fofi/FoFiType1C.cc | 25 +++++++++++++++++-------- fofi/FoFiType1C.h | 2 ++ poppler/DCTStream.cc | 6 +++++- poppler/Form.cc | 2 +- poppler/Function.cc | 5 +++++ poppler/Gfx.cc | 5 +++++ poppler/JBIG2Stream.cc | 8 ++++++++ poppler/XRef.cc | 6 ++++++ splash/SplashClip.cc | 23 +++++++++++++++++++++++ splash/SplashXPathScanner.cc | 3 +++ 10 files changed, 75 insertions(+), 10 deletions(-)
New commits: commit 558a7d9b046bbbe185dea263b48a3cb2664378fc Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 23:25:47 2012 +0200 Fix invalid memory access in solves 1066.pdf.asan.38.75 diff --git a/splash/SplashClip.cc b/splash/SplashClip.cc index 41b73c8..fb18831 100644 --- a/splash/SplashClip.cc +++ b/splash/SplashClip.cc @@ -384,4 +384,27 @@ void SplashClip::clipAALine(SplashBitmap *aaBuf, int *x0, int *x1, int y) { for (i = 0; i < length; ++i) { scanners[i]->clipAALine(aaBuf, x0, x1, y); } + if (*x0 > *x1) { + *x0 = *x1; + } + if (*x0 < 0) { + *x0 = 0; + } + if ((*x0>>1) >= aaBuf->getRowSize()) { + xx0 = *x0; + *x0 = (aaBuf->getRowSize() - 1) << 1; + if (xx0 & 1) { + *x0 = *x0 + 1; + } + } + if (*x1 < *x0) { + *x1 = *x0; + } + if ((*x1>>1) >= aaBuf->getRowSize()) { + xx0 = *x1; + *x1 = (aaBuf->getRowSize() - 1) << 1; + if (xx0 & 1) { + *x1 = *x1 + 1; + } + } } diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc index c9fe5e5..738cef7 100644 --- a/splash/SplashXPathScanner.cc +++ b/splash/SplashXPathScanner.cc @@ -441,6 +441,9 @@ void SplashXPathScanner::renderAALine(SplashBitmap *aaBuf, } } } + if (xxMin > xxMax) { + xxMin = xxMax; + } *x0 = xxMin / splashAASize; *x1 = (xxMax - 1) / splashAASize; } commit d0df8e54512f584ca2b3edbae1c19e167948e5c3 Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 23:21:38 2012 +0200 Fix invalid memory access in 1106.pdf.asan.30.120.patch diff --git a/poppler/Function.cc b/poppler/Function.cc index 25e8f74..2c3aa8a 100644 --- a/poppler/Function.cc +++ b/poppler/Function.cc @@ -17,6 +17,7 @@ // Copyright (C) 2006 Jeff Muizelaar <[email protected]> // Copyright (C) 2010 Christian Feuersänger <[email protected]> // Copyright (C) 2011 Andrea Canciani <[email protected]> +// Copyright (C) 2012 Thomas Freitag <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git 
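Review bot: The two clamp blocks added after the scanner loop apply the same `>>1` / `<<1` / `& 1` manipulation first to *x0 and then to *x1, and nothing says why the low bit is carried over, so a reader has to diff the two blocks by eye to confirm they are identical. Factoring them into one file-static helper with a comment on the parity rule puts the intent in one place; a sketch follows. It also makes the edge case visible: should `aaBuf->getRowSize()` ever be 0, `(getRowSize() - 1) << 1` is -2 and the clamp hands back a negative position — presumably unreachable for a real AA buffer, but cheap to assert. `xx0` is not declared in the hunk, and the rest of clipAALine, including its start, lies outside it.
```cpp
// Clamp an AA-buffer x position so that (x >> 1) stays inside the row.
// The existing check compares (x >> 1) with the row size, which suggests two
// positions per byte; the low bit of x is kept so the same half is selected.
// NOTE(review): assumes rowSize >= 1 -- confirm against SplashBitmap.
static void clampAALineX(int *x, int rowSize) {
  if ((*x >> 1) >= rowSize) {
    *x = ((rowSize - 1) << 1) | (*x & 1);
  }
}

  // … in SplashClip::clipAALine, unchanged: scanner loop, *x0 > *x1 and *x0 < 0 checks …
  clampAALineX(x0, aaBuf->getRowSize());
  if (*x1 < *x0) {
    *x1 = *x0;
  }
  clampAALineX(x1, aaBuf->getRowSize());
```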
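Review bot: The new `xxMin > xxMax` guard stops `*x0` from overshooting `*x1` by an arbitrary amount, but the empty-line case is still encoded only implicitly: with xxMin == xxMax the outputs are `xxMax / splashAASize` and `(xxMax - 1) / splashAASize`, so whenever xxMax is a multiple of splashAASize the caller receives `*x1 == *x0 - 1`, and for xxMax == 0 the second division is `-1 / splashAASize`, which truncates to 0. That is harmless only because clipAALine (the sibling hunk in this commit) re-clamps `*x1 < *x0` afterwards. A comment here stating the contract — `// no samples on this line: hand back an empty range (*x1 < *x0); callers must tolerate it` — would keep the next caller from assuming the range is inclusive and non-empty. xxMin and xxMax are initialised outside the hunk, so whether xxMax can be 0 or negative has to be confirmed there.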
@@ -1010,6 +1011,10 @@ public: return; } --sp; + if (sp + i + 1 >= psStackSize) { + error(errSyntaxError, -1, "Stack underflow in PostScript function"); + return; + } stack[sp] = stack[sp + 1 + i]; } void pop() commit 86b89864396a1dcf027e5793e6ac75411977bcf9 Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 23:08:49 2012 +0200 Fix crash in 1255.pdf.SIGSEGV.56f.285 diff --git a/poppler/XRef.cc b/poppler/XRef.cc index 3564807..9a0c900 100644 --- a/poppler/XRef.cc +++ b/poppler/XRef.cc @@ -719,6 +719,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) { error(errSyntaxError, -1, "Invalid 'size' inside xref table"); return gFalse; } + if (first + n > size) { + error(errSyntaxError, -1, "Invalid 'first' or 'n' inside xref table"); + return gFalse; + } } for (i = first; i < first + n; ++i) { if (w[0] == 0) { @@ -1085,6 +1089,8 @@ Object *XRef::fetch(int num, int gen, Object *obj, int recursion) { objStr = NULL; goto err; } else { + // XRef could be reconstructed in constructor of ObjectStream: + e = getEntry(num); ObjectStreamKey *newkey = new ObjectStreamKey(e->offset); ObjectStreamItem *newitem = new ObjectStreamItem(objStr); objStrs->put(newkey, newitem); commit 96931732f343d2bbda9af9488b485da031866c3b Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 22:47:57 2012 +0200 Fix invalid memory access in 61.pdf.asan.13.95 diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc index d0ea888..c4595a3 100644 --- a/fofi/FoFiType1C.cc +++ b/fofi/FoFiType1C.cc @@ -14,6 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2009, 2010 Albert Astals Cid <[email protected]> +// Copyright (C) 2012 Thomas Freitag <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git 
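Review bot: The new bounds check runs after `--sp`, so when it fires the stack pointer has already been moved onto a slot that is never written and the method returns with the stack in that state; the interpreter presumably carries on with a stale top-of-stack value. Testing before the decrement avoids it: `if (i < 0 || sp + i >= psStackSize) { error(errSyntaxError, -1, "Stack underflow in PostScript function"); return; }` followed by the existing `--sp;`. The `i < 0` half matters as well — the check as written lets a negative operand read `stack[sp + 1 + i]` below the array unless the caller already rejects negative operands, which is not visible here. The method's signature and the overflow check it opens with are outside the hunk.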
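Review bot: `first + n > size` is evaluated in signed int, so a large `n` (or `first`) taken from the xref stream can overflow — undefined behaviour in C++, and in practice a negative wrap that passes the test — while a negative `first` or `n` passes it outright, after which `for (i = first; i < first + n; ++i)` indexes below the entry table. Unless both values were sign-checked earlier in readXRefStreamSection (outside this hunk), the guard should be `if (first < 0 || n < 0 || first > size - n)`, which cannot overflow once `size` is known to be non-negative, as the preceding "Invalid 'size'" check suggests it is. Only the function's parameter list is visible in the hunk header; its earlier validation is not.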
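Review bot: Refreshing `e = getEntry(num)` after the ObjectStream constructor is the right fix for the dangling pointer, but the next line still uses `e->offset` as the object-stream number without re-checking that the refreshed entry is still a compressed entry; if the reconstruction the comment mentions reclassified `num`, the new key is built from an offset of a different kind. A one-line re-check before `new ObjectStreamKey(e->offset)`, such as `if (e->type != xrefEntryCompressed) goto err;`, would close that, reusing the `err` label already present in the hunk. The comment itself would read better as a sentence rather than a fragment ending in a colon, e.g. `// the ObjectStream constructor may have reconstructed the xref and reallocated entries, so refresh e`. The start of fetch and its earlier handling of `e` are outside the hunk.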
@@ -78,6 +79,7 @@ FoFiType1C::FoFiType1C(char *fileA, int lenA, GBool freeFileDataA): privateDicts = NULL; fdSelect = NULL; charset = NULL; + charsetLength = 0; } FoFiType1C::~FoFiType1C() { @@ -121,6 +123,8 @@ GooString *FoFiType1C::getGlyphName(int gid) { GBool ok; ok = gTrue; + if (gid < 0 || gid >= charsetLength) + return NULL; getString(charset[gid], buf, &ok); if (!ok) { return NULL; @@ -141,7 +145,7 @@ int *FoFiType1C::getCIDToGIDMap(int *nCIDs) { // in a CID font, the charset data is the GID-to-CID mapping, so all // we have to do is reverse it n = 0; - for (i = 0; i < nGlyphs; ++i) { + for (i = 0; i < nGlyphs && i < charsetLength; ++i) { if (charset[i] > n) { n = charset[i]; } @@ -461,7 +465,7 @@ void FoFiType1C::convertToType1(char *psName, const char **newEncoding, GBool as for (i = 0; i < nGlyphs; ++i) { ok = gTrue; getIndexVal(&charStringsIdx, i, &val, &ok); - if (ok) { + if (ok && i < charsetLength) { getString(charset[i], buf2, &ok); if (ok) { eexecCvtGlyph(&eb, buf2, val.pos, val.len, &subrIdx, &privateDicts[0]); @@ -512,7 +516,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes, } } else if (topDict.firstOp == 0x0c1e) { nCIDs = 0; - for (i = 0; i < nGlyphs; ++i) { + for (i = 0; i < nGlyphs && i < charsetLength; ++i) { if (charset[i] >= nCIDs) { nCIDs = charset[i] + 1; } @@ -521,7 +525,7 @@ void FoFiType1C::convertToCIDType0(char *psName, int *codeMap, int nCodes, for (i = 0; i < nCIDs; ++i) { cidMap[i] = -1; } - for (i = 0; i < nGlyphs; ++i) { + for (i = 0; i < nGlyphs && i < charsetLength; ++i) { cidMap[charset[i]] = i; } } else { @@ -855,7 +859,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes, } } else if (topDict.firstOp == 0x0c1e) { nCIDs = 0; - for (i = 0; i < nGlyphs; ++i) { + for (i = 0; i < nGlyphs && i < charsetLength; ++i) { if (charset[i] >= nCIDs) { nCIDs = charset[i] + 1; } 
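Review bot: The early return added to getGlyphName is the only unbraced `if` in sight — the neighbouring `if (!ok) { return NULL; }` uses braces — so for consistency with the file it should be `if (gid < 0 || gid >= charsetLength) { return NULL; }`. The check also carries an unstated second duty: the constructor hunk above and the readCharset failure path in this commit both leave `charset == NULL` with `charsetLength == 0`, so this length test is what keeps `charset[gid]` from dereferencing NULL. A comment such as `// charsetLength is 0 when no charset was read, so this also guards charset == NULL` would stop a later "simplification" from dropping it.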
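Review bot: The `i < charsetLength` bound is added to the loop that computes the maximum CID, but getCIDToGIDMap then (outside this hunk) fills the reverse map from the same `charset[]`; if that second loop still runs to `nGlyphs`, it reads past the predefined charset tables exactly as before, and the size computed here no longer covers the indices it writes. The convertToCIDType0 and convertToType0 hunks below guard both the max loop and the fill loop, so the fill loop here presumably needs the same `&& i < charsetLength`. The mismatch only bites for fonts using a predefined charset (charsetOffset 0, 1 or 2), where the readCharset hunk makes charsetLength the fixed table size rather than nGlyphs.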
@@ -864,7 +868,7 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes, for (i = 0; i < nCIDs; ++i) { cidMap[i] = -1; } - for (i = 0; i < nGlyphs; ++i) { + for (i = 0; i < nGlyphs && i < charsetLength; ++i) { cidMap[charset[i]] = i; } } else { @@ -2415,7 +2419,7 @@ void FoFiType1C::buildEncoding() { if (nCodes > nGlyphs) { nCodes = nGlyphs; } - for (i = 1; i < nCodes; ++i) { + for (i = 1; i < nCodes && i < charsetLength; ++i) { c = getU8(pos++, &parsedOk); if (!parsedOk) { return; @@ -2437,7 +2441,7 @@ void FoFiType1C::buildEncoding() { if (!parsedOk) { return; } - for (j = 0; j <= nLeft && nCodes < nGlyphs; ++j) { + for (j = 0; j <= nLeft && nCodes < nGlyphs && nCodes < charsetLength; ++j) { if (c < 256) { if (encoding[c]) { gfree(encoding[c]); @@ -2480,12 +2484,16 @@ GBool FoFiType1C::readCharset() { if (topDict.charsetOffset == 0) { charset = fofiType1CISOAdobeCharset; + charsetLength = sizeof(fofiType1CISOAdobeCharset) / sizeof(Gushort); } else if (topDict.charsetOffset == 1) { charset = fofiType1CExpertCharset; + charsetLength = sizeof(fofiType1CExpertCharset) / sizeof(Gushort); } else if (topDict.charsetOffset == 2) { charset = fofiType1CExpertSubsetCharset; + charsetLength = sizeof(fofiType1CExpertSubsetCharset) / sizeof(Gushort); } else { charset = (Gushort *)gmallocn(nGlyphs, sizeof(Gushort)); + charsetLength = nGlyphs; for (i = 0; i < nGlyphs; ++i) { charset[i] = 0; } @@ -2530,6 +2538,7 @@ GBool FoFiType1C::readCharset() { if (!parsedOk) { gfree(charset); charset = NULL; + charsetLength = 0; return gFalse; } } diff --git a/fofi/FoFiType1C.h b/fofi/FoFiType1C.h index b9e1933..698dccd 100644 --- a/fofi/FoFiType1C.h +++ b/fofi/FoFiType1C.h 
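Review bot: `charsetLength = nGlyphs;` in the allocated-charset branch of readCharset stores an `int` into the `Gushort charsetLength` declared by the FoFiType1C.h hunk below, so the value is silently truncated modulo 65536 whenever nGlyphs exceeds that; the truncated value is always smaller, so the new `i < charsetLength` bounds stay memory-safe, but glyphs above the wrapped length are then silently dropped. If nGlyphs is read as a 16-bit INDEX count it fits today, yet declaring the member `int charsetLength;` matches nGlyphs and the `int i` it is compared against everywhere and removes the narrowing for free. As a style point the three table sizes would be more robust as `sizeof(fofiType1CISOAdobeCharset) / sizeof(fofiType1CISOAdobeCharset[0])` and so on, which keeps working if the element type ever changes.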
@@ -14,6 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2006 Takashi Iwai <[email protected]> +// Copyright (C) 2012 Thomas Freitag <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -250,6 +251,7 @@ private: int nFDs; Guchar *fdSelect; Gushort *charset; + Gushort charsetLength; int gsubrBias; GBool parsedOk; commit 26917d69c4da6a110db02b120133c36579fbb17c Author: Albert Astals Cid <[email protected]> Date: Sun Sep 9 22:23:36 2012 +0200 Add unlikely diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 661ec3d..4e663b4 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -1671,7 +1671,7 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) { state->setStrokeColor(&color); out->updateStrokeColor(state); } - if (numArgs <= 0) { + if (unlikely(numArgs <= 0)) { error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command"); return; } commit e6a3c797c01aa343f640f2e6f45de5bf379aa8ad Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 22:22:59 2012 +0200 Fix wrong memory access in 68.pdf.asan.7.1030 diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index ffe7486..661ec3d 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -1671,6 +1671,10 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) { state->setStrokeColor(&color); out->updateStrokeColor(state); } + if (numArgs <= 0) { + error(errSyntaxError, getPos(), "Incorrect number of arguments in 'SCN' command"); + return; + } if (args[numArgs-1].isName() && (pattern = res->lookupPattern(args[numArgs-1].getName(), this))) { state->setStrokePattern(pattern); commit 48fe18cf277cd2a4e665c74b3a594482f762f4b6 Author: Albert Astals Cid <[email protected]> Date: Sun Sep 9 22:09:44 2012 +0200 Fix memory leak diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index d7684d6..ffe7486 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc 
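Review bot: The new `numArgs <= 0` guard exists to protect the `args[numArgs-1]` access on the next line but nothing says so, and it sits after a block that has already called `state->setStrokeColor` and `out->updateStrokeColor`; a comment such as `// the last operand must be the pattern name; bail out before indexing args[numArgs-1]` would tie the check to the line it protects. Whether that preceding block can run with numArgs <= 0, and so leave the stroke colour partially updated before the error, depends on its condition, which is outside the hunk — if it can, the guard belongs at the top of opSetStrokeColorN instead.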
@@ -4356,6 +4356,7 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) { dict->lookup("D", &obj1); } if (bits == 0) { + delete colorSpace; goto err2; } colorMap = new GfxImageColorMap(bits, &obj1, colorSpace); commit b87aafc0cdb36c3555053f2684c45f1a9d7b2f94 Author: Albert Astals Cid <[email protected]> Date: Sun Sep 9 21:42:48 2012 +0200 Add unlikelys to the ifs diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc index cc2d325..6302c8b 100644 --- a/poppler/DCTStream.cc +++ b/poppler/DCTStream.cc @@ -5,7 +5,7 @@ // This file is licensed under the GPLv2 or later // // Copyright 2005 Jeff Muizelaar <[email protected]> -// Copyright 2005-2010 Albert Astals Cid <[email protected]> +// Copyright 2005-2010, 2012 Albert Astals Cid <[email protected]> // Copyright 2009 Ryszard Trojnacki <[email protected]> // Copyright 2010 Carlos Garcia Campos <[email protected]> // Copyright 2011 Daiki Ueno <[email protected]> @@ -223,7 +223,7 @@ int DCTStream::getChars(int nChars, Guchar *buffer) { } int DCTStream::lookChar() { - if (current == NULL) { + if (unlikely(current == NULL)) { return EOF; } return *current; diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index 587ef38..78a205d 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -720,7 +720,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA): JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): JBIG2Segment(segNumA) { - if (!bitmap) { + if (unlikely(bitmap == NULL)) { error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap"); w = h = line = 0; data = NULL; commit a019eef2f8ca53addd7ccab7f9c47657f4e52286 Author: Thomas Freitag <[email protected]> Date: Sun Sep 9 21:41:09 2012 +0200 Fix crash in 1162.pdf.SIGSEGV.28e.182 diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc index 90a1377..cc2d325 100644 --- a/poppler/DCTStream.cc +++ b/poppler/DCTStream.cc 
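Review bot: `delete colorSpace` before `goto err2` plugs this one exit, but ownership of colorSpace only passes to GfxImageColorMap on the following line, so any other early exit between the point where colorSpace is created and that constructor (outside this hunk) leaks in the same way and is worth auditing rather than fixing one at a time. A more robust shape is a single release on the error path — `delete colorSpace;` under a label these exits reach, with colorSpace initialised to NULL and reset to NULL once the colour map has taken it, so the delete is a no-op in both the too-early and the already-owned cases. The `D` lookup into obj1 just above the check is presumably released at err2; that label is not visible here, so confirm it.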
@@ -10,6 +10,7 @@ // Copyright 2010 Carlos Garcia Campos <[email protected]> // Copyright 2011 Daiki Ueno <[email protected]> // Copyright 2011 Tomas Hoger <[email protected]> +// Copyright 2012 Thomas Freitag <[email protected]> // //======================================================================== @@ -222,6 +223,9 @@ int DCTStream::getChars(int nChars, Guchar *buffer) { } int DCTStream::lookChar() { + if (current == NULL) { + return EOF; + } return *current; } commit ad7c6ac88f2315c9ce003308d1b4988592d4434b Author: William Bader <[email protected]> Date: Sun Sep 9 21:31:58 2012 +0200 Fix crash in 1028.pdf.SIGSEGV.ae6.33 diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index a8486a3..587ef38 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -18,6 +18,7 @@ // Copyright (C) 2006-2010, 2012 Albert Astals Cid <[email protected]> // Copyright (C) 2009 David Benjamin <[email protected]> // Copyright (C) 2011 Edward Jiang <[email protected]> +// Copyright (C) 2012 William Bader <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -719,6 +720,13 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA): JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): JBIG2Segment(segNumA) { + if (!bitmap) { + error(errSyntaxError, -1, "NULL bitmap in JBIG2Bitmap"); + w = h = line = 0; + data = NULL; + return; + } + w = bitmap->w; h = bitmap->h; line = bitmap->line; commit b861af714daee4125e54b250dddf82106f5a8ce8 Author: Albert Astals Cid <[email protected]> Date: Sun Sep 9 21:15:06 2012 +0200 Fix memory leak diff --git a/poppler/Form.cc b/poppler/Form.cc index 99d7bbb..7d32ae0 100644 --- a/poppler/Form.cc +++ b/poppler/Form.cc 
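Review bot: The NULL-source path leaves the new object with `w = h = line = 0` and `data = NULL` and returns from the constructor, so every consumer of a JBIG2Bitmap built this way has to tolerate a NULL `data`; the error is logged, but nothing in the code marks the object as empty rather than as a zero-size bitmap whose buffer was allocated. A comment on the early return stating that contract, e.g. `// leave an empty bitmap (data == NULL); callers must check data before touching it`, documents what the fix relies on. Any members the constructor initialises after the copied `w`, `h` and `line` are outside the hunk, so whether the early return skips initialising them should be checked too.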
@@ -521,8 +521,8 @@ FormField::FormField(PDFDoc *docA, Object *aobj, const Ref& aref, FormField *par obj1.free(); if (dict->lookup("Subtype", &obj1)->isName("Widget")) _createWidget(&obj, ref); - obj1.free(); } + obj1.free(); //flags if (Form::fieldLookup(dict, "Ff", &obj1)->isInt()) {
