[1] = columns;
+- a0 = 1;
++ codingLine[0] = columns;
++ a0i = 0;
++ outputBits = 0;
+ buf = EOF;
+
+ // skip any initial zero bits and end-of-line marker, and get the 2D
+@@ -1299,211 +1304,230 @@
+ }
+ }
+
++inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
++ if (a1 > codingLine[a0i]) {
++ if (a1 > columns) {
++ error(getPos(), "CCITTFax row is wrong length (%d)", a1);
++ err = gTrue;
++ a1 = columns;
++ }
++ if ((a0i & 1) ^ blackPixels) {
++ ++a0i;
++ }
++ codingLine[a0i] = a1;
++ }
++}
++
++inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
++ if (a1 > codingLine[a0i]) {
++ if (a1 > columns) {
++ error(getPos(), "CCITTFax row is wrong length (%d)", a1);
++ err = gTrue;
++ a1 = columns;
++ }
++ if ((a0i & 1) ^ blackPixels) {
++ ++a0i;
++ }
++ codingLine[a0i] = a1;
++ } else if (a1 < codingLine[a0i]) {
++ if (a1 < 0) {
++ error(getPos(), "Invalid CCITTFax code");
++ err = gTrue;
++ a1 = 0;
++ }
++ while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
++ --a0i;
++ }
++ codingLine[a0i] = a1;
++ }
++}
++
+ int CCITTFaxStream::lookChar() {
+ short code1, code2, code3;
+- int a0New;
+- GBool err, gotEOL;
+- int ret;
+- int bits, i;
++ int b1i, blackPixels, i, bits;
++ GBool gotEOL;
+
+- // if at eof just return EOF
+- if (eof && codingLine[a0] >= columns) {
+- return EOF;
++ if (buf != EOF) {
++ return buf;
+ }
+
+ // read the next row
+- err = gFalse;
+- if (codingLine[a0] >= columns) {
++ if (outputBits == 0) {
++
++ // if at eof just return EOF
++ if (eof) {
++ return EOF;
++ }
++
++ err = gFalse;
+
+ // 2-D encoding
+ if (nextLine2D) {
+- // state:
+- // a0New = current position in coding line (0 <= a0New <= columns)
+- // codingLine[a0] = last change in coding line
+- // (black-to-white if a0 is even,
+- // white-to-black if a0 is odd)
+- // refLine[b1] = next change in reference line of opposite color
+- // to a0
+- // invariants:
+- // 0 <= codingLine[a0] <= a0New
+- // <= refLine[b1] <= refLine[b1+1] <= columns
+- // 0 <= a0 <= columns+1
+- // refLine[0] = 0
+- // refLine[n] = refLine[n+1] = columns
+- // -- for some 1 <= n <= columns+1
+- // end condition:
+- // 0 = codingLine[0] <= codingLine[1] < codingLine[2] < ...
+- // < codingLine[n-1] < codingLine[n] = columns
+- // -- where 1 <= n <= columns+1
+ for (i = 0; codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i] = refLine[i + 1] = columns;
+- b1 = 1;
+- a0New = codingLine[a0 = 0] = 0;
+- do {
++ refLine[i++] = columns;
++ refLine[i] = columns;
++ codingLine[0] = 0;
++ a0i = 0;
++ b1i = 0;
++ blackPixels = 0;
++ // invariant:
++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
++ // <=
columns
++ // exception at left edge:
++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
++ // exception at right edge:
++ // refLine[b1i] = refLine[b1i+1] = columns is possible
++ while (codingLine[a0i] < columns) {
+ code1 = getTwoDimCode();
+ switch (code1) {
+ case twoDimPass:
+- if (refLine[b1] < columns) {
+- a0New = refLine[b1 + 1];
+- b1 += 2;
++ addPixels(refLine[b1i + 1], blackPixels);
++ if (refLine[b1i + 1] < columns) {
++ b1i += 2;
+ }
+ break;
+ case twoDimHoriz:
+- if ((a0 & 1) == 0) {
+- code1 = code2 = 0;
++ code1 = code2 = 0;
++ if (blackPixels) {
+ do {
+- code1 += code3 = getWhiteCode();
++ code1 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ do {
+- code2 += code3 = getBlackCode();
++ code2 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ } else {
+- code1 = code2 = 0;
+ do {
+- code1 += code3 = getBlackCode();
++ code1 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ do {
+- code2 += code3 = getWhiteCode();
++ code2 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ }
+- if (code1 > 0 || code2 > 0) {
