[poppler] poppler/GfxState.cc
poppler/GfxState.cc |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) New commits: commit a76c8fbd50a3a5cbe0487158e9d2b325e596d2c6 Author: Albert Astals Cid Date: Tue May 29 01:01:26 2018 +0200 GfxSeparationColorSpace::getRGB: ensure color2 doesn't have uninit values if alt->getNComps() is bigger than func->getOutputSize() (which is most likely a faulty file) we init those indexes of color2 with 0 fixes oss-fuzz/8586 diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc index 0ef42a43..ef5d287e 100644 --- a/poppler/GfxState.cc +++ b/poppler/GfxState.cc @@ -2816,9 +2816,15 @@ void GfxSeparationColorSpace::getRGB(GfxColor *color, GfxRGB *rgb) { } else { x = colToDbl(color->c[0]); func->transform(, c); -for (i = 0; i < alt->getNComps(); ++i) { +const int altNComps = alt->getNComps(); +for (i = 0; i < altNComps; ++i) { color2.c[i] = dblToCol(c[i]); } +if (unlikely(altNComps > func->getOutputSize())) { + for (i = func->getOutputSize(); i < altNComps; ++i) { + color2.c[i] = 0; + } +} alt->getRGB(, rgb); } } ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
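Review bot: The first loop in the new code still evaluates `dblToCol(c[i])` for indexes at or beyond `func->getOutputSize()`, so the unwritten tail of `c` is read before the added block overwrites the result with 0. Bounding the conversion loop avoids that read: `for (i = 0; i < altNComps && i < func->getOutputSize(); ++i)`, followed by an unconditional `for (; i < altNComps; ++i) color2.c[i] = 0;`. The declaration of `c` and the start of getRGB are outside the hunk, so this assumes `c` is a plain local array that only `func->transform` fills. Other conversions of this colour space that pass through `func->transform` may need the same bound, but they are not visible here.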
[poppler] poppler/JBIG2Stream.cc
poppler/JBIG2Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit e35fdb1448b7860d697b9c2ec8bda49c7a8a3ae5 Author: Albert Astals Cid Date: Tue May 29 00:59:22 2018 +0200 JBIG2Stream::readTextRegion: Initialize ds fixes oss-fuzz/8594 diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index fb0407a5..ebeb645e 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -2337,7 +2337,7 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, JBIG2Bitmap *bitmap; JBIG2Bitmap *symbolBitmap; Guint strips; - int t = 0, dt = 0, tt, s, ds, sFirst, j; + int t = 0, dt = 0, tt, s, ds = 0, sFirst, j; int rdw, rdh, rdx, rdy, ri = 0, refDX, refDY, bmSize; Guint symID, inst, bw, bh; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
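Review bot: Only `ds` gains an initialiser in this declaration; `tt`, `s`, `sFirst` and `j` on the same line, and `rdw`, `rdh`, `rdx`, `rdy`, `refDX`, `refDY` and `bmSize` on the next, stay indeterminate. Whether each of them is assigned before every read cannot be judged from the hunk, because the body of readTextRegion lies outside it. The fuzzer report suggests that some path reads `ds` without a decode step having written it, in which case the region is now processed with an offset of 0 rather than rejected. A comment on the declaration such as `// ds defaults to 0 so a failed decode cannot leave it indeterminate` would record the intent, and checking the decode result where `ds` is filled would be the stricter fix.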
[poppler] poppler/Gfx.cc
poppler/Gfx.cc |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) New commits: commit bb25c0d46f1f0e037805f0c6dde07f3ea9c9320c Author: Albert Astals Cid Date: Tue May 29 00:55:28 2018 +0200 Gfx::doRadialShFill: Initialize colorA, colorB and colorC fixes oss-fuzz/8587 diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 4183e4f7..572f435c 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -2903,7 +2903,7 @@ void Gfx::doRadialShFill(GfxRadialShading *shading) { double xMin, yMin, xMax, yMax; double x0, y0, r0, x1, y1, r1, t0, t1; int nComps; - GfxColor colorA, colorB; + GfxColor colorA = {}, colorB = {}, colorC = {}; double xa, ya, xb, yb, ra, rb; double ta, tb, sa, sb; double sz, xz, yz, sMin, sMax; @@ -3079,7 +3079,6 @@ void Gfx::doRadialShFill(GfxRadialShading *shading) { // same color does not mean all the areas in between have the same color too int ic = ia + 1; for (; ic <= ib; ic++) { - GfxColor colorC; const double sc = sMin + ((double)ic / (double)radialMaxSplits) * (sMax - sMin); const double tc = t0 + sc * (t1 - t0); getShadingColorRadialHelper(t0, t1, tc, shading, ); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
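Review bot: Hoisting `colorC` to function scope means it is zeroed once rather than on every pass of the `for (; ic <= ib; ic++)` loop, so from the second iteration on any component that `getShadingColorRadialHelper` does not write keeps the value left by the previous split. Keeping the declaration inside the loop and value-initialising it there, `GfxColor colorC = {};`, gives the same defined state on each iteration and keeps the variable's scope narrow. Whether the helper always fills every component that is later compared is not visible in these hunks. The body of doRadialShFill extends beyond both of them.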
[poppler] fofi/FoFiType1.cc
fofi/FoFiType1.cc |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) New commits: commit b8cf8b04cbd1c0c5643cc77ed7b0b60525ecf080 Author: Albert Astals Cid Date: Mon May 28 23:51:32 2018 +0200 FoFiType1::parse: Don't copy to buf more than the available file fixes oss-fuzz/8576 diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc index b38c2b4c..2806d92f 100644 --- a/fofi/FoFiType1.cc +++ b/fofi/FoFiType1.cc @@ -340,8 +340,10 @@ void FoFiType1::parse() { } else if (!gotMatrix && (line + 11 <= (char*)file + len) && !strncmp(line, "/FontMatrix", 11)) { - strncpy(buf, line + 11, 255); - buf[255] = '\0'; + const auto availableFile = (char*)file + len - (line + 11); + const int bufLen = availableFile < 255 ? availableFile : 255; + strncpy(buf, line + 11, bufLen); + buf[bufLen] = '\0'; if ((p = strchr(buf, '['))) { ++p; if ((p2 = strchr(p, ']'))) { ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
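Review bot: The new clamp repeats the literal 255, which has to stay in step with the size of `buf`, declared outside the hunk; if `buf` is a local array, deriving the limit from it with `sizeof(buf) - 1` ties the copy length and the terminator index to the real buffer. `availableFile` is a pointer difference narrowed to `int` in the ternary, which is safe only because the `line + 11 <= (char*)file + len` test in the condition guarantees it is non-negative. A comment such as `// >= 0: guaranteed by the bounds check in the else-if condition` would keep the two from being changed independently. Any other branch of parse() that copies a fixed 255 bytes starting at `line` would over-read the font data in the same way, so those branches are worth checking against this fix.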
[poppler] poppler/GfxState.cc
poppler/GfxState.cc |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) New commits: commit 10a3dc2a9c92349e498ea36bb342b821dcfc9d76 Author: Albert Astals CidDate: Mon May 28 17:44:34 2018 +0200 GfxState.cc: Fix undefined behaviour when compBits is 31 it's a technical issue since according to spec biggest valid value for compBits is 16, but this is simpler imho fixes oss-fuzz/8582 diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc index d459e73f..0ef42a43 100644 --- a/poppler/GfxState.cc +++ b/poppler/GfxState.cc @@ -4828,7 +4828,7 @@ GfxGouraudTriangleShading *GfxGouraudTriangleShading::parse(GfxResources *res, i for (i = 0; 5 + 2*i < obj1.arrayGetLength() && i < gfxColorMaxComps; ++i) { cMin[i] = (obj2 = obj1.arrayGet(4 + 2*i), obj2.getNum()); cMax[i] = (obj2 = obj1.arrayGet(5 + 2*i), obj2.getNum()); - cMul[i] = (cMax[i] - cMin[i]) / (double)((1 << compBits) - 1); + cMul[i] = (cMax[i] - cMin[i]) / (double)((1u << compBits) - 1); } nComps = i; @@ -5173,7 +5173,7 @@ GfxPatchMeshShading *GfxPatchMeshShading::parse(GfxResources *res, int typeA, Di for (i = 0; 5 + 2*i < obj1.arrayGetLength() && i < gfxColorMaxComps; ++i) { cMin[i] = (obj2 = obj1.arrayGet(4 + 2*i), obj2.getNum()); cMax[i] = (obj2 = obj1.arrayGet(5 + 2*i), obj2.getNum()); - cMul[i] = (cMax[i] - cMin[i]) / (double)((1 << compBits) - 1); + cMul[i] = (cMax[i] - cMin[i]) / (double)((1u << compBits) - 1); } nComps = i; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
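Review bot: Switching to `1u << compBits` only moves the limit: a shift by 32 or more, or by a negative count, is still undefined, and a `compBits` of 0 makes the divisor `(1u << 0) - 1` equal to 0, so `cMul[i]` becomes infinite or NaN. The commit message notes that the specification allows at most 16, so rejecting out-of-range values where `compBits` is read would close all of these cases, along the lines of `if (compBits < 1 || compBits > 16) { /* report a syntax error and fail the parse */ }`. The same applies to the identical line in GfxPatchMeshShading::parse in the second hunk. Neither hunk shows how `compBits` is obtained, so an existing range check earlier in these functions cannot be ruled out.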