m4/libjpeg.m4 | 2 +- poppler/Function.cc | 6 +++++- poppler/Stream.cc | 10 ++++++++-- splash/Splash.cc | 26 ++++++++++++++++++++++---- 4 files changed, 36 insertions(+), 8 deletions(-)
New commits: commit 4b69217f72f3fd313f73df059eb1e6294878a95e Author: Peter Dyballa <[email protected]> Date: Fri Jan 11 00:32:46 2013 +0100 Use CPPFLAGS for CPPFLAGS not CFLAGS Bug #59186 diff --git a/m4/libjpeg.m4 b/m4/libjpeg.m4 index d384343..1a5057a 100644 --- a/m4/libjpeg.m4 +++ b/m4/libjpeg.m4 @@ -70,7 +70,7 @@ dnl then search the headers (can't use simply AC_TRY_xxx, as jpeglib.h dnl requires system dependent includes loaded before it) ac_save_CPPFLAGS="$CPPFLAGS" ac_save_CFLAGS="$CFLAGS" -CPPFLAGS="$CFLAGS $all_includes $USER_INCLUDES" +CPPFLAGS="$CPPFLAGS $all_includes $USER_INCLUDES" CFLAGS="$CFLAGS $all_includes $USER_INCLUDES" AC_CHECK_HEADER([jpeglib.h], [jpeg_incdir=yes], [jpeg_incdir=NO]) CPPFLAGS="$ac_save_CPPFLAGS" commit 8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 Author: Albert Astals Cid <[email protected]> Date: Thu Jan 10 22:31:52 2013 +0100 Fix invalid memory access in 1150.pdf.asan.8.69 diff --git a/splash/Splash.cc b/splash/Splash.cc index af609b4..d0d986e 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -2252,11 +2252,14 @@ SplashPath *Splash::makeDashedPath(SplashPath *path) { lineDashStartOn = gTrue; lineDashStartIdx = 0; if (lineDashStartPhase > 0) { - while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) { + while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) { lineDashStartOn = !lineDashStartOn; lineDashStartPhase -= state->lineDash[lineDashStartIdx]; ++lineDashStartIdx; } + if (unlikely(lineDashStartIdx == state->lineDashLength)) { + return new SplashPath(); + } } dPath = new SplashPath(); commit e14b6e9c13d35c9bd1e0c50906ace8e707816888 Author: Albert Astals Cid <[email protected]> Date: Thu Jan 10 20:52:02 2013 +0100 Fix invalid memory access in 2030.pdf.asan.69.463 diff --git a/poppler/Function.cc b/poppler/Function.cc index 1dece2d..2f94a54 100644 --- a/poppler/Function.cc +++ b/poppler/Function.cc 
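Review bot: The new early return in `Splash::makeDashedPath`, taken when `lineDashStartIdx` reaches `state->lineDashLength`, drops the stroke without any diagnostic, whereas the other fixes in this batch report the condition through `error()`. Reaching the end of the dash array here presumably means the dash array or phase taken from the document is inconsistent, so a message would help whoever triages a malformed file; something like `error(errSyntaxError, -1, "Dash phase past end of dash array in Splash::makeDashedPath");` before the `return new SplashPath();` would do. A one-line comment above the bounded `while`, saying the index is capped because the remaining phase can exceed every entry, would also make the guard's purpose clear. The function body starts and ends outside this hunk, so whether later dash-index updates are bounded the same way cannot be checked from here.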
@@ -13,7 +13,7 @@ // All changes made under the Poppler project to this file are licensed // under GPL version 2 or later // -// Copyright (C) 2006, 2008-2010 Albert Astals Cid <[email protected]> +// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <[email protected]> // Copyright (C) 2006 Jeff Muizelaar <[email protected]> // Copyright (C) 2010 Christian Feuersänger <[email protected]> // Copyright (C) 2011 Andrea Canciani <[email protected]> @@ -1111,6 +1111,10 @@ void PSStack::copy(int n) { error(errSyntaxError, -1, "Stack underflow in PostScript function"); return; } + if (unlikely(sp - n > psStackSize)) { + error(errSyntaxError, -1, "Stack underflow in PostScript function"); + return; + } if (!checkOverflow(n)) { return; } commit 0388837f01bc467045164f9ddaff787000a8caaa Author: Albert Astals Cid <[email protected]> Date: Thu Jan 10 20:29:06 2013 +0100 Fix another invalid memory access in 1091.pdf.asan.72.42 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index d118ddd..4cb3326 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -2387,7 +2387,8 @@ GBool CCITTFaxStream::isBinary(GBool last) { // clip [-256,511] --> [0,255] #define dctClipOffset 256 -static Guchar dctClip[768]; +#define dctClipLength 768 +static Guchar dctClip[dctClipLength]; static int dctClipInit = 0; // zig zag decode map @@ -3343,7 +3344,12 @@ void DCTStream::transformDataUnit(Gushort *quantTable, // convert to 8-bit integers for (i = 0; i < 64; ++i) { - dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)]; + const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4); + if (unlikely(ix < 0 || ix >= dctClipLength)) { + dataOut[i] = 0; + } else { + dataOut[i] = dctClip[ix]; + } } } commit 957aa252912cde85d76c41e9710b33425a82b696 Author: Albert Astals Cid <[email protected]> Date: Thu Jan 10 19:16:19 2013 +0100 Fix invalid memory accesses in 1091.pdf.asan.72.42 diff --git a/splash/Splash.cc b/splash/Splash.cc index 1f838af..af609b4 100644 --- a/splash/Splash.cc 
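Review bot: The added guard in `PSStack::copy` evaluates `sp - n` in signed `int` before comparing it with `psStackSize`, so an extreme negative `n` can overflow that subtraction, which is undefined behaviour and may leave the check ineffective for exactly the inputs it targets. `n` presumably comes from the PostScript function embedded in the document, so it should be treated as untrusted. Assuming `sp` always stays within `[0, psStackSize]`, the same test can be written without the risky subtraction as `if (unlikely(n < sp - psStackSize)) {`. The message repeats the text of the preceding check, so the two cases cannot be told apart in logs; a distinct text would help. The function continues past the end of the hunk.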
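Review bot: In `DCTStream::transformDataUnit` the new fallback writes `0` for every out-of-range `ix`, including values above the table, which does not match the table's documented purpose of clipping to `[0,255]`. Saturating would keep the output consistent with the in-range behaviour: `dataOut[i] = ix < 0 ? 0 : 255;` in the `unlikely` branch. This is a rendering-fidelity point only; the bounds check itself closes the out-of-bounds read on `dctClip`. The hunk shows only the final loop of the function.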
+++ b/splash/Splash.cc @@ -3233,6 +3233,12 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData, Guchar *destPtr; int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, d; int i, j; + + destPtr = dest->data; + if (destPtr == NULL) { + error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYdXu"); + return; + } // Bresenham parameters for y scale yp = srcHeight / scaledHeight; @@ -3249,7 +3255,6 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData, // init y scale Bresenham yt = 0; - destPtr = dest->data; for (y = 0; y < scaledHeight; ++y) { // y scale Bresenham commit bbc2d8918fe234b7ef2c480eb148943922cc0959 Author: Albert Astals Cid <[email protected]> Date: Thu Jan 10 19:07:48 2013 +0100 Fix invalid memory accesses in 1036.pdf.asan.23.17 diff --git a/splash/Splash.cc b/splash/Splash.cc index 24d934a..1f838af 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -14,7 +14,7 @@ // Copyright (C) 2005-2013 Albert Astals Cid <[email protected]> // Copyright (C) 2005 Marco Pesenti Gritti <[email protected]> // Copyright (C) 2010-2012 Thomas Freitag <[email protected]> -// Copyright (C) 2010 Christian Feuersänger <[email protected]> +// Copyright (C) 2010 Christian Feuersänger <[email protected]> // Copyright (C) 2011, 2012 William Bader <[email protected]> // Copyright (C) 2012 Markus Trippelsdorf <[email protected]> // Copyright (C) 2012 Adrian Johnson <[email protected]> @@ -3308,6 +3308,12 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData, Guchar *destPtr0, *destPtr; int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, xx, d, d0, d1; int i; + + destPtr0 = dest->data; + if (destPtr0 == NULL) { + error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYuXd"); + return; + } // Bresenham parameters for y scale yp = scaledHeight / srcHeight; 
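Review bot: The NULL test on `dest->data` added at the top of `Splash::scaleMaskYdXu` makes the function return without telling its caller, so the caller presumably goes on to use a `dest` bitmap that has no pixel buffer; the same applies to the matching checks added in `Splash::scaleMaskYuXd` and `Splash::vertFlipImage`. A NULL `data` most likely means the bitmap allocation failed or was refused for the requested size, and that is better rejected where `dest` is created (outside these hunks) than in each routine that writes into it. If the leaf checks stay, a short comment such as `// dest->data is NULL when the bitmap allocation failed; nothing to scale into` would record why, and using `unlikely()` here as in `vertFlipImage` would keep the three guards consistent. Sibling scaling routines that are not part of these commits may need the same guard.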
@@ -3323,7 +3329,6 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData, // init y scale Bresenham yt = 0; - destPtr0 = dest->data; for (y = 0; y < srcHeight; ++y) { // y scale Bresenham @@ -4862,6 +4867,11 @@ void Splash::vertFlipImage(SplashBitmap *img, int width, int height, Guchar *lineBuf; Guchar *p0, *p1; int w; + + if (unlikely(img->data == NULL)) { + error(errInternal, -1, "img->data is NULL in Splash::vertFlipImage"); + return; + } w = width * nComps; lineBuf = (Guchar *)gmalloc(w);
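Review bot: The guard added in `Splash::vertFlipImage` checks only `img->data`, while the context line right after it, `w = width * nComps;`, multiplies two `int`s without an overflow check and passes the result to `gmalloc`. If `width` can be influenced by the document, a checked multiplication (or a test that `width` and `height` match the bitmap's own dimensions) belongs next to the new NULL check, since the row copy presumably uses `w` as its length. The rest of the function is outside the hunk, so how `w` is used further down should be confirmed before changing it.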
