fofi/FoFiType1.cc | 5 +++-- poppler/Decrypt.cc | 4 +++- poppler/Dict.h | 3 +++ poppler/Form.cc | 32 +++++++++++++++++++++++++++----- poppler/Function.cc | 7 ++++++- poppler/Gfx.cc | 39 +++++++++++++++++++++++++++++++++------ poppler/Stream.cc | 1 + 7 files changed, 76 insertions(+), 15 deletions(-)
New commits:
commit d2578bd66129466b2dd114b6407c147598e09d2b
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:19:27 2010 +0100
Avoid loops in Form::fieldLookup Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Dict.h b/poppler/Dict.h
index bb747d5..a76bc89 100644
--- a/poppler/Dict.h
+++ b/poppler/Dict.h
@@ -16,6 +16,7 @@
 // Copyright (C) 2005 Kristian Høgsberg <[email protected]>
 // Copyright (C) 2006 Krzysztof Kowalczyk <[email protected]>
 // Copyright (C) 2007-2008 Julien Rebetez <[email protected]>
+// Copyright (C) 2010 Albert Astals Cid <[email protected]>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -83,6 +84,8 @@ public:
 // trailer dictionary, which is read before the xref table is
 // parsed.
 void setXRef(XRef *xrefA) { xref = xrefA; }
+
+ XRef *getXRef() { return xref; }
 private:
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 21ca672..ae9c509 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -22,6 +22,7 @@
 #pragma implementation
 #endif
+#include <set>
 #include <stddef.h>
 #include <string.h>
 #include "goo/gmem.h"
@@ -1181,7 +1182,7 @@ Form::~Form() {
 }
 // Look up an inheritable field dictionary entry.
-Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+static Object *fieldLookup(Dict *field, char *key, Object *obj, std::set<int> *usedParents) {
 Dict *dict;
 Object parent.
@@ -1190,8 +1191,23 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
 return obj;
 }
 obj->free();
- if (dict->lookup("Parent", &parent)->isDict()) {
- fieldLookup(parent.getDict(), key, obj);
+ dict->lookupNF("Parent", &parent);
+ if (parent.isRef()) {
+ const Ref ref = parent.getRef();
+ if (usedParents->find(ref.num) == usedParents->end()) {
+ usedParents->insert(ref.num);
+
+ Object obj2;
+ parent.fetch(dict->getXRef(), &obj2);
+ if (obj2.isDict()) {
+ fieldLookup(obj2.getDict(), key, obj, usedParents);
+ } else {
+ obj->initNull();
+ }
+ obj2.free();
+ }
+ } else if (parent.isDict()) {
+ fieldLookup(parent.getDict(), key, obj, usedParents);
 } else {
 obj->initNull();
 }
@@ -1199,6 +1215,11 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
 return obj;
 }
+Object *Form::fieldLookup(Dict *field, char *key, Object *obj) {
+ std::set<int> usedParents;
+ return ::fieldLookup(field, key, obj, &usedParents);
+}
+
 FormField *Form::createFieldFromDict (Object* obj, XRef *xrefA, const Ref& pref) {
 Object obj2.
commit 2fe825deac055be82b220d0127169cb3d61387a8
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:15:25 2010 +0100
Make sure obj1 is a num before reading it Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 7b85d79..76dae02 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) {
 }
 for (i = 0; i < 4; ++i) {
 bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
 }
 bboxObj.free();
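Review bot: When the Parent reference has already been visited, the inner `if (usedParents->find(ref.num) == usedParents->end())` has no else branch, so `obj` is left in whatever state the preceding `obj->free()` put it, while every other path in the hunk ends in either a recursive lookup or `obj->initNull()`; the loop-detection exit should do the same, `} else { obj->initNull(); }` on that inner `if`, so callers always receive a null object when no value is found. The visited set is keyed on `ref.num` only, so two parents differing only in generation number collapse to one entry — acceptable for cycle detection, but worth a one-line comment at the `std::set<int>` declaration in the wrapper hunk. The signature lines and whatever releases `parent` sit in other hunks, so I can't confirm `parent` is freed on the new paths.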
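Review bot: The new early `return` in the `else` branch of `Gfx::doForm` skips the `bboxObj.free()` that follows the loop, so a malformed BBox now trades the crash for a leak of that array object. Release it before leaving, `obj1.free(); bboxObj.free(); error(getPos(), "Bad form bounding box value"); return;`. The `Gfx::drawAnnot` hunk in the same commit has the identical shape and needs the same release. Anything else doForm has opened before this point is outside the hunk, so there may be further objects to free on that path.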
@@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
 }
 for (i = 0; i < 4; ++i) {
 bboxObj.arrayGet(i, &obj1);
- bbox[i] = obj1.getNum();
- obj1.free();
+ if (likely(obj1.isNum())) {
+ bbox[i] = obj1.getNum();
+ obj1.free();
+ } else {
+ obj1.free();
+ error(getPos(), "Bad form bounding box value");
+ return;
+ }
 }
 bboxObj.free();
commit 473de6f88a055bb03470b4af5fa584be8cb5fda4
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:11:42 2010 +0100
Fix memory leak if obj2 is not a dict Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Form.cc b/poppler/Form.cc
index 4df8a7d..21ca672 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -715,13 +715,14 @@ FormField::FormField(XRef* xrefA, Object *aobj, const Ref& aref, FormFieldType t
 // Load children
 for(int i=0; i<length; i++) {
 Object obj2,obj3;
- Object childRef;
 array->get(i, &obj2);
- array->getNF(i, &childRef);
 if (!obj2.isDict ()) {
 error (-1, "Reference to an invalid or non existant object");
+ obj2.free();
 continue;
 }
+ Object childRef;
+ array->getNF(i, &childRef);
 //field child
 if (dict->lookup ("FT", &obj3)->isName()) {
 // If I'm not a generic container field and my children
commit 9706e28657ff7ea52aa69d9efb3f91d0cfaee70b
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:09:37 2010 +0100
Fix crash when idx is out of range Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index ea35b7b..e7383fd 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
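Review bot: The error text on the `if (!obj2.isDict ())` path, `"Reference to an invalid or non existant object"`, is now the only diagnostic for every Kids entry that is not a dictionary — including a direct non-dict value that is not a reference at all — and "existant" is misspelled; a message that states what was checked, `error (-1, "Kids entry is not a dictionary");`, would make the log match the condition. The `obj2.free()` before `continue` is correct, but since `obj3` is declared on the same line as `obj2` a reader may wonder whether it also needs releasing here; a short comment, `// obj3 is not yet initialised on this path`, would settle that (I cannot see `Object`'s default state from the hunk, so confirm it). The constructor continues outside the hunk.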
@@ -425,7 +425,7 @@ void SampledFunction::transform(double *in, double *out) {
 if (likely(idx >= 0 && idx < nSamples)) {
 sBuf[j] = samples[idx];
 } else {
- sBuf[j] = 0;
+ sBuf[j] = 0; // TODO Investigate if this is what Adobe does
 }
 }
commit 26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:08:54 2010 +0100
Fix crash when idx is out of range Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index b28ee3d..ea35b7b 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -422,7 +422,11 @@ void SampledFunction::transform(double *in, double *out) {
 for (k = 0, t = j; k < m; ++k, t >>= 1) {
 idx += idxMul[k] * (e[k][t & 1]);
 }
- sBuf[j] = samples[idx];
+ if (likely(idx >= 0 && idx < nSamples)) {
+ sBuf[j] = samples[idx];
+ } else {
+ sBuf[j] = 0;
+ }
 }
 // do m sets of interpolations
commit dfdf3602bde47d1be7788a44722c258bfa0c6d6e
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:07:12 2010 +0100
Give a value to color.c[i] Might not be the better solution but it's better than having a random value there Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 919086e..7b85d79 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1533,6 +1533,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
 for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
 if (args[i].isNum()) {
 color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
 }
 }
 state->setFillColor(&color);
@@ -1552,6 +1554,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) {
 for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
 if (args[i].isNum()) {
 color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
 }
 }
 state->setFillColor(&color);
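Review bot: The `idx >= 0 && idx < nSamples` test in `SampledFunction::transform` is evaluated for every sample on every call, yet an index outside the table can only arise from `idxMul[k]` values that are inconsistent with the sample count, and those are fixed when the function is parsed; if they were rejected once at that point (the parsing code is outside the hunk, so I cannot tell whether it already is), this per-sample branch could never fail. The substitute `sBuf[j] = 0` is silent; the later commit only adds a TODO, so a comment such as `// out-of-range index means a malformed Size/sample table, not a numeric edge case` at the `else` would tell the next reader this is an input-error path. The enclosing loop begins outside the hunk.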
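Review bot: The new `else` in `Gfx::opSetFillColorN` substitutes 0 for a non-numeric colour operand without reporting it, whereas a malformed operand is the kind of condition Gfx otherwise surfaces through `error(getPos(), ...)`; `error(getPos(), "Non-numeric colour component in opSetFillColorN");` (or the operator's name) in that branch would record the bad input instead of hiding it behind a TODO. Separately, the loop only assigns `color.c[i]` for `i < numArgs - 1` (first hunk) or `i < numArgs` (second hunk), so any component the colour space expects beyond that count is still whatever `color` held before — its initialisation is outside the hunk, so confirm it is zeroed. The two `Gfx::opSetStrokeColorN` hunks in this commit have the same two issues.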
@@ -1576,6 +1580,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
 for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) {
 if (args[i].isNum()) {
 color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
 }
 }
 state->setStrokeColor(&color);
@@ -1595,6 +1601,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) {
 for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) {
 if (args[i].isNum()) {
 color.c[i] = dblToCol(args[i].getNum());
+ } else {
+ color.c[i] = 0; // TODO Investigate if this is what Adobe does
 }
 }
 state->setStrokeColor(&color);
commit 01c85c08305bae16242f5979ab107fa5bb5f5100
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:04:37 2010 +0100
Forgot my (C) here
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index 128dbb9..abca820 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2008 Julien Rebetez <[email protected]>
-// Copyright (C) 2008 Albert Astals Cid <[email protected]>
+// Copyright (C) 2008, 2010 Albert Astals Cid <[email protected]>
 // Copyright (C) 2009 Matthias Franz <[email protected]>
 // Copyright (C) 2009 David Benjamin <[email protected]>
 //
commit bf2055088a3a2d3bb3d3c37d464954ec1a25771f
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:03:19 2010 +0100
Properly initialize stack Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Function.cc b/poppler/Function.cc
index b7c23fe..b28ee3d 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -1108,6 +1108,7 @@ PostScriptFunction::PostScriptFunction(Object *funcObj, Dict *dict) {
 code = NULL;
 codeString = NULL;
 codeSize = 0;
+ stack = NULL;
 ok = gFalse;
 cache = new PopplerCache(5);
commit e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 19:01:36 2010 +0100
Properly initialize parser Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index fc004b8..919086e 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -536,6 +536,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, int pageNum, Dict *resDict, Catalog *cata
 drawText = gFalse;
 maskHaveCSPattern = gFalse;
 mcStack = NULL;
+ parser = NULL;
 // start the resource stack
 res = new GfxResources(xref, resDict, NULL);
@@ -590,6 +591,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, Dict *resDict, Catalog *catalogA,
 drawText = gFalse;
 maskHaveCSPattern = gFalse;
 mcStack = NULL;
+ parser = NULL;
 // start the resource stack
 res = new GfxResources(xref, resDict, NULL);
commit 3422638b2a39cbdd33a114a7d7debc0a5f688501
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 18:58:43 2010 +0100
Fix crash in broken pdf (parser->getStream() is 0) Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 50870cc..fc004b8 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
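Review bot: `parser = NULL;` is added by hand to two `Gfx` constructors whose visible member assignments (`drawText`, `maskHaveCSPattern`, `mcStack`) are already duplicated line for line; this commit exists because one pointer member was missed, and the next one added will be missed the same way. Pulling the shared member initialisation into one private helper called from both constructors (or, if the project's compiler baseline permits, in-class initialisers) would remove the duplication and make such omissions a compile-time matter. The `PostScriptFunction` constructor hunk in the neighbouring commit, `stack = NULL;`, is the same pattern of raw-pointer members nulled one by one. Both constructors continue outside their hunks.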
@@ -4449,8 +4449,13 @@ Stream *Gfx::buildImageStream() {
 obj.free();
 // make stream
- str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
- str = str->addFilters(&dict);
+ if (parser->getStream()) {
+ str = new EmbedStream(parser->getStream(), &dict, gFalse, 0);
+ str = str->addFilters(&dict);
+ } else {
+ str = NULL;
+ dict.free();
+ }
 return str;
 }
commit a2dab0238a69240dad08eca2083110b52ce488b7
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 18:55:51 2010 +0100
Initialize properly charactersRead It is possible that there are calls to getPos before reset Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index ca294d3..128dbb9 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -229,6 +229,8 @@ DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey,
 if ((objKeyLength = keyLength + 5) > 16) {
 objKeyLength = 16;
 }
+
+ charactersRead = 0;
 }
 DecryptStream::~DecryptStream() {
commit 39d140bfc0b8239bdd96d6a55842034ae5c05473
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 18:54:31 2010 +0100
Fix crash in broken pdf (code < 0) Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
index 25bdc0e..3fe7f4f 100644
--- a/fofi/FoFiType1.cc
+++ b/fofi/FoFiType1.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005, 2008 Albert Astals Cid <[email protected]>
+// Copyright (C) 2005, 2008, 2010 Albert Astals Cid <[email protected]>
 // Copyright (C) 2005 Kristian Høgsberg <[email protected]>
 // Copyright (C) 2010 Jakub Wilk <[email protected]>
 //
@@ -31,6 +31,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include "goo/gmem.h"
+#include "goo/GooLikely.h"
 #include "FoFiEncodings.h"
 #include "FoFiType1.h"
 #include "poppler/Error.h"
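Review bot: `Gfx::buildImageStream` can now return NULL, which is a new contract for its callers, and the hunk shows none of them being updated; the function needs a comment stating it, `// Returns NULL (and releases dict) when the parser has no underlying stream.`, and every call site needs a NULL check before dereferencing the result — the callers are outside the hunk, so I cannot confirm whether any already tolerate it. The failure is also silent; `error(getPos(), "Inline image has no stream data");` in the `else` branch would match how Gfx reports other malformed content. Minor: `parser->getStream()` is evaluated twice; binding it once, `Stream *src = parser->getStream(); if (src) {`, reads more clearly. The function begins outside the hunk.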
@@ -243,7 +244,7 @@ void FoFiType1::parse() {
 code = code * 8 + (*p2 - '0');
 }
 }
- if (code < 256) {
+ if (likely(code < 256 && code >= 0)) {
 for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
 if (*p == '/') {
 ++p;
commit c6a091512745771894b54a71613fd6b5ca1adcb3
Author: Albert Astals Cid <[email protected]>
Date: Tue Sep 21 18:50:25 2010 +0100
Fix memory leak Found thanks to PDF provided by Joel Voss of Leviathan Security Group
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 988f99a..0fb3884 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -599,6 +599,7 @@ GBool StreamPredictor::getNextLine() {
 // last partial line
 break;
 }
+ delete[] rawCharLine;
 return gFalse;
 }
 switch (curPred) {
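Review bot: The added `code >= 0` test in `FoFiType1::parse` catches a negative value after the fact, but the only way `code` becomes negative is signed overflow in the accumulation `code = code * 8 + (*p2 - '0');` on the line above, which is undefined behaviour in C++ and not guaranteed to produce a negative number the check can see. The accumulation should stop growing once the value can no longer be a valid code, e.g. `if (code < 256) code = code * 8 + (*p2 - '0');` — anything already at or above 256 then stays in a small positive range and still fails the `code < 256` test, with no overflow. The loop that contains the accumulation starts outside the hunk, so the exact placement should be checked there.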
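Review bot: `delete[] rawCharLine;` is placed before this one `return gFalse;`, but `StreamPredictor::getNextLine` begins outside the hunk and neither the allocation of `rawCharLine` nor its other exits are visible, so any further early return after the allocation would leak in the same way. Either every exit after the allocation releases it, or the buffer is owned by a scope-bound object so the release cannot be forgotten; at minimum a comment at the allocation site, `// freed on every exit below — keep in sync when adding returns`, would make the obligation visible. The `switch (curPred)` that follows is the start of the function's main work and is also outside the hunk.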