+- if (a0New + code1 <= columns) {
+- codingLine[a0 + 1] = a0New + code1;
+- } else {
+- codingLine[a0 + 1] = columns;
+- }
+- ++a0;
+- if (codingLine[a0] + code2 <= columns) {
+- codingLine[a0 + 1] = codingLine[a0] + code2;
+- } else {
+- codingLine[a0 + 1] = columns;
+- }
+- ++a0;
+- a0New = codingLine[a0];
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ addPixels(codingLine[a0i] + code1, blackPixels);
++ if (codingLine[a0i] < columns) {
++ addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
++ break;
++ case twoDimVertR3:
++ addPixels(refLine[b1i] + 3, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+ }
+ break;
+- case twoDimVert0:
+- if (refLine[b1] < columns) {
+- a0New = codingLine[++a0] = refLine[b1];
+- ++b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ case twoDimVertR2:
++ addPixels(refLine[b1i] + 2, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+- } else {
+- a0New = codingLine[++a0] = columns;
+ }
+ break;
+ case twoDimVertR1:
+- if (refLine[b1] + 1 < columns) {
+- a0New = codingLine[++a0] = refLine[b1] + 1;
+- ++b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ addPixels(refLine[b1i] + 1, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+- } else {
+- a0New = codingLine[++a0] = columns;
+ }
+ break;
+- case twoDimVertL1:
+- if (refLine[b1] - 1 > a0New || (a0 == 0 && refLine[b1] == 1)) {
+- a0New = codingLine[++a0] = refLine[b1] - 1;
+- --b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ case twoDimVert0:
++ addPixels(refLine[b1i], blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+ }
+ break;
+- case twoDimVertR2:
+- if (refLine[b1] + 2 < columns) {
+- a0New = codingLine[++a0] = refLine[b1] + 2;
+- ++b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ case twoDimVertL3:
++ addPixelsNeg(refLine[b1i] - 3, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+- } else {
+- a0New = codingLine[++a0] = columns;
+ }
+ break;
+ case twoDimVertL2:
+- if (refLine[b1] - 2 > a0New || (a0 == 0 && refLine[b1] == 2)) {
+- a0New = codingLine[++a0] = refLine[b1] - 2;
+- --b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ addPixelsNeg(refLine[b1i] - 2, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
+ }
+- }
+- break;
+- case twoDimVertR3:
+- if (refLine[b1] + 3 < columns) {
+- a0New = codingLine[++a0] = refLine[b1] + 3;
+- ++b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+- } else {
+- a0New = codingLine[++a0] = columns;
+ }
+ break;
+- case twoDimVertL3:
+- if (refLine[b1] - 3 > a0New || (a0 == 0 && refLine[b1] == 3)) {
+- a0New = codingLine[++a0] = refLine[b1] - 3;
+- --b1;
+- while (refLine[b1] <= a0New && refLine[b1] < columns) {
+- b1 += 2;
++ case twoDimVertL1:
++ addPixelsNeg(refLine[b1i] - 1, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+ }
+ break;
+ case EOF:
++ addPixels(columns, 0);
+ eof = gTrue;
+- codingLine[a0 = 0] = columns;
+- return EOF;
++ break;
+ default:
+ error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
++ addPixels(columns, 0);
+ err = gTrue;
+ break;
+ }
+- } while (codingLine[a0] < columns);
++ }
+
+ // 1-D encoding
+ } else {
+- codingLine[a0 = 0] = 0;
+- while (1) {
++ codingLine[0] = 0;
++ a0i = 0;
++ blackPixels = 0;
++ while (codingLine[a0i] < columns) {
+ code1 = 0;
+- do {
+- code1 += code3 = getWhiteCode();
+- } while (code3 >= 64);
+- codingLine[a0+1] = codingLine[a0] + code1;
+- ++a0;
+- if (codingLine[a0] >= columns) {
+- break;
+- }
+- code2 = 0;
+- do {
+- code2 += code3 = getBlackCode();
+- } while (code3 >= 64);
+- codingLine[a0+1] = codingLine[a0] + code2;
+- ++a0;
+- if (codingLine[a0] >= columns) {
+- break;
++ if (blackPixels) {
++ do {
++ code1 += code3 = getBlackCode();
