Re: [poppler] poppler/Stream.cc

2018-05-22 Thread Adam Reichold
Hello,

maybe the simplest solution would be to turn inputBuf into an unsigned int
and convert to signed int after extracting the bits out of it?

Best regards,
Adam

Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
>  poppler/Stream.cc |4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> New commits:
> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> Author: Albert Astals Cid 
> Date:   Wed May 23 00:23:19 2018 +0200
> 
> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> 
> So shifting left negative values is undefined behaviour according to the
> spec but if we don't do it we break, so we seem to be depending on this
> undefined behaviour, will try to figure out a better fix
> 
> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> index b6bfd838..4f075c12 100644
> --- a/poppler/Stream.cc
> +++ b/poppler/Stream.cc
> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
>while (inputBits < nextBits) {
>  if ((c = str->getChar()) == EOF)
>return EOF;
> -if (likely(inputBuf >= 0)) {
> -inputBuf = (inputBuf << 8) | (c & 0xff);
> -}
> +inputBuf = (inputBuf << 8) | (c & 0xff);
>  inputBits += 8;
>}
>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
> ___
> poppler mailing list
> poppler@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler
> 





[poppler] poppler/Decrypt.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Decrypt.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 3ca2d43b7ddcca08bc026c6564f89ffbe0dde506
Author: Albert Astals Cid 
Date:   Wed May 23 00:27:08 2018 +0200

warning--

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index d4ce0ce3..83d18824 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -321,7 +321,7 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar 
*fileKey, CryptAlgorithm a
   }
   switch (algo) {
   case cryptRC4:
-if (likely(keyLength < (sizeof(objKey) - 4))) {
+if (likely(keyLength < static_cast(sizeof(objKey) - 4))) {
   objKey[keyLength] = objNum & 0xff;
   objKey[keyLength + 1] = (objNum >> 8) & 0xff;
   objKey[keyLength + 2] = (objNum >> 16) & 0xff;
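Review bot: Casting the size to a signed type changes what the guard rejects: a negative `keyLength` now satisfies `keyLength < static_cast(sizeof(objKey) - 4)` and indexes `objKey[keyLength]` below the array, whereas the unsigned comparison it replaces rejected it. Unless `keyLength` is validated as non-negative before this constructor runs, prefer widening `keyLength` to `size_t` instead, or add an explicit `keyLength >= 0` check. The `static_cast` also appears without its template argument in the line as shown here; the angle brackets look to have been stripped in the mail rendering.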


[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

New commits:
commit 58e056c4b15f262b7715f8061d6885eb80044d0d
Author: Albert Astals Cid 
Date:   Wed May 23 00:23:19 2018 +0200

Revert 31c3832b996acbf04ea833e304d7d21ac4533a57

So shifting left negative values is undefined behaviour according to the
spec but if we don't do it we break, so we seem to be depending on this
undefined behaviour, will try to figure out a better fix

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index b6bfd838..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-if (likely(inputBuf >= 0)) {
-inputBuf = (inputBuf << 8) | (c & 0xff);
-}
+inputBuf = (inputBuf << 8) | (c & 0xff);
 inputBits += 8;
   }
   code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
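Review bot: The restored line `inputBuf = (inputBuf << 8) | (c & 0xff);` left-shifts a signed `inputBuf` that goes negative once its top bit is set, which is the undefined behaviour the commit message acknowledges. Declaring `inputBuf` as an unsigned type makes the shift well-defined without changing anything else in this hunk: the extraction `code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);` keeps only the low `nextBits` bits, so the bits shifted out at the top never matter, and an unsigned right shift also avoids the implementation-defined sign extension.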


[poppler] poppler/Gfx.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Gfx.cc |7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

New commits:
commit a6c2eb671f08beb682e086d5f6791fdb78906a7c
Author: Albert Astals Cid 
Date:   Tue May 22 22:12:03 2018 +0200

Make sure dash[i] is initialized

even if obj is not a number

fixes oss-fuzz/8462

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index e0ccb4c2..01ededcd 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -947,11 +947,10 @@ void Gfx::opSetDash(Object args[], int numArgs) {
 dash = nullptr;
   } else {
 dash = (double *)gmallocn(length, sizeof(double));
+bool dummyOk;
 for (i = 0; i < length; ++i) {
-  Object obj = a->get(i);
-  if (obj.isNum()) {
-   dash[i] = obj.getNum();
-  }
+  const Object obj = a->get(i);
+  dash[i] = obj.getNum(&dummyOk);
 }
   }
   state->setLineDash(dash, length, args[1].getNum());
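Review bot: The flag passed as `&dummyOk` is never read, so a non-numeric entry at `a->get(i)` is silently converted to whatever `getNum(&dummyOk)` yields in that case instead of being reported. Since a non-number is exactly the malformed case this change is for, consider checking `dummyOk` and emitting an `error(errSyntaxError, ...)` or discarding the dash array, so that bad input is visible rather than rendered with an arbitrary dash length.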


[poppler] poppler/Hints.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Hints.cc |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit 083bfa59378be1c008cb6543f7e9bebde29a4079
Author: Albert Astals Cid 
Date:   Tue May 22 22:01:35 2018 +0200

nBitsDiffObjects can only be 32 as per spec

fixes oss-fuzz/8464

diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 2f5fec6c..ecee0468 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -5,7 +5,7 @@
 // This file is licensed under the GPLv2 or later
 //
 // Copyright 2010, 2012 Hib Eris 
-// Copyright 2010, 2011, 2013, 2014, 2016, 2017 Albert Astals Cid 

+// Copyright 2010, 2011, 2013, 2014, 2016-2018 Albert Astals Cid 

 // Copyright 2010, 2013 Pino Toscano 
 // Copyright 2013 Adrian Johnson 
 // Copyright 2014 Fabio D'Urso 
@@ -258,6 +258,11 @@ GBool Hints::readPageOffsetTable(Stream *str)
   if (objectOffsetFirst >= hintsOffset) objectOffsetFirst += hintsLength;
 
   nBitsDiffObjects = sbr.readBits(16);
+  if (nBitsDiffObjects > 32) {
+error(errSyntaxWarning, -1, "Invalid number of bits needed to represent 
the difference between the greatest and least number of objects in a page");
+nPages = 0;
+return gFalse;
+  }
 
   pageLengthLeast = sbr.readBits(32);
 
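Review bot: The guard accepts any `nBitsDiffObjects` up to 32 while the commit title says the field can only be 32; if the spec fixes the width at exactly 32 the check could be `!= 32`, otherwise the title should read "at most 32". The `error(...)` string literal is also shown split across two lines here, which would not compile as an unterminated literal; presumably this is mail wrapping and the source has it on one line. Setting `nPages = 0` before `return gFalse;` is the right way to make later code ignore the partial table.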


[poppler] poppler/Parser.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Parser.cc |3 +++
 1 file changed, 3 insertions(+)

New commits:
commit 942a426f2844b66758b6b443234c3686d61420cc
Author: Albert Astals Cid 
Date:   Tue May 22 21:41:51 2018 +0200

Parser::makeStream: Make sure length is not negative

fixes oss-fuzz/8469

diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 7ed297cb..ce91e325 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
   pos = pos - 1;
   lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
   }
+  if (unlikely(length < 0)) {
+  return nullptr;
+  }
   if (unlikely(pos > LONG_LONG_MAX - length)) {
   return nullptr;
   }
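Review bot: The order is right: with a negative `length` the existing guard `pos > LONG_LONG_MAX - length` would itself overflow, so rejecting `length < 0` first is what makes that check sound. It would help to emit an `error(errSyntaxError, ...)` before `return nullptr;` so that a negative /Length shows up in diagnostics rather than only as a silently missing stream.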


[poppler] poppler/SecurityHandler.cc

2018-05-22 Thread Albert Astals Cid
 poppler/SecurityHandler.cc |3 +++
 1 file changed, 3 insertions(+)

New commits:
commit bf03344ad26b1227b5052420feabe062441c02ed
Author: Albert Astals Cid 
Date:   Tue May 22 20:36:05 2018 +0200

StandardSecurityHandler::isUnencrypted: Fix uninitialized memory use

fixes oss-fuzz/8426

diff --git a/poppler/SecurityHandler.cc b/poppler/SecurityHandler.cc
index a643f45f..bdfd89f8 100644
--- a/poppler/SecurityHandler.cc
+++ b/poppler/SecurityHandler.cc
@@ -315,6 +315,9 @@ StandardSecurityHandler::~StandardSecurityHandler() {
 }
 
 GBool StandardSecurityHandler::isUnencrypted() {
+  if (!ok) {
+return gTrue;
+  }
   return encVersion == -1 && encRevision == -1;
 }
 
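Review bot: The early `return gTrue;` when `!ok` needs a comment explaining the choice: a handler that failed to initialise is reported as unencrypted, so callers will read the document without decryption rather than refusing it. That may be the intended lenient behaviour, but it is not obvious from the code, and failing closed (treating a broken handler as encrypted) is what a reader would expect from a security handler. The uninitialised read this fixes is of `encVersion`/`encRevision`, which are presumably never assigned on the path that leaves `ok` false.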


[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

New commits:
commit 31c3832b996acbf04ea833e304d7d21ac4533a57
Author: Albert Astals Cid 
Date:   Tue May 22 20:25:18 2018 +0200

LZWStream::getCode: Don't left shift negative values

it's undefined behaviour

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4f075c12..b6bfd838 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,7 +1445,9 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-inputBuf = (inputBuf << 8) | (c & 0xff);
+if (likely(inputBuf >= 0)) {
+inputBuf = (inputBuf << 8) | (c & 0xff);
+}
 inputBits += 8;
   }
   code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
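Review bot: The guard `if (likely(inputBuf >= 0))` skips appending the byte, but the following `inputBits += 8;` still runs, so once `inputBuf` goes negative the bit counter and the buffer contents drift apart and every later `getCode()` returns wrong codes; that is why the change breaks decoding and is reverted by commit 58e056c4 above. The undefined shift is better removed by making `inputBuf` unsigned than by dropping input.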


[poppler] poppler/Gfx.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Gfx.cc |1 +
 1 file changed, 1 insertion(+)

New commits:
commit 2c0a0b07fdb2c76487ca4af7b2f50da9904c6c23
Author: Albert Astals Cid 
Date:   Tue May 22 20:15:39 2018 +0200

Gfx::doImage: Fix memory leak on malformed documents

fixes oss-fuzz/8452

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index bed1dc4b..e0ccb4c2 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4455,6 +4455,7 @@ void Gfx::doImage(Object *ref, Stream *str, GBool 
inlineImg) {
   }
   maskColorSpace = GfxColorSpace::parse(nullptr, &obj1, out, state);
   if (!maskColorSpace || maskColorSpace->getMode() != csDeviceGray) {
+   delete maskColorSpace;
goto err1;
   }
   obj1 = maskDict->lookup("Decode");
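Review bot: `delete maskColorSpace;` before `goto err1;` is safe when `parse` returns nullptr, since deleting a null pointer is a no-op, but please confirm that the `err1` cleanup does not also delete `maskColorSpace` (that would now be a double free) and that the pointer is not reused afterwards. Setting it to nullptr right after the delete would make this robust regardless of what `err1` does.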


[poppler] poppler/SplashOutputDev.cc

2018-05-22 Thread Albert Astals Cid
 poppler/SplashOutputDev.cc |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit ace7ca3e0dd1570ef6804c0f054742b2996b9b9f
Author: Albert Astals Cid 
Date:   Tue May 22 20:10:01 2018 +0200

SplashAxialPattern: fix potential divide by zero

diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index a19e8c66..140917d3 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -453,7 +453,12 @@ SplashAxialPattern::SplashAxialPattern(SplashColorMode 
colorModeA, GfxState *sta
   shadingA->getCoords(&x0, &y0, &x1, &y1);
   dx = x1 - x0;
   dy = y1 - y0;
-  mul = 1 / (dx * dx + dy * dy);
+  const double mul_denominator = (dx * dx + dy * dy);
+  if (unlikely(mul_denominator == 0)) {
+mul = 0;
+  } else {
+mul = 1 / mul_denominator;
+  }
   shadingA->getColorSpace()->getDefaultColor(&srcColor);
   convertGfxColor(defaultColor, colorModeA, shadingA->getColorSpace(), 
&srcColor);
 }
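Review bot: `mul_denominator == 0` only catches the exact-zero case; axis endpoints that differ by a subnormal amount still yield an enormous `mul` and the same overflow downstream. If the intent is to treat a degenerate axis (x0,y0 equal to x1,y1) as a no-op gradient, a small-epsilon comparison or a check on `dx`/`dy` directly is more robust, and a one-line comment on why `mul = 0` is the right fallback would help the next reader.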


[poppler] poppler/GfxState.cc

2018-05-22 Thread Albert Astals Cid
 poppler/GfxState.cc |8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

New commits:
commit 3b8634e744aa5ba3b317fd3378ba07a438826827
Author: Albert Astals Cid 
Date:   Tue May 22 20:07:50 2018 +0200

GfxAxialShading::getParameterRange: Fix potential divide by zero

fixes oss-fuzz/8436

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 97c6d0d1..21c09c8f 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4176,7 +4176,13 @@ void GfxAxialShading::getParameterRange(double *lower, 
double *upper,
 
   pdx = x1 - x0;
   pdy = y1 - y0;
-  invsqnorm = 1.0 / (pdx * pdx + pdy * pdy);
+  const double invsqnorm_denominator = (pdx * pdx + pdy * pdy);
+  if (unlikely(invsqnorm_denominator == 0)) {
+*lower = 0;
+*upper = 0;
+return;
+  }
+  invsqnorm = 1.0 / invsqnorm_denominator;
   pdx *= invsqnorm;
   pdy *= invsqnorm;
 
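Review bot: Writing `*lower = 0; *upper = 0;` on a degenerate axis gives the caller no way to tell "empty parameter range" from "shading skipped"; if callers compare `lower < upper` before drawing this is fine, otherwise a documented sentinel or a boolean result would be clearer. The exact equality test on doubles has the same limitation as the other divide-by-zero fixes in this batch.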


[poppler] poppler/Function.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Function.cc |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit 91079d4f482b35f190a4f2bbd9f4fb6a8ad7c2a2
Author: Albert Astals Cid 
Date:   Tue May 22 20:01:56 2018 +0200

SampledFunction: Fix potential divide by zero

fixes oss-fuzz/8455

diff --git a/poppler/Function.cc b/poppler/Function.cc
index 5437de35..39c09671 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010, 2013-2015, 2017 Albert Astals Cid 

+// Copyright (C) 2006, 2008-2010, 2013-2015, 2017, 2018 Albert Astals Cid 

 // Copyright (C) 2006 Jeff Muizelaar 
 // Copyright (C) 2010 Christian Feuers�nger 
 // Copyright (C) 2011 Andrea Canciani 
@@ -321,6 +321,10 @@ SampledFunction::SampledFunction(Object *funcObj, Dict 
*dict) {
 }
   }
   for (i = 0; i < m; ++i) {
+if (unlikely((domain[i][1] - domain[i][0]) == 0)) {
+  error(errSyntaxError, -1, "Illegal value in function domain array");
+  return;
+}
 inputMul[i] = (encode[i][1] - encode[i][0]) /
   (domain[i][1] - domain[i][0]);
   }
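Review bot: The `return;` from the constructor after `error(...)` leaves the object half-initialised, and the hunk shows no `ok = gFalse;` (or equivalent) before it. If the constructor signals failure through a flag on its other error paths, this path needs the same, otherwise the caller will use a SampledFunction whose `inputMul[]` was never filled.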


[poppler] poppler/GfxState.cc

2018-05-22 Thread Albert Astals Cid
 poppler/GfxState.cc |   20 
 1 file changed, 16 insertions(+), 4 deletions(-)

New commits:
commit 6169bfb1ecd289a8235be0b8884a550f5d1ad926
Author: Albert Astals Cid 
Date:   Tue May 22 19:56:34 2018 +0200

GfxState.cc: Fix potential division by zero

fixes oss-fuzz/8465

diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 5d7cc6ba..97c6d0d1 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -72,9 +72,13 @@
 
 GBool Matrix::invertTo(Matrix *other) const
 {
-  double det;
+  const double det_denominator = determinant();
+  if (unlikely(det_denominator == 0)) {
+  *other = {1, 0, 0, 1, 0, 0};
+  return gFalse;
+  }
 
-  det = 1 / determinant();
+  const double det = 1 / det_denominator;
   other->m[0] = m[3] * det;
   other->m[1] = -m[1] * det;
   other->m[2] = -m[2] * det;
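Review bot: Returning `gFalse` and writing the identity into `*other` is reasonable, but the identity fallback can hide the failure at call sites that ignore the return value; a pass over callers of `invertTo` that discard the result would be a good follow-up. As elsewhere in this series, `det_denominator == 0` is an exact comparison and nearly-singular matrices still produce a huge `det`.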
@@ -6745,10 +6749,18 @@ void GfxState::setPath(GfxPath *pathA) {
 void GfxState::getUserClipBBox(double *xMin, double *yMin,
   double *xMax, double *yMax) {
   double ictm[6];
-  double xMin1, yMin1, xMax1, yMax1, det, tx, ty;
+  double xMin1, yMin1, xMax1, yMax1, tx, ty;
 
   // invert the CTM
-  det = 1 / (ctm[0] * ctm[3] - ctm[1] * ctm[2]);
+  const double det_denominator = (ctm[0] * ctm[3] - ctm[1] * ctm[2]);
+  if (unlikely(det_denominator == 0)) {
+  *xMin = 0;
+  *yMin = 0;
+  *xMax = 0;
+  *yMax = 0;
+  return;
+  }
+  const double det = 1 / det_denominator;
   ictm[0] = ctm[3] * det;
   ictm[1] = -ctm[1] * det;
   ictm[2] = -ctm[2] * det;
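Review bot: `getUserClipBBox` has no status return, so the zeroed bbox written on a singular CTM is indistinguishable from a genuine empty clip at the origin; a short comment at the early return stating that callers receive an empty box in that case, or a `GBool` result, would make the contract explicit. Dropping `det` from the declaration list and re-declaring it `const` at the point of use is a nice tidy-up.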


[poppler] poppler/Parser.cc

2018-05-22 Thread Albert Astals Cid
Rebased ref, commits from common ancestor:
commit 0868c499a9f5f37f8df5c9fef03c37496b40fc8a
Author: Albert Astals Cid 
Date:   Tue May 22 19:42:38 2018 +0200

Parser::makeStream: Fix potential integer overflow

diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 869e94ad..7ed297cb 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid 

+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017, 2018 Albert Astals 
Cid 
 // Copyright (C) 2006 Krzysztof Kowalczyk 
 // Copyright (C) 2009 Ilya Gorenbein 
 // Copyright (C) 2012 Hib Eris 
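Review bot: The year list on the touched copyright line contains a stray `201,` that is clearly a typo; since the line is being rewritten anyway, drop it. (The line is also shown wrapped across two lines here, which looks like mail formatting rather than a change to the source.)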
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
   pos = pos - 1;
   lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
   }
+  if (unlikely(pos > LONG_LONG_MAX - length)) {
+  return nullptr;
+  }
   lexer->setPos(pos + length);
 
   // refill token buffers and check for 'endstream'
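Review bot: The check `pos > LONG_LONG_MAX - length` assumes `length` is non-negative; for a negative `length` the subtraction itself overflows and the guard misses the case it is meant to catch. A `length < 0` rejection belongs in front of it, which is what commit 942a426f in this batch adds.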


[poppler] poppler/Parser.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Parser.cc |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 12adb97e5a0e28434dfdf94edf52bb3a92aa3910
Author: Albert Astals Cid 
Date:   Tue May 22 19:42:38 2018 +0200

Parser::makeStream: Fix potential integer overflow

diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 869e94ad..8ebe7b89 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid 

+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017, 2018 Albert Astals 
Cid 
 // Copyright (C) 2006 Krzysztof Kowalczyk 
 // Copyright (C) 2009 Ilya Gorenbein 
 // Copyright (C) 2012 Hib Eris 
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
   pos = pos - 1;
   lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
   }
+  if (unlikely((pos > LONG_LONG_MAX - length)) {
+  return nullptr;
+  }
   lexer->setPos(pos + length);
 
   // refill token buffers and check for 'endstream'
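Review bot: `if (unlikely((pos > LONG_LONG_MAX - length)) {` has unbalanced parentheses (three opening, two closing) and will not compile; the rebased commit 0868c499 above carries the corrected `if (unlikely(pos > LONG_LONG_MAX - length)) {`.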


[poppler] poppler/XRef.cc

2018-05-22 Thread Albert Astals Cid
 poppler/XRef.cc |7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

New commits:
commit dbe330678766d1260d7f595d238e90aeae1194d6
Author: Albert Astals Cid 
Date:   Tue May 22 19:31:34 2018 +0200

XRef::constructXRef: Prevent overflow when calculating newSize

fixes oss-fuzz/8421

diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 25bc18a4..089c2eb2 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -866,7 +866,6 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool 
needCatalogDict) {
   char buf[256];
   Goffset pos;
   int num, gen;
-  int newSize;
   int streamEndsSize;
   char *p;
   GBool gotRoot;
@@ -961,7 +960,11 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool 
needCatalogDict) {
  while (*p && isspace(*p & 0xff)) ++p;
  if (!strncmp(p, "obj", 3)) {
if (num >= size) {
- newSize = (num + 1 + 255) & ~255;
+ if (unlikely(num >= INT_MAX - 1 - 255)) {
+   error(errSyntaxError, -1, "Bad object number");
+   return gFalse;
+ }
+ const int newSize = (num + 1 + 255) & ~255;
  if (newSize < 0) {
error(errSyntaxError, -1, "Bad object number");
return gFalse;
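Review bot: With the new `num >= INT_MAX - 1 - 255` rejection in place, `newSize = (num + 1 + 255) & ~255` can no longer overflow, so the `if (newSize < 0)` branch that follows is now dead code and can be removed (or turned into an assertion) rather than leaving two checks that report the same "Bad object number" error. `INT_MAX` needs `<climits>`; worth confirming XRef.cc already includes it.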


[poppler] poppler/Decrypt.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Decrypt.cc |   14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

New commits:
commit 224dda4d292a097866f109a9d2cec4b3ba78eb97
Author: Albert Astals Cid 
Date:   Tue May 22 19:17:20 2018 +0200

Fix out of bounds write in BaseCryptStream

fixes oss-fuzz/8420

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index bf858cec..d4ce0ce3 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -321,12 +321,14 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar 
*fileKey, CryptAlgorithm a
   }
   switch (algo) {
   case cryptRC4:
-objKey[keyLength] = objNum & 0xff;
-objKey[keyLength + 1] = (objNum >> 8) & 0xff;
-objKey[keyLength + 2] = (objNum >> 16) & 0xff;
-objKey[keyLength + 3] = objGen & 0xff;
-objKey[keyLength + 4] = (objGen >> 8) & 0xff;
-md5(objKey, keyLength + 5, objKey);
+if (likely(keyLength < (sizeof(objKey) - 4))) {
+  objKey[keyLength] = objNum & 0xff;
+  objKey[keyLength + 1] = (objNum >> 8) & 0xff;
+  objKey[keyLength + 2] = (objNum >> 16) & 0xff;
+  objKey[keyLength + 3] = objGen & 0xff;
+  objKey[keyLength + 4] = (objGen >> 8) & 0xff;
+  md5(objKey, keyLength + 5, objKey);
+}
 if ((objKeyLength = keyLength + 5) > 16) {
   objKeyLength = 16;
 }
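Review bot: When `keyLength >= sizeof(objKey) - 4` the guarded block is skipped but execution continues: `objKeyLength` is still computed and the stream goes on to use an `objKey` whose object-specific bytes and MD5 were never written, i.e. a stale or uninitialised key. A key length that large is malformed input, so failing the constructor (or setting an `ok` flag the caller checks) would be safer than silently decrypting with the wrong key. Note also that `keyLength` is compared against a `size_t` here, which is the signed/unsigned warning the follow-up commit addresses.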


[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |1 +
 1 file changed, 1 insertion(+)

New commits:
commit 0c0c368fed70c1db64ce04b135fd5b060a1f0653
Author: Albert Astals Cid 
Date:   Tue May 22 18:26:29 2018 +0200

LZWStream::clearTable: init newChar to 0

it should not be needed because on well formed streams it will be properly 
initialized in processNextCode but
this solves an uninitialized memory use on malformed documents

fixes oss-fuzz/8457

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 15a6a9f9..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1435,6 +1435,7 @@ void LZWStream::clearTable() {
   nextBits = 9;
   seqIndex = seqLength = 0;
   first = gTrue;
+  newChar = 0;
 }
 
 int LZWStream::getCode() {


[poppler] splash/Splash.cc

2018-05-22 Thread Albert Astals Cid
 splash/Splash.cc |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit e7f59e39a0aca2a8a363fc0edcf25fb5aaada7a5
Author: Albert Astals Cid 
Date:   Tue May 22 18:22:29 2018 +0200

Splash::scaleMaskYuXu: Fix crash on malformed files

fixes oss-fuzz/8435
fixes oss-fuzz/8441

diff --git a/splash/Splash.cc b/splash/Splash.cc
index ca5c99d0..fc92bc18 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005-2017 Albert Astals Cid 
+// Copyright (C) 2005-2018 Albert Astals Cid 
 // Copyright (C) 2005 Marco Pesenti Gritti 
 // Copyright (C) 2010-2016 Thomas Freitag 
 // Copyright (C) 2010 Christian Feuersänger 
@@ -3550,6 +3550,11 @@ void Splash::scaleMaskYuXu(SplashImageMaskSource src, 
void *srcData,
 return;
   }
 
+  if (unlikely(srcWidth <= 0)) {
+error(errSyntaxError, -1, "srcWidth <= 0 in Splash::scaleMaskYuXu");
+return;
+  }
+
   // Bresenham parameters for y scale
   yp = scaledHeight / srcHeight;
   yq = scaledHeight % srcHeight;
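Review bot: The guard covers `srcWidth`, but the lines immediately below divide by `srcHeight` (`yp = scaledHeight / srcHeight;`); the early `return;` in the context above presumably handles that, but its condition is not visible in this hunk, so it is worth confirming `srcHeight <= 0` is rejected on the same path. Including the actual value in the `srcWidth <= 0` error message would help triage of fuzzer reports.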


[poppler] poppler/GlobalParams.cc

2018-05-22 Thread Albert Astals Cid
 poppler/GlobalParams.cc |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 547f19cd420f2d579d921620545e6496adb6a9fb
Author: Albert Astals Cid 
Date:   Tue May 22 18:17:58 2018 +0200

Fix crash in "generic" GlobalParams::findSystemFontFile

Not very important since we usually either use the fontconfig or the 
windows one

fixes oss-fuzz/8427

diff --git a/poppler/GlobalParams.cc b/poppler/GlobalParams.cc
index 2d8ecad7..6d8941ea 100644
--- a/poppler/GlobalParams.cc
+++ b/poppler/GlobalParams.cc
@@ -1296,9 +1296,12 @@ GooString *GlobalParams::findSystemFontFile(GfxFont 
*font,
   SysFontInfo *fi;
   GooString *path;
 
+  const GooString *fontName = font->getName();
+  if (!fontName) return nullptr;
+
   path = NULL;
   lockGlobalParams;
-  if ((fi = sysFonts->find(font->getName(), font->isFixedWidth(), gFalse))) {
+  if ((fi = sysFonts->find(fontName, font->isFixedWidth(), gFalse))) {
 path = fi->path->copy();
 *type = fi->type;
 *fontNum = fi->fontNum;
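Review bot: The early `return nullptr;` happens before `lockGlobalParams`, so no lock is held, but it also leaves the out-parameters `*type` and `*fontNum` untouched; callers must treat a nullptr return as "nothing set" and not read those. A one-line comment at the check saying so would prevent a later caller from reading uninitialised values. The nearby `path = NULL;` could become `nullptr` for consistency with the new line.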


[poppler] poppler/Gfx.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Gfx.cc |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

New commits:
commit d1d8dea64db53fb151fede27efd5fd3308820a51
Author: Albert Astals Cid 
Date:   Tue May 22 18:13:19 2018 +0200

Fix memory leak on malformed files

fixes oss-fuzz/8430

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index a4d12a70..bed1dc4b 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1223,15 +1223,13 @@ void Gfx::opSetExtGState(Object args[], int numArgs) {
  }
  doSoftMask(&obj3, alpha, blendingColorSpace,
 isolated, knockout, funcs[0], &backdropColor);
- if (funcs[0]) {
-   delete funcs[0];
- }
} else {
  error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState - 
missing group");
}
   } else {
error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState - 
missing group");
   }
+  delete funcs[0];
 } else if (!obj2.isNull()) {
   error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState");
 }
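Review bot: Moving `delete funcs[0];` to the common path makes it run on the error branches too, which is only safe if `funcs[0]` is initialised to nullptr on every path that reaches here (for example when the function failed to parse) and if `doSoftMask` does not take ownership of it; neither is visible in this hunk, so please confirm both. If `funcs` holds more than one entry, the others may need the same treatment.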