Re: [poppler] poppler/Stream.cc
Hello, maybe the simplest solution would to turn inputBuf into an unsigned int and convert to signed int after extracting the bits out of it?
Best regards, Adam
Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
> poppler/Stream.cc |4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> New commits:
> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> Author: Albert Astals Cid
> Date: Wed May 23 00:23:19 2018 +0200
>
> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
>
> So shifting left negative values is undefined behaviour according to the
> spec but if we don't do it we break, so we seem to be depending on this
> undefined behaviour, will try to figure out a better fix
>
> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> index b6bfd838..4f075c12 100644
> --- a/poppler/Stream.cc
> +++ b/poppler/Stream.cc
> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
>while (inputBits < nextBits) {
> if ((c = str->getChar()) == EOF)
>return EOF;
> -if (likely(inputBuf >= 0)) {
> -inputBuf = (inputBuf << 8) | (c & 0xff);
> -}
> +inputBuf = (inputBuf << 8) | (c & 0xff);
> inputBits += 8;
>}
>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
> ___
> poppler mailing list
> poppler@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler
> signature.asc Description: OpenPGP digital signature
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Decrypt.cc
poppler/Decrypt.cc |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 3ca2d43b7ddcca08bc026c6564f89ffbe0dde506
Author: Albert Astals Cid
Date: Wed May 23 00:27:08 2018 +0200
warning--
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index d4ce0ce3..83d18824 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -321,7 +321,7 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm a
 }
 switch (algo) {
 case cryptRC4:
-if (likely(keyLength < (sizeof(objKey) - 4))) {
+if (likely(keyLength < static_cast(sizeof(objKey) - 4))) {
 objKey[keyLength] = objNum & 0xff;
 objKey[keyLength + 1] = (objNum >> 8) & 0xff;
 objKey[keyLength + 2] = (objNum >> 16) & 0xff;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
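Review bot: The guard `keyLength < static_cast(sizeof(objKey) - 4)` (the cast's template argument appears to have been stripped by the archive rendering, presumably `static_cast<int>`) now compares as signed, so a negative keyLength passes it and the writes that follow index objKey below its start. Unless keyLength is checked for non-negativity before this constructor runs (not visible in the hunk), the condition should read `keyLength >= 0 && keyLength < static_cast<int>(sizeof(objKey) - 4)`. The rest of BaseCryptStream's constructor is outside the hunk.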
[poppler] poppler/Stream.cc
poppler/Stream.cc |4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
New commits:
commit 58e056c4b15f262b7715f8061d6885eb80044d0d
Author: Albert Astals Cid
Date: Wed May 23 00:23:19 2018 +0200
Revert 31c3832b996acbf04ea833e304d7d21ac4533a57

So shifting left negative values is undefined behaviour according to the
spec but if we don't do it we break, so we seem to be depending on this
undefined behaviour, will try to figure out a better fix
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index b6bfd838..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
 while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
 return EOF;
-if (likely(inputBuf >= 0)) {
-inputBuf = (inputBuf << 8) | (c & 0xff);
-}
+inputBuf = (inputBuf << 8) | (c & 0xff);
 inputBits += 8;
 }
 code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
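Review bot: Restoring `inputBuf = (inputBuf << 8) | (c & 0xff)` brings back a signed left shift on a buffer that is never cleared of already-consumed bits, so after enough input the sign bit is set and the shift is undefined, and the `>>` on the following line becomes implementation-defined for a negative value. Because a code takes at most nextBits bits and at most seven unconsumed bits remain after extraction, masking the buffer to its live bits after the code is taken, e.g. `inputBuf &= (1 << inputBits) - 1;` placed after the `inputBits -= nextBits` that presumably follows, keeps the value non-negative without changing its type. The remainder of getCode() including that subtraction is outside the hunk, so the exact placement needs confirming.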
[poppler] poppler/Gfx.cc
poppler/Gfx.cc |7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
New commits:
commit a6c2eb671f08beb682e086d5f6791fdb78906a7c
Author: Albert Astals Cid
Date: Tue May 22 22:12:03 2018 +0200
Make sure dash[i] is intialized even if obj is not a number fixes oss-fuzz/8462
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index e0ccb4c2..01ededcd 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -947,11 +947,10 @@ void Gfx::opSetDash(Object args[], int numArgs) {
 dash = nullptr;
 } else {
 dash = (double *)gmallocn(length, sizeof(double));
+bool dummyOk;
 for (i = 0; i < length; ++i) {
- Object obj = a->get(i);
- if (obj.isNum()) {
- dash[i] = obj.getNum();
- }
+ const Object obj = a->get(i);
+ dash[i] = obj.getNum(&dummyOk);
 }
 }
 state->setLineDash(dash, length, args[1].getNum());
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
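Review bot: `dash[i] = obj.getNum(&dummyOk)` discards the success flag, so a dash array containing a non-numeric entry is now accepted without any diagnostic; the name `dummyOk` makes the omission deliberate but leaves malformed input invisible to the user. Checking it costs one line, `if (unlikely(!dummyOk)) error(errSyntaxError, getPos(), "Invalid dash array entry");` (error with getPos() is how this file reports other operand problems), after which the variable can simply be `ok`. What getNum(bool*) stores in its return value on failure is not visible here; the commit message implies it is a defined value. opSetDash continues beyond the hunk.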
[poppler] poppler/Hints.cc
poppler/Hints.cc |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 083bfa59378be1c008cb6543f7e9bebde29a4079
Author: Albert Astals Cid
Date: Tue May 22 22:01:35 2018 +0200
nBitsDiffObjects can only be 32 as per spec fixes oss-fuzz/8464
diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 2f5fec6c..ecee0468 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -5,7 +5,7 @@
 // This file is licensed under the GPLv2 or later
 //
 // Copyright 2010, 2012 Hib Eris
-// Copyright 2010, 2011, 2013, 2014, 2016, 2017 Albert Astals Cid
+// Copyright 2010, 2011, 2013, 2014, 2016-2018 Albert Astals Cid
 // Copyright 2010, 2013 Pino Toscano
 // Copyright 2013 Adrian Johnson
 // Copyright 2014 Fabio D'Urso
@@ -258,6 +258,11 @@ GBool Hints::readPageOffsetTable(Stream *str)
 if (objectOffsetFirst >= hintsOffset) objectOffsetFirst += hintsLength;
 nBitsDiffObjects = sbr.readBits(16);
+ if (nBitsDiffObjects > 32) {
+error(errSyntaxWarning, -1, "Invalid number of bits needed to represent the difference between the greatest and least number of objects in a page");
+nPages = 0;
+return gFalse;
+ }
 pageLengthLeast = sbr.readBits(32);
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
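Review bot: The new bound `nBitsDiffObjects > 32` in readPageOffsetTable carries no comment saying where 32 comes from, and nothing in the hunk lets a reader check it; a one-line comment such as `// this width is later handed to readBits(); more than 32 bits cannot fit the int it is read into` (assuming that is the reason, which the commit message only implies) would make the limit reviewable. If the other bit-width fields of the same table, read elsewhere in this routine, need a similar bound, that is outside the hunk. The copyright hunk above needs nothing.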
[poppler] poppler/Parser.cc
poppler/Parser.cc |3 +++
1 file changed, 3 insertions(+)
New commits:
commit 942a426f2844b66758b6b443234c3686d61420cc
Author: Albert Astals Cid
Date: Tue May 22 21:41:51 2018 +0200
Parser::makeStream: Make sure length is not negative fixes oss-fuzz/8469
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 7ed297cb..ce91e325 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
 pos = pos - 1;
 lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
 }
+ if (unlikely(length < 0)) {
+ return nullptr;
+ }
 if (unlikely(pos > LONG_LONG_MAX - length)) {
 return nullptr;
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
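Review bot: `if (unlikely(length < 0)) { return nullptr; }` is a second silent bail-out placed directly in front of an identical one, and a negative /Length is a syntax error that this path now drops without any diagnostic. Combining them and reporting once, `if (unlikely(length < 0 || pos > LONG_LONG_MAX - length)) { error(errSyntaxError, -1, "Invalid stream length"); return nullptr; }`, keeps the overflow check safe (the `||` short-circuits before the subtraction sees a negative length) and tells the user why the stream vanished. Whether makeStream has a position to pass instead of -1 is not visible in the hunk, and the function continues beyond it.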
[poppler] poppler/SecurityHandler.cc
poppler/SecurityHandler.cc |3 +++
1 file changed, 3 insertions(+)
New commits:
commit bf03344ad26b1227b5052420feabe062441c02ed
Author: Albert Astals Cid
Date: Tue May 22 20:36:05 2018 +0200
StandardSecurityHandler::isUnencrypted: Fix uninitialized memory use fixes oss-fuzz/8426
diff --git a/poppler/SecurityHandler.cc b/poppler/SecurityHandler.cc
index a643f45f..bdfd89f8 100644
--- a/poppler/SecurityHandler.cc
+++ b/poppler/SecurityHandler.cc
@@ -315,6 +315,9 @@ StandardSecurityHandler::~StandardSecurityHandler() {
 }
 GBool StandardSecurityHandler::isUnencrypted() {
+ if (!ok) {
+return gTrue;
+ }
 return encVersion == -1 && encRevision == -1;
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
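Review bot: Returning gTrue from isUnencrypted() when `ok` is false answers "unencrypted" for a document whose encryption dictionary could not be parsed, which is the fail-open choice; if any caller uses the answer to decide that authentication can be skipped (not visible here), a malformed dictionary takes the unencrypted path. If the intent is only to avoid reading encVersion and encRevision, which the commit message says were never set, that deserves a comment at the new lines, e.g. `// construction failed: encVersion/encRevision are unset, so do not read them`, and gFalse should be considered if callers treat the result as an authorization decision. The rest of the class is outside the hunk.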
[poppler] poppler/Stream.cc
poppler/Stream.cc |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 31c3832b996acbf04ea833e304d7d21ac4533a57
Author: Albert Astals Cid
Date: Tue May 22 20:25:18 2018 +0200
LZWStream::getCode: Don't left shift negative values it's undefined behaviour
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4f075c12..b6bfd838 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,7 +1445,9 @@ int LZWStream::getCode() {
 while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
 return EOF;
-inputBuf = (inputBuf << 8) | (c & 0xff);
+if (likely(inputBuf >= 0)) {
+inputBuf = (inputBuf << 8) | (c & 0xff);
+}
 inputBits += 8;
 }
 code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
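Review bot: Skipping the append when `inputBuf < 0` but still executing `inputBits += 8` desynchronizes the bit buffer from the stream: the byte just read is dropped yet counted, so every code extracted afterwards comes from stale bits and the decoded data is silently wrong. A guard that cannot keep the byte should fail the read instead, e.g. `if (unlikely(inputBuf < 0)) return EOF;` before the shift, or the buffer should be kept below the sign bit by masking off consumed bits so the condition never triggers on valid input. The end of getCode() is outside the hunk.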
[poppler] poppler/Gfx.cc
poppler/Gfx.cc |1 +
1 file changed, 1 insertion(+)
New commits:
commit 2c0a0b07fdb2c76487ca4af7b2f50da9904c6c23
Author: Albert Astals Cid
Date: Tue May 22 20:15:39 2018 +0200
Gfx::doImage: Fix memory leak on malformed documents fixes oss-fuzz/8452
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index bed1dc4b..e0ccb4c2 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4455,6 +4455,7 @@ void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
 }
 maskColorSpace = GfxColorSpace::parse(nullptr, &obj1, out, state);
 if (!maskColorSpace || maskColorSpace->getMode() != csDeviceGray) {
+ delete maskColorSpace;
 goto err1;
 }
 obj1 = maskDict->lookup("Decode");
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
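Review bot: `delete maskColorSpace;` is immediately followed by `goto err1;` while the pointer still holds the freed address; if the err1 path or any later cleanup also deletes maskColorSpace (not visible in the hunk), that is a double free, and a null pointer is the conventional guard against it. Writing `delete maskColorSpace; maskColorSpace = nullptr;` costs nothing and makes the jump safe regardless of what err1 does. doImage continues well beyond the hunk.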
[poppler] poppler/SplashOutputDev.cc
poppler/SplashOutputDev.cc |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit ace7ca3e0dd1570ef6804c0f054742b2996b9b9f
Author: Albert Astals Cid
Date: Tue May 22 20:10:01 2018 +0200
SplashAxialPattern: fix potential divide by zero
diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index a19e8c66..140917d3 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -453,7 +453,12 @@ SplashAxialPattern::SplashAxialPattern(SplashColorMode colorModeA, GfxState *sta
 shadingA->getCoords(&x0, &y0, &x1, &y1);
 dx = x1 - x0;
 dy = y1 - y0;
- mul = 1 / (dx * dx + dy * dy);
+ const double mul_denominator = (dx * dx + dy * dy);
+ if (unlikely(mul_denominator == 0)) {
+mul = 0;
+ } else {
+mul = 1 / mul_denominator;
+ }
 shadingA->getColorSpace()->getDefaultColor(&srcColor);
 convertGfxColor(defaultColor, colorModeA, shadingA->getColorSpace(), &srcColor);
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
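Review bot: `mul_denominator == 0` catches only an exact zero: a denormal `dx * dx + dy * dy` still makes `1 / mul_denominator` infinite, and a NaN coordinate (should getCoords ever yield one) passes the test and propagates into mul, so the division is guarded against one of three ways it can go wrong. Testing the result instead, `mul = 1 / mul_denominator; if (unlikely(!std::isfinite(mul))) mul = 0;`, covers all of them with the same fallback (`<cmath>` is needed if the file does not already include it). The same exact-zero test appears in GfxAxialShading::getParameterRange, Matrix::invertTo and GfxState::getUserClipBBox in the GfxState.cc commits further down this page; the rest of this constructor is outside the hunk.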
[poppler] poppler/GfxState.cc
poppler/GfxState.cc |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
New commits:
commit 3b8634e744aa5ba3b317fd3378ba07a438826827
Author: Albert Astals Cid
Date: Tue May 22 20:07:50 2018 +0200
GfxAxialShading::getParameterRange: Fix potential divide by zero fixes oss-fuzz/8436
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 97c6d0d1..21c09c8f 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -4176,7 +4176,13 @@ void GfxAxialShading::getParameterRange(double *lower, double *upper,
 pdx = x1 - x0;
 pdy = y1 - y0;
- invsqnorm = 1.0 / (pdx * pdx + pdy * pdy);
+ const double invsqnorm_denominator = (pdx * pdx + pdy * pdy);
+ if (unlikely(invsqnorm_denominator == 0)) {
+*lower = 0;
+*upper = 0;
+return;
+ }
+ invsqnorm = 1.0 / invsqnorm_denominator;
 pdx *= invsqnorm;
 pdy *= invsqnorm;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Function.cc
poppler/Function.cc |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
New commits:
commit 91079d4f482b35f190a4f2bbd9f4fb6a8ad7c2a2
Author: Albert Astals Cid
Date: Tue May 22 20:01:56 2018 +0200
SampledFunction: Fix potential divide by zero fixes oss-fuzz/8455
diff --git a/poppler/Function.cc b/poppler/Function.cc
index 5437de35..39c09671 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010, 2013-2015, 2017 Albert Astals Cid
+// Copyright (C) 2006, 2008-2010, 2013-2015, 2017, 2018 Albert Astals Cid
 // Copyright (C) 2006 Jeff Muizelaar
 // Copyright (C) 2010 Christian Feuers�nger
 // Copyright (C) 2011 Andrea Canciani
@@ -321,6 +321,10 @@ SampledFunction::SampledFunction(Object *funcObj, Dict *dict) {
 }
 }
 for (i = 0; i < m; ++i) {
+if (unlikely((domain[i][1] - domain[i][0]) == 0)) {
+ error(errSyntaxError, -1, "Illegal value in function domain array");
+ return;
+}
 inputMul[i] = (encode[i][1] - encode[i][0]) / (domain[i][1] - domain[i][0]);
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
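Review bot: The early `return;` inside SampledFunction's constructor on a zero-width domain leaves the object depending on whatever `ok` flag the class maintains elsewhere; if `ok = gTrue` is assigned only at the very end of the constructor (the usual pattern in this code base, but not visible in the hunk) the bail-out is correct, otherwise a half-initialized function is handed to callers. A comment at the return, `// ok stays gFalse; the function must not be used`, would record that dependency. The exact `== 0` comparison also lets a denormal difference produce an infinite inputMul, the same float-compare gap as in the other divide-by-zero fixes in this series. The loop and the rest of the constructor are outside the hunk.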
[poppler] poppler/GfxState.cc
poppler/GfxState.cc | 20
1 file changed, 16 insertions(+), 4 deletions(-)
New commits:
commit 6169bfb1ecd289a8235be0b8884a550f5d1ad926
Author: Albert Astals Cid
Date: Tue May 22 19:56:34 2018 +0200
GfxState.cc: Fix potential division by zero fixes oss-fuzz/8465
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 5d7cc6ba..97c6d0d1 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -72,9 +72,13 @@ GBool Matrix::invertTo(Matrix *other) const {
- double det;
+ const double det_denominator = determinant();
+ if (unlikely(det_denominator == 0)) {
+ *other = {1, 0, 0, 1, 0, 0};
+ return gFalse;
+ }
- det = 1 / determinant();
+ const double det = 1 / det_denominator;
 other->m[0] = m[3] * det;
 other->m[1] = -m[1] * det;
 other->m[2] = -m[2] * det;
@@ -6745,10 +6749,18 @@ void GfxState::setPath(GfxPath *pathA) {
 void GfxState::getUserClipBBox(double *xMin, double *yMin, double *xMax, double *yMax) {
 double ictm[6];
- double xMin1, yMin1, xMax1, yMax1, det, tx, ty;
+ double xMin1, yMin1, xMax1, yMax1, tx, ty;
 // invert the CTM
- det = 1 / (ctm[0] * ctm[3] - ctm[1] * ctm[2]);
+ const double det_denominator = (ctm[0] * ctm[3] - ctm[1] * ctm[2]);
+ if (unlikely(det_denominator == 0)) {
+ *xMin = 0;
+ *yMin = 0;
+ *xMax = 0;
+ *yMax = 0;
+ return;
+ }
+ const double det = 1 / det_denominator;
 ictm[0] = ctm[3] * det;
 ictm[1] = -ctm[1] * det;
 ictm[2] = -ctm[2] * det;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Parser.cc
Rebased ref, commits from common ancestor:
commit 0868c499a9f5f37f8df5c9fef03c37496b40fc8a
Author: Albert Astals Cid
Date: Tue May 22 19:42:38 2018 +0200
Parser::makeStream: Fix potential integer overflow
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 869e94ad..7ed297cb 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid
+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017, 2018 Albert Astals Cid
 // Copyright (C) 2006 Krzysztof Kowalczyk
 // Copyright (C) 2009 Ilya Gorenbein
 // Copyright (C) 2012 Hib Eris
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
 pos = pos - 1;
 lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
 }
+ if (unlikely(pos > LONG_LONG_MAX - length)) {
+ return nullptr;
+ }
 lexer->setPos(pos + length);
 // refill token buffers and check for 'endstream'
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
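Review bot: `pos > LONG_LONG_MAX - length` only protects against overflow when `length` is non-negative; for a negative /Length the subtraction itself overflows, so the guard is undefined behaviour before `setPos(pos + length)` is ever reached, and the check wants `if (unlikely(length < 0 || pos > LONG_LONG_MAX - length)) {`. LONG_LONG_MAX is also a non-standard name; `LLONG_MAX` from `<climits>` or `std::numeric_limits<long long>::max()` says the same thing portably, assuming pos and length are long long (their declarations are outside the hunk). The copyright hunk needs nothing, and makeStream continues beyond the second hunk.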
[poppler] poppler/Parser.cc
poppler/Parser.cc |5 -
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 12adb97e5a0e28434dfdf94edf52bb3a92aa3910
Author: Albert Astals Cid
Date: Tue May 22 19:42:38 2018 +0200
Parser::makeStream: Fix potential integer overflow
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
index 869e94ad..8ebe7b89 100644
--- a/poppler/Parser.cc
+++ b/poppler/Parser.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017 Albert Astals Cid
+// Copyright (C) 2006, 2009, 201, 2010, 2013, 2014, 2017, 2018 Albert Astals Cid
 // Copyright (C) 2006 Krzysztof Kowalczyk
 // Copyright (C) 2009 Ilya Gorenbein
 // Copyright (C) 2012 Hib Eris
@@ -235,6 +235,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
 pos = pos - 1;
 lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
 }
+ if (unlikely((pos > LONG_LONG_MAX - length)) {
+ return nullptr;
+ }
 lexer->setPos(pos + length);
 // refill token buffers and check for 'endstream'
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
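Review bot: `if (unlikely((pos > LONG_LONG_MAX - length)) {` has an unmatched opening parenthesis, so the second hunk does not compile as posted; the intended line is `if (unlikely(pos > LONG_LONG_MAX - length)) {`. The same guard also assumes `length >= 0`, because a negative length makes `LONG_LONG_MAX - length` overflow before the comparison runs. makeStream continues beyond the hunk.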
[poppler] poppler/XRef.cc
poppler/XRef.cc |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
New commits:
commit dbe330678766d1260d7f595d238e90aeae1194d6
Author: Albert Astals Cid
Date: Tue May 22 19:31:34 2018 +0200
XRef::constructXRef: Prevent overflow when calculating newSize fixes oss-fuzz/8421
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 25bc18a4..089c2eb2 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -866,7 +866,6 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
 char buf[256];
 Goffset pos;
 int num, gen;
- int newSize;
 int streamEndsSize;
 char *p;
 GBool gotRoot;
@@ -961,7 +960,11 @@ GBool XRef::constructXRef(GBool *wasReconstructed, GBool needCatalogDict) {
 while (*p && isspace(*p & 0xff)) ++p;
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
- newSize = (num + 1 + 255) & ~255;
+ if (unlikely(num >= INT_MAX - 1 - 255)) {
+ error(errSyntaxError, -1, "Bad object number");
+ return gFalse;
+ }
+ const int newSize = (num + 1 + 255) & ~255;
 if (newSize < 0) {
 error(errSyntaxError, -1, "Bad object number");
 return gFalse;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
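Review bot: With `num >= INT_MAX - 1 - 255` rejected first, `newSize = (num + 1 + 255) & ~255` can no longer wrap, so the `if (newSize < 0)` test that follows in the second hunk is dead code, and leaving it suggests the overflow is still possible. Either drop it or mark it, e.g. `// unreachable after the INT_MAX guard above; kept as a belt-and-braces check`. The first hunk removes the function-scope `int newSize`, so the new block-scoped `const int newSize` must be its only remaining use; constructXRef runs far beyond both hunks, so that cannot be confirmed here.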
[poppler] poppler/Decrypt.cc
poppler/Decrypt.cc | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
New commits:
commit 224dda4d292a097866f109a9d2cec4b3ba78eb97
Author: Albert Astals Cid
Date: Tue May 22 19:17:20 2018 +0200
Fix out of bounds write in BaseCryptStream fixes oss-fuzz/8420
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index bf858cec..d4ce0ce3 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -321,12 +321,14 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm a
 }
 switch (algo) {
 case cryptRC4:
-objKey[keyLength] = objNum & 0xff;
-objKey[keyLength + 1] = (objNum >> 8) & 0xff;
-objKey[keyLength + 2] = (objNum >> 16) & 0xff;
-objKey[keyLength + 3] = objGen & 0xff;
-objKey[keyLength + 4] = (objGen >> 8) & 0xff;
-md5(objKey, keyLength + 5, objKey);
+if (likely(keyLength < (sizeof(objKey) - 4))) {
+ objKey[keyLength] = objNum & 0xff;
+ objKey[keyLength + 1] = (objNum >> 8) & 0xff;
+ objKey[keyLength + 2] = (objNum >> 16) & 0xff;
+ objKey[keyLength + 3] = objGen & 0xff;
+ objKey[keyLength + 4] = (objGen >> 8) & 0xff;
+ md5(objKey, keyLength + 5, objKey);
+}
 if ((objKeyLength = keyLength + 5) > 16) {
 objKeyLength = 16;
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
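Review bot: When `keyLength < (sizeof(objKey) - 4)` fails, the object-specific salt and the `md5()` step are skipped but execution falls through to `objKeyLength = keyLength + 5`, so the stream is set up with a key that was never derived and decrypts to garbage with no diagnostic. Since the key length comes from the document, the failure case should be reported and the stream marked unusable, e.g. `error(errSyntaxError, -1, "Invalid encryption key length");` plus whatever failure flag BaseCryptStream carries (outside the hunk), rather than silently continuing. If keyLength is a signed int, the comparison against size_t also draws a signed/unsigned warning and converts a negative value to a huge one, which happens to fail safe here but is worth an explicit `keyLength >= 0`.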
[poppler] poppler/Stream.cc
poppler/Stream.cc |1 +
1 file changed, 1 insertion(+)
New commits:
commit 0c0c368fed70c1db64ce04b135fd5b060a1f0653
Author: Albert Astals Cid
Date: Tue May 22 18:26:29 2018 +0200
LZWStream::clearTable: init newChar to 0 it should not be needed because on well formed streams it will be properly initialized in processNextCode but this solves an uninitialized memory use on malformed documents fixes oss-fuzz/8457
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 15a6a9f9..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1435,6 +1435,7 @@ void LZWStream::clearTable() {
 nextBits = 9;
 seqIndex = seqLength = 0;
 first = gTrue;
+ newChar = 0;
 }
 int LZWStream::getCode() {
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
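Review bot: `newChar = 0;` in clearTable() silences the uninitialized read rather than rejecting the malformed code sequence that causes it, and nothing in the source records that; a comment on the new line, `// only observed before processNextCode() assigns it, i.e. on malformed streams`, would stop a later cleanup from removing the initialization as redundant. The read itself lives in processNextCode(), outside the hunk, so whether that sequence can be detected and reported there cannot be judged from here.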
[poppler] splash/Splash.cc
splash/Splash.cc |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit e7f59e39a0aca2a8a363fc0edcf25fb5aaada7a5
Author: Albert Astals Cid
Date: Tue May 22 18:22:29 2018 +0200
Splash::scaleMaskYuXu: Fix crash on malformed files fixes oss-fuzz/8435 fixes oss-fuzz/8441
diff --git a/splash/Splash.cc b/splash/Splash.cc
index ca5c99d0..fc92bc18 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005-2017 Albert Astals Cid
+// Copyright (C) 2005-2018 Albert Astals Cid
 // Copyright (C) 2005 Marco Pesenti Gritti
 // Copyright (C) 2010-2016 Thomas Freitag
 // Copyright (C) 2010 Christian Feuersänger
@@ -3550,6 +3550,11 @@ void Splash::scaleMaskYuXu(SplashImageMaskSource src, void *srcData,
 return;
 }
+ if (unlikely(srcWidth <= 0)) {
+error(errSyntaxError, -1, "srcWidth <= 0 in Splash::scaleMaskYuXu");
+return;
+ }
+
 // Bresenham parameters for y scale
 yp = scaledHeight / srcHeight;
 yq = scaledHeight % srcHeight;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
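Review bot: The new `srcWidth <= 0` guard sits directly after an earlier `return;` whose condition is outside the hunk; the visible lines go on to divide by `srcHeight`, so that earlier check is presumably the matching `srcHeight <= 0` test, and the two would read better as one guard with one message, e.g. `if (unlikely(srcWidth <= 0 || srcHeight <= 0)) { error(errSyntaxError, -1, "invalid source size in Splash::scaleMaskYuXu"); return; }`. If the sibling scaleMask*/scaleImage* routines take the same parameters they need the same check; none of them is visible here, and the copyright hunk needs nothing.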
[poppler] poppler/GlobalParams.cc
poppler/GlobalParams.cc |5 -
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 547f19cd420f2d579d921620545e6496adb6a9fb
Author: Albert Astals Cid
Date: Tue May 22 18:17:58 2018 +0200
Fix crash in "generic" GlobalParams::findSystemFontFile Not very important since we usually either use the fontconfig or the windows one fixes oss-fuzz/8427
diff --git a/poppler/GlobalParams.cc b/poppler/GlobalParams.cc
index 2d8ecad7..6d8941ea 100644
--- a/poppler/GlobalParams.cc
+++ b/poppler/GlobalParams.cc
@@ -1296,9 +1296,12 @@ GooString *GlobalParams::findSystemFontFile(GfxFont *font,
 SysFontInfo *fi;
 GooString *path;
+ const GooString *fontName = font->getName();
+ if (!fontName) return nullptr;
+
 path = NULL;
 lockGlobalParams;
- if ((fi = sysFonts->find(font->getName(), font->isFixedWidth(), gFalse))) {
+ if ((fi = sysFonts->find(fontName, font->isFixedWidth(), gFalse))) {
 path = fi->path->copy();
 *type = fi->type;
 *fontNum = fi->fontNum;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
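Review bot: The early `if (!fontName) return nullptr;` is correctly placed before `lockGlobalParams`, but the very next line still writes `path = NULL;` while the added code uses nullptr; the function should settle on one, `path = nullptr;`. The out-parameters `*type` and `*fontNum` are left untouched on the new early return, which matches the no-match path only if callers test the returned path first (not visible here); a short comment on the return, `// unnamed font: nothing to look up`, would record why it is safe to skip them. findSystemFontFile continues beyond the hunk.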
[poppler] poppler/Gfx.cc
poppler/Gfx.cc |4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
New commits:
commit d1d8dea64db53fb151fede27efd5fd3308820a51
Author: Albert Astals Cid
Date: Tue May 22 18:13:19 2018 +0200
Fix memory leak on malformed files fixes oss-fuzz/8430
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index a4d12a70..bed1dc4b 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -1223,15 +1223,13 @@ void Gfx::opSetExtGState(Object args[], int numArgs) {
 }
 doSoftMask(&obj3, alpha, blendingColorSpace, isolated, knockout, funcs[0], &backdropColor);
- if (funcs[0]) {
- delete funcs[0];
- }
 } else {
 error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState - missing group");
 }
 } else {
 error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState - missing group");
 }
+ delete funcs[0];
 } else if (!obj2.isNull()) {
 error(errSyntaxError, getPos(), "Invalid soft mask in ExtGState");
 }
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler
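Review bot: `delete funcs[0];` is now reached on every branch of the soft-mask block, which closes the leak on the two error branches, but the pointer is left dangling; if funcs[0] is read or deleted again further down opSetExtGState (the function continues outside the hunk), that is a use after free, so `delete funcs[0]; funcs[0] = nullptr;` is the safe form. If funcs has more than one slot that can be populated (its declaration is not visible), the others would still leak.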