++ } while (code3 >= 64);
++ } else {
++ do {
++ code1 += code3 = getWhiteCode();
++ } while (code3 >= 64);
+ }
++ addPixels(codingLine[a0i] + code1, blackPixels);
++ blackPixels ^= 1;
+ }
+ }
+
+- if (codingLine[a0] != columns) {
+- error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]);
+- // force the row to be the correct length
+- while (codingLine[a0] > columns) {
+- --a0;
+- }
+- codingLine[++a0] = columns;
+- err = gTrue;
+- }
+-
+ // byte-align the row
+ if (byteAlign) {
+ inputBits &= ~7;
+@@ -1562,14 +1586,17 @@
+ // this if we know the stream contains end-of-line markers because
+ // the "just plow on" technique tends to work better otherwise
+ } else if (err && endOfLine) {
+- do {
++ while (1) {
++ code1 = lookBits(13);
+ if (code1 == EOF) {
+ eof = gTrue;
+ return EOF;
+ }
++ if ((code1 >> 1) == 0x001) {
++ break;
++ }
+ eatBits(1);
+- code1 = lookBits(13);
+- } while ((code1 >> 1) != 0x001);
++ }
+ eatBits(12);
+ if (encoding > 0) {
+ eatBits(1);
+@@ -1577,11 +1604,11 @@
+ }
+ }
+
+- a0 = 0;
+- outputBits = codingLine[1] - codingLine[0];
+- if (outputBits == 0) {
+- a0 = 1;
+- outputBits = codingLine[2] - codingLine[1];
++ // set up for output
++ if (codingLine[0] > 0) {
++ outputBits = codingLine[a0i = 0];
++ } else {
++ outputBits = codingLine[a0i = 1];
+ }
+
+ ++row;
+@@ -1589,39 +1616,43 @@
+
+ // get a byte
+ if (outputBits >= 8) {
+- ret = ((a0 & 1) == 0) ? 0xff : 0x00;
+- if ((outputBits -= 8) == 0) {
+- ++a0;
+- if (codingLine[a0] < columns) {
+- outputBits = codingLine[a0 + 1] - codingLine[a0];
+- }
++ buf = (a0i & 1) ? 0x00 : 0xff;
++ outputBits -= 8;
++ if (outputBits == 0 && codingLine[a0i] < columns) {
++ ++a0i;
++ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ }
+ } else {
+ bits = 8;
+- ret = 0;
++ buf = 0;
+ do {
+ if (outputBits > bits) {
+- i = bits;
+- bits = 0;
+- if ((a0 & 1) == 0) {
+- ret |= 0xff >> (8 - i);
++ buf <<= bits;
++ if (!(a0i & 1)) {
++ buf |= 0xff >> (8 - bits);
+ }
+- outputBits -= i;
++ outputBits -= bits;
++ bits = 0;
+ } else {
+- i = outputBits;
+- bits -= outputBits;
+- if ((a0 & 1) == 0) {
+- ret |= (0xff >> (8 - i)) << bits;
++ buf <<= outputBits;
++ if (!(a0i & 1)) {
++ buf |= 0xff >> (8 - outputBits);
+ }
++ bits -= outputBits;
+ outputBits = 0;
+- ++a0;
+- if (codingLine[a0] < columns) {
+- outputBits = codingLine[a0 + 1] - codingLine[a0];
++ if (codingLine[a0i] < columns) {
++ ++a0i;
++ outputBits = codingLine[a0i] - codingLine[a0i - 1];
++ } else if (bits > 0) {
++ buf <<= bits;
++ bits = 0;
+ }
+ }
+- } while (bits > 0 && codingLine[a0] < columns);
++ } while (bits);
++ }
++ if (black) {
++ buf ^= 0xff;
+ }
+- buf = black ? (ret ^ 0xff) : ret;
+ return buf;
+ }
+
+@@ -1663,6 +1694,9 @@
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(12);
++ if (code == EOF) {
++ return 1;
++ }
+ if ((code >> 5) == 0) {
+ p = &whiteTab1[code];
+ } else {
+@@ -1675,6 +1709,9 @@
+ } else {
+ for (n = 1; n <= 9; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 9) {
+ code <<= 9 - n;
+ }
+@@ -1686,6 +1723,9 @@
+ }
+ for (n = 11; n <= 12; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+@@ -1711,9 +1751,12 @@
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(13);
++ if (code == EOF) {
++ return 1;
++ }
+ if ((code >> 7) == 0) {
+ p = &blackTab1[code];
+- } else if ((code >> 9) == 0) {
++ } else if ((code >> 9) == 0 && (code >> 7) != 0) {
+ p = &blackTab2[(code >> 1) - 64];
+ } else {
+ p = &blackTab3[code >> 7];
+@@ -1725,6 +1768,9 @@
+ } else {
+ for (n = 2; n <= 6; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 6) {
+ code <<= 6 - n;
+ }
+@@ -1736,6 +1782,9 @@
+ }
+ for (n = 7; n <= 12; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+@@ -1749,6 +1798,9 @@
+ }
+ for (n = 10; n <= 13; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 13) {
+ code <<= 13 - n;
+ }
+@@ -1963,6 +2015,12 @@
+ // allocate a buffer for the whole image
+ bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
+ bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
++ if (bufWidth <= 0 || bufHeight <= 0 ||
++ bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
++ error(getPos(), "Invalid image size in DCT stream");
++ y = height;
++ return;
++ }
+ for (i = 0; i < numComps; ++i) {
+ frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
+ memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));
+@@ -3038,6 +3096,11 @@
+ }
+ scanInfo.firstCoeff = str->getChar();
+ scanInfo.lastCoeff = str->getChar();
++ if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
++ scanInfo.firstCoeff > scanInfo.lastCoeff) {
++ error(getPos(), "Bad DCT coefficient numbers in scan info block");
++ return gFalse;
++ }
+ c = str->getChar();
+ scanInfo.ah = (c >> 4) & 0x0f;
+ scanInfo.al = c & 0x0f;
+diff -Naur xpdf-3.02-orig/xpdf/Stream.h xpdf-3.02/xpdf/Stream.h
+--- xpdf-3.02-orig/xpdf/Stream.h 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/Stream.h 2010-11-26 17:21:04.000000000 +0000
+@@ -528,13 +528,15 @@
+ int row; // current row
+ int inputBuf; // input buffer
+ int inputBits; // number of bits in input buffer
+- short *refLine; // reference line changing elements
+- int b1; // index into refLine
+- short *codingLine; // coding line changing elements
+- int a0; // index into codingLine
++ int *codingLine; // coding line changing elements
++ int *refLine; // reference line changing elements
++ int a0i; // index into codingLine
++ GBool err; // error on current line
+ int outputBits; // remaining ouput bits
+ int buf; // character buffer
+
++ void addPixels(int a1, int black);
++ void addPixelsNeg(int a1, int black);
+ short getTwoDimCode();
+ short getWhiteCode();
+ short getBlackCode();
+diff -Naur xpdf-3.02-orig/xpdf/XRef.cc xpdf-3.02/xpdf/XRef.cc
+--- xpdf-3.02-orig/xpdf/XRef.cc 2007-02-27 22:05:52.000000000 +0000
++++ xpdf-3.02/xpdf/XRef.cc 2010-11-26 17:21:44.000000000 +0000
+@@ -52,6 +52,8 @@
+ // generation 0.
+ ObjectStream(XRef *xref, int objStrNumA);
+
++ GBool isOk() { return ok; }
++
+ ~ObjectStream();
+
+ // Return the object number of this object stream.
+@@ -67,6 +69,7 @@
+ int nObjects; // number of objects in the stream
+ Object *objs; // the objects (length = nObjects)
+ int *objNums; // the object numbers (length =
nObjects)
++ GBool ok;
+ };
+
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -80,6 +83,7 @@
+ nObjects = 0;
+ objs = NULL;
+ objNums = NULL;
++ ok = gFalse;
+
+ if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+ goto err1;
+@@ -105,6 +109,13 @@
+ goto err1;
+ }
+
++ // this is an arbitrary limit to avoid integer overflow problems
++ // in the 'new Object[nObjects]' call (Acrobat apparently limits
++ // object streams to 100-200 objects)
++ if (nObjects > 1000000) {
++ error(-1, "Too many objects in an object stream");
++ goto err1;
++ }
+ objs = new Object[nObjects];
+ objNums = (int *)gmallocn(nObjects, sizeof(int));
+ offsets = (int *)gmallocn(nObjects, sizeof(int));
+@@ -161,10 +172,10 @@
+ }
+
+ gfree(offsets);
++ ok = gTrue;
+
+ err1:
+ objStr.free();
+- return;
+ }
+
+ ObjectStream::~ObjectStream() {
+@@ -837,6 +848,11 @@
+ delete objStr;
+ }
+ objStr = new ObjectStream(this, e->offset);
++ if (!objStr->isOk()) {
++ delete objStr;
++ objStr = NULL;
++ goto err;
++ }
+ }
+ objStr->getObject(e->gen, num, obj);
+ break;
--
http://linuxfromscratch.org/mailman/listinfo/patches
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
