[poppler] poppler/Stream.cc
poppler/Stream.cc |9 + 1 file changed, 5 insertions(+), 4 deletions(-) New commits: commit 2cf3cf58ed9f70b99e6ee93c57bb434a52a0e857 Author: Albert Astals Cid Date: Thu Apr 27 11:50:45 2023 +0200 Check overflow in nvals correctly diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 07720632..42d18880 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Jeff Muizelaar -// Copyright (C) 2006-2010, 2012-2014, 2016-2021 Albert Astals Cid +// Copyright (C) 2006-2010, 2012-2014, 2016-2021, 2023 Albert Astals Cid // Copyright (C) 2007 Krzysztof Kowalczyk // Copyright (C) 2008 Julien Rebetez // Copyright (C) 2009 Carlos Garcia Campos @@ -728,9 +728,10 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, int widthA, int n predLine = nullptr; ok = false; -nVals = width * nComps; -if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps || nBits > 16 || width >= INT_MAX / nComps || // check for overflow in nVals -nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes +if (checkedMultiply(width, nComps, &nVals)) { +return; +} +if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps || nBits > 16 || nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes return; } pixBytes = (nComps * nBits + 7) >> 3;
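Review bot: The early `return` after `checkedMultiply(width, nComps, &nVals)` has lost the explanation the removed line carried (`// check for overflow in nVals`), and nothing on the new lines says that a true result means the product overflowed. I would put `// checkedMultiply returns true when width * nComps overflows; ok stays false` above the call, after checking the wording against the helper's definition, which is not in this hunk. The context lines set `predLine = nullptr` and `ok = false` before both early returns, so a second comment stating that callers must test the predictor before using it would make the failure contract explicit. The constructor starts and ends outside the hunk.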
[poppler] poppler/Stream.cc
poppler/Stream.cc | 22 ++ 1 file changed, 14 insertions(+), 8 deletions(-) New commits: commit d049732d60c8c44f8945f5a99ab6a4d7c252 Author: Albert Astals Cid Date: Tue Jan 5 23:55:46 2021 +0100 Generalize the EOFStream wrapping EOFStream code diff --git a/poppler/Stream.cc b/poppler/Stream.cc index cd1189d4..666d5b2a 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -167,6 +167,16 @@ GooString *Stream::getPSFilter(int psLevel, const char *indent) return new GooString(); } +static Stream *wrapEOFStream(Stream *str) +{ +if (dynamic_cast(str)) { +// str is already a EOFStream, no need to wrap it in another EOFStream +return str; +} else { +return new EOFStream(str); +} +} + Stream *Stream::addFilters(Dict *dict, int recursion) { Object obj, obj2; @@ -196,11 +206,7 @@ Stream *Stream::addFilters(Dict *dict, int recursion) str = makeFilter(obj2.getName(), str, ¶ms2, recursion); } else { error(errSyntaxError, getPos(), "Bad filter name"); -if (dynamic_cast(str)) { -// str is already a EOFStream, no need to wrap it in another EOFStream -} else { -str = new EOFStream(str); -} +str = wrapEOFStream(str); } } } else if (!obj.isNull()) { @@ -342,7 +348,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int re str = new DCTStream(str, colorXform, dict, recursion); #else error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name); -str = new EOFStream(str); +str = wrapEOFStream(str); #endif } else if (!strcmp(name, "FlateDecode") || !strcmp(name, "Fl")) { pred = 1; @@ -377,7 +383,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int re str = new JPXStream(str); #else error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name); -str = new EOFStream(str); +str = wrapEOFStream(str); #endif } else if (!strcmp(name, "Crypt")) { if (str->getKind() == strCrypt) { 
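Review bot: `wrapEOFStream` has no comment stating its return contract: it returns either `str` itself or a newly allocated EOFStream around it, so a caller must always replace its own pointer with the result, as the call sites do with `str = wrapEOFStream(str);`. A one-line header such as `// Returns str unchanged if it is already an EOFStream, otherwise a new EOFStream wrapping str.` would make that explicit. As a style point, the `else` after `return str;` is redundant, and the function reads more simply as a guard followed by `return new EOFStream(str);`. The page rendering appears to have dropped the template argument of the `dynamic_cast`, so that line is not quoted here.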
@@ -387,7 +393,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int re } } else { error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name); -str = new EOFStream(str); +str = wrapEOFStream(str); } return str; } ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit af267b33cc42ccb9d1a89e06fed1481657c4b3f0 Author: Albert Astals Cid Date: Sun Jan 3 12:25:01 2021 +0100 Update (C) diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 3518c257..cd1189d4 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Jeff Muizelaar -// Copyright (C) 2006-2010, 2012-2014, 2016-2020 Albert Astals Cid +// Copyright (C) 2006-2010, 2012-2014, 2016-2021 Albert Astals Cid // Copyright (C) 2007 Krzysztof Kowalczyk // Copyright (C) 2008 Julien Rebetez // Copyright (C) 2009 Carlos Garcia Campos ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |6 +- 1 file changed, 5 insertions(+), 1 deletion(-) New commits: commit 72183a3ff881316bb470cc0f6db08cf9ef044e53 Author: Albert Astals Cid Date: Sun Jan 3 12:10:55 2021 +0100 Don't wrap EOFStream in an EOFStream It's unneeded and can be relatively easily used to create stack overflows oss-fuzz/29184 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index fb36e712..3518c257 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -196,7 +196,11 @@ Stream *Stream::addFilters(Dict *dict, int recursion) str = makeFilter(obj2.getName(), str, ¶ms2, recursion); } else { error(errSyntaxError, getPos(), "Bad filter name"); -str = new EOFStream(str); +if (dynamic_cast(str)) { +// str is already a EOFStream, no need to wrap it in another EOFStream +} else { +str = new EOFStream(str); +} } } } else if (!obj.isNull()) { ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
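Review bot: The guard only recognises the case where `str` is itself an EOFStream, so if another filter object has been layered on top of an earlier EOFStream, the next bad filter name still adds a wrapper and this check alone does not bound the depth of the chain. The commit message ties the change to stack overflows (oss-fuzz/29184), so it is worth confirming that the number of filters applied to one stream is capped somewhere outside this hunk, or stopping filter processing once the stream has been replaced by an EOFStream. As a style point, the empty `if` branch that holds only a comment is easier to read inverted, with the `str = new EOFStream(str);` assignment under the negated test. addFilters starts and ends outside the hunk.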
[poppler] poppler/Stream.cc
poppler/Stream.cc | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) New commits: commit cd145d56617e7e7501a0054f42b9068babed3dc5 Author: Albert Astals Cid Date: Fri Nov 20 09:13:34 2020 +0100 Fix rendering of some files StreamPredictor::getNextLine when predictori == 2 && nBits == 1 && nComps == 1 Issue #976 Issue #567 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 83c5f75e..ba35a10f 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -749,7 +749,7 @@ bool StreamPredictor::getNextLine() unsigned char upLeftBuf[gfxColorMaxComps * 2 + 1]; int left, up, upLeft, p, pa, pb, pc; int c; -unsigned long inBuf, outBuf, bitMask; +unsigned long inBuf, outBuf; int inBits, outBits; int i, j, k, kk; @@ -822,10 +822,13 @@ bool StreamPredictor::getNextLine() if (predictor == 2) { if (nBits == 1 && nComps == 1) { inBuf = predLine[pixBytes - 1]; -for (i = pixBytes; i < rowBytes; i += 8) { -// 1-bit add is just xor -inBuf = (inBuf << 8) | predLine[i]; -predLine[i] ^= inBuf >> nComps; +for (i = pixBytes; i < rowBytes; ++i) { +c = predLine[i] ^ inBuf; +c ^= c >> 1; +c ^= c >> 2; +c ^= c >> 4; +inBuf = (c & 1) << 7; +predLine[i] = c; } } else if (nBits == 8) { for (i = pixBytes; i < rowBytes; ++i) { @@ -833,7 +836,7 @@ bool StreamPredictor::getNextLine() } } else { memset(upLeftBuf, 0, nComps + 1); -bitMask = (1 << nBits) - 1; +const unsigned long bitMask = (1 << nBits) - 1; inBuf = outBuf = 0; inBits = outBits = 0; j = k = pixBytes; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
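Review bot: The new 1-bit loop replaces a commented one-liner (`// 1-bit add is just xor`) with an uncommented bit trick, and the three shifted XORs are not obvious on first read. I would add `// prefix XOR from the MSB down: each output bit is the XOR of all input bits at or above it, including the carry` above `c ^= c >> 1;`, and `// carry the last decoded pixel (LSB) into the MSB position for the next byte` on the `inBuf = (c & 1) << 7;` line. The seed `inBuf = predLine[pixBytes - 1];` is used as a whole byte rather than as a single carried bit, which is equivalent only if the leading pixBytes of predLine stay zero. That looks intended but is not visible in this hunk, so a short comment saying so would help. getNextLine starts and ends outside the hunk.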
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc |2 +- poppler/Stream.h |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) New commits: commit 56cf80b2c53fa61d29b4718df092248a062c61e0 Author: Albert Astals Cid Date: Mon Sep 14 22:56:15 2020 +0200 Update (C) diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 2220f29c..c36ce113 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -22,7 +22,7 @@ // Copyright (C) 2009 Stefan Thomas // Copyright (C) 2010 Hib Eris // Copyright (C) 2010 Tomas Hoger -// Copyright (C) 2011, 2012, 2016 William Bader +// Copyright (C) 2011, 2012, 2016, 2020 William Bader // Copyright (C) 2012, 2013, 2020 Thomas Freitag // Copyright (C) 2012 Oliver Sander // Copyright (C) 2012 Fabio D'Urso diff --git a/poppler/Stream.h b/poppler/Stream.h index abd60d4b..7d51db60 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -19,7 +19,7 @@ // Copyright (C) 2009 Carlos Garcia Campos // Copyright (C) 2009 Stefan Thomas // Copyright (C) 2010 Hib Eris -// Copyright (C) 2011, 2012, 2016 William Bader +// Copyright (C) 2011, 2012, 2016, 2020 William Bader // Copyright (C) 2012, 2013 Thomas Freitag // Copyright (C) 2012, 2013 Fabio D'Urso // Copyright (C) 2013, 2017 Adrian Johnson ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc | 50 ++ poppler/Stream.h |4 ++-- 2 files changed, 28 insertions(+), 26 deletions(-) New commits: commit 7b9aa28e5eb613e7a9d7c6c688aea4025a35543a Author: Albert Astals Cid Date: Sun Sep 29 17:59:52 2019 +0200 Also switch the const_cast in Stream This way we only const_cast in free() diff --git a/poppler/Stream.cc b/poppler/Stream.cc index bd918efb..8c29f8eb 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -4433,7 +4433,7 @@ static const FlateCode flateFixedLitCodeTabCodes[512] = { }; FlateHuffmanTab FlateStream::fixedLitCodeTab = { - const_cast(flateFixedLitCodeTabCodes), 9 + flateFixedLitCodeTabCodes, 9 }; static const FlateCode flateFixedDistCodeTabCodes[32] = { @@ -4472,7 +4472,7 @@ static const FlateCode flateFixedDistCodeTabCodes[32] = { }; FlateHuffmanTab FlateStream::fixedDistCodeTab = { - const_cast(flateFixedDistCodeTabCodes), 5 + flateFixedDistCodeTabCodes, 5 }; FlateStream::FlateStream(Stream *strA, int predictor, int columns, @@ -4494,10 +4494,10 @@ FlateStream::FlateStream(Stream *strA, int predictor, int columns, FlateStream::~FlateStream() { if (litCodeTab.codes != fixedLitCodeTab.codes) { -gfree(litCodeTab.codes); +gfree(const_cast(litCodeTab.codes)); } if (distCodeTab.codes != fixedDistCodeTab.codes) { -gfree(distCodeTab.codes); +gfree(const_cast(distCodeTab.codes)); } if (pred) { delete pred; @@ -4685,11 +4685,11 @@ bool FlateStream::startBlock() { // free the code tables from the previous block if (litCodeTab.codes != fixedLitCodeTab.codes) { -gfree(litCodeTab.codes); +gfree(const_cast(litCodeTab.codes)); } litCodeTab.codes = nullptr; if (distCodeTab.codes != fixedDistCodeTab.codes) { -gfree(distCodeTab.codes); +gfree(const_cast(distCodeTab.codes)); } distCodeTab.codes = nullptr; 
@@ -4791,7 +4791,7 @@ bool FlateStream::readDynamicCodes() { goto err; } } - compHuffmanCodes(codeLenCodeLengths, flateMaxCodeLenCodes, &codeLenCodeTab); + codeLenCodeTab.codes = compHuffmanCodes(codeLenCodeLengths, flateMaxCodeLenCodes, &codeLenCodeTab.maxLen); // build the literal and distance code tables len = 0; 
@@ -4840,44 +4840,44 @@ bool FlateStream::readDynamicCodes() { codeLengths[i++] = len = code; } } - compHuffmanCodes(codeLengths, numLitCodes, &litCodeTab); - compHuffmanCodes(codeLengths + numLitCodes, numDistCodes, &distCodeTab); + litCodeTab.codes = compHuffmanCodes(codeLengths, numLitCodes, &litCodeTab.maxLen); + distCodeTab.codes = compHuffmanCodes(codeLengths + numLitCodes, numDistCodes, &distCodeTab.maxLen); - gfree(codeLenCodeTab.codes); + gfree(const_cast(codeLenCodeTab.codes)); return true; err: error(errSyntaxError, getPos(), "Bad dynamic code table in flate stream"); - gfree(codeLenCodeTab.codes); + gfree(const_cast(codeLenCodeTab.codes)); return false; } // Convert an array of lengths, in value order, into a // Huffman code lookup table. -void FlateStream::compHuffmanCodes(int *lengths, int n, FlateHuffmanTab *tab) { - int tabSize, len, code, code2, skip, val, i, t; +FlateCode *FlateStream::compHuffmanCodes(const int *lengths, int n, int *maxLen) { + int len, code, code2, skip, val, i, t; // find max code length - tab->maxLen = 0; + *maxLen = 0; for (val = 0; val < n; ++val) { -if (lengths[val] > tab->maxLen) { - tab->maxLen = lengths[val]; +if (lengths[val] > *maxLen) { + *maxLen = lengths[val]; } } // allocate the table - tabSize = 1 << tab->maxLen; - tab->codes = (FlateCode *)gmallocn(tabSize, sizeof(FlateCode)); + const int tabSize = 1 << *maxLen; + FlateCode *codes = (FlateCode *)gmallocn(tabSize, sizeof(FlateCode)); // clear the table for (i = 0; i < tabSize; ++i) { -tab->codes[i].len = 0; -tab->codes[i].val = 0; +codes[i].len = 0; +codes[i].val = 0; } // build the table for (len = 1, code = 0, skip = 2; - len <= tab->maxLen; + len <= *maxLen; ++len, code <<= 1, skip <<= 1) { for (val = 0; val < n; ++val) { if (lengths[val] == len) { 
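Review bot: The new signature of `compHuffmanCodes` changes who owns the table, and the comment above it (`Convert an array of lengths, in value order, into a Huffman code lookup table`) does not say so. I would extend it to state that the function returns a table of `1 << *maxLen` entries allocated with gmallocn, that the caller owns it and releases it with gfree, and that `*maxLen` receives the largest value in `lengths` (0 when n is 0). Since `tabSize` is computed as `1 << *maxLen` from the values in `lengths`, the comment should also record the upper bound the callers guarantee on those values; that bound is not visible in this hunk. The function body continues past the end of this hunk.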
@@ -4892,18 +4892,20 @@ void FlateStream::compHuffmanCodes(int *lengths, int n, FlateHuffmanTab *tab) { // fill in the table entries for (i = code2; i < tabSize; i += skip) { - tab->codes[i].len = (unsigned short)len; - tab->codes[i].val = (unsigned short)val; + codes[i].len = (unsigned short)len; + codes[i].val = (unsigned short)val; } ++code; } } } + + return codes; } int FlateStream::getHuffmanCodeWord(FlateHuffmanTab *tab) { - FlateCode *code; + const FlateCode *code; int c; while (codeSize < tab->maxLen) { diff --git a/poppler/Stream.h b/poppler/Stream.h index 58246f19..1b0ae69b 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -1065,7 +1065,7 @@ struct Flate
[poppler] poppler/Stream.cc
poppler/Stream.cc |3 +++ 1 file changed, 3 insertions(+) New commits: commit f4136a6353162db249f63ddb0f20611622ab61b4 Author: Albert Astals Cid Date: Wed Feb 27 19:43:22 2019 +0100 ImageStream::getLine: fix crash on broken files Fixes #728 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 33537b0e..a41435ab 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -496,6 +496,9 @@ unsigned char *ImageStream::getLine() { } int readChars = str->doGetChars(inputLineSize, inputLine); + if (unlikely(readChars == -1)) { + readChars = 0; + } for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF; if (nBits == 1) { unsigned char *p = inputLine; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
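Review bot: The added test matches only `readChars == -1`, so any other negative return from `doGetChars` would still reach the fill loop and index `inputLine` below its start. Unless `doGetChars` is documented never to return anything below -1 (not visible here), `if (unlikely(readChars < 0)) {` is the safer guard and costs nothing. A short comment such as `// doGetChars reports failure with a negative count; treat it as an empty read` would also explain why the whole line is then padded with EOF. getLine starts and ends outside the hunk.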
[poppler] poppler/Stream.cc
poppler/Stream.cc |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) New commits: commit ff1ab1b0c9b265df1fd07380cd78ca0daa63d642 Author: Vincent Le Garrec Date: Sat Feb 2 04:25:52 2019 +0100 Undefined-shift in StreamPredictor::getNextLine oss-fuzz/10284 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 25ec3c68..6a6b46a2 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -35,6 +35,7 @@ // Copyright (C) 2017 Jose Aliste // Copyright (C) 2017 Kay Dohmann // Copyright (C) 2019 Christian Persch +// Copyright (C) 2019 LE GARREC Vincent // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -712,7 +713,7 @@ bool StreamPredictor::getNextLine() { j = k = pixBytes; for (i = 0; i < width; ++i) { for (kk = 0; kk < nComps; ++kk) { - if (inBits < nBits) { + while (inBits < nBits) { inBuf = (inBuf << 8) | (predLine[j++] & 0xff); inBits += 8; } ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
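Review bot: The switch from `if` to `while` on `inBits < nBits` is the whole fix, and nothing on the line says why a single refill is not enough. A comment like `// nBits may exceed 8, so more than one byte can be needed before inBits >= nBits` would keep the loop from being simplified back later; the shift that depends on it is outside the hunk, so the wording should be checked against it. The refill also advances `j` with no comparison against `rowBytes` in the visible lines. It presumably relies on the constructor's sizing of predLine, which is worth stating next to the loop.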
[poppler] poppler/Stream.cc
poppler/Stream.cc | 27 ++- 1 file changed, 26 insertions(+), 1 deletion(-) New commits: commit c3a2c11a966a8e260a44716cbb0e26fa437b8f8d Author: Albert Astals Cid Date: Sun Oct 21 11:29:44 2018 +0200 Stream::makeFilter: Fix memory leak fixes oss-fuzz/9614 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4c5380e0..cc5e28dd 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -180,6 +180,31 @@ Stream *Stream::addFilters(Dict *dict, int recursion) { return str; } +class BaseStreamStream : public Stream +{ +public: + BaseStreamStream(Stream *strA) : str(strA) + { + } + + StreamKind getKind() override { return str->getBaseStream()->getKind(); } + void reset() override { str->getBaseStream()->reset(); } + int getChar() override { return str->getBaseStream()->getChar(); } + int lookChar() override { return str->getBaseStream()->lookChar(); } + bool isBinary(bool last = true) override { return str->getBaseStream()->isBinary(); } + int getUnfilteredChar () override { return str->getBaseStream()->getUnfilteredChar(); } + void unfilteredReset () override { str->getBaseStream()->unfilteredReset(); } + Goffset getPos() override { return str->getBaseStream()->getPos(); } + void setPos(Goffset pos, int dir) override { str->getBaseStream()->setPos(pos, dir); } + BaseStream *getBaseStream() override { return str->getBaseStream()->getBaseStream(); } + Stream *getUndecodedStream() override { return str->getBaseStream()->getUndecodedStream(); } + Dict *getDict() override { return str->getBaseStream()->getDict(); } + Object *getDictObject() override { return str->getBaseStream()->getDictObject(); } + +private: + std::unique_ptr str; +}; + Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int recursion, Dict *dict) { int pred;// parameters int colors; 
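Review bot: `isBinary(bool last = true)` ignores its argument and calls the base stream's `isBinary()` with whatever default that function declares, so the value the caller passed is lost; forwarding it as `return str->getBaseStream()->isBinary(last);` keeps the override transparent. The single-argument constructor should be `explicit BaseStreamStream(Stream *strA)`, since an implicit conversion from a raw `Stream *` would silently hand ownership to the `unique_ptr` member. The class also has no comment saying why it exists. From the commit message it appears to own the stream being replaced in the Crypt branch so that it is eventually freed, while presenting that stream's base stream to callers, and one sentence to that effect above the class would document the ownership.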
@@ -315,7 +340,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int re #endif } else if (!strcmp(name, "Crypt")) { if (str->getKind() == strCrypt) { - str = str->getBaseStream(); + str = new BaseStreamStream(str); } else { error(errSyntaxError, getPos(), "Can't revert non decrypt streams"); } ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit e4f4cbddd11ae6386985879187007fa5add43624 Author: Albert Astals Cid Date: Tue Jun 12 09:32:57 2018 +0200 StreamPredictor: Move pixBytes calculation after checks fixes oss-fuzz/8835 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 5e5eb335..21bd3b9b 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -572,7 +572,6 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, ok = gFalse; nVals = width * nComps; - pixBytes = (nComps * nBits + 7) >> 3; if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps || nBits > 16 || @@ -580,6 +579,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes return; } + pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
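Review bot: `nVals = width * nComps;` still executes before any of the range checks, so the signed multiplication can overflow on out-of-range `width` or `nComps` before the guard rejects them; this commit moves only `pixBytes` below the guard. Because the guard's last term reads `nVals`, the fix is to split it: test `width`, `nComps` and `nBits` first, then assign `nVals = width * nComps;`, then test `nVals >= (INT_MAX - 7) / nBits` in a second `if` that also returns. The same context line appears in commit db73587c further down this page, and the later commit 2cf3cf58 at the top of the page replaces the multiplication with `checkedMultiply`. The constructor starts before the first hunk and the lines between the two hunks are not shown.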
Re: [poppler] poppler/Stream.cc
El dissabte, 26 de maig de 2018, a les 11:17:31 CEST, Adam Reichold va escriure: > Hello, > > Am 26.05.2018 um 10:59 schrieb Albert Astals Cid: > > El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va escriure: > >> Hello again, > >> > >> attached the patch. It declares inputBuf as unsigned so all bit shifts > >> happen on unsigned values. ctest at least seems to be happy. > > > > Interestingly the automagic fuzzer service says that the issue with > > LZWStream::getCode doing left shift on negative values has been fixed by > > a commit in this range > > https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18 > > 913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b > Are you sure this is exhaustive? It's totally not exhaustive :D > I suspect the fuzzer randomly explores > the input space, probably coverage guided? So couldn't it be that it > just did not hit the issue again yet, since from looking at the code, > inputBuf could very well become negative when considered as a signed > integer depending on the specific input bytes. You're right, actually i have "real" pdf files that used to depend on the gcc implementation of the undefined behaviour (that's how i realized that my initial change was causing a regression), so I've commited your change now :) Cheers, Albert > > Best regards, > Adam > > > So i guess for not better not to touch this code. > > > > Thanks for the patch though :) > > > > Cheers, > > > > Albert > >> > >> It does build without the casts as well but I am not completely sure > >> about the language legalese behind this and hence left them in and also > >> for explicitness. > >> > >> Proper fix would probably be to converted all of the LZW decoding to use > >> unsigned values. 
> >> > >> Best regards, > >> Adam > >> > >> Am 23.05.2018 um 21:24 schrieb Albert Astals Cid: > >>> El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va > >>> > >>> escriure: > Hello, > > maybe the simplest solution would to turn inputBuf into an unsigned int > and convert to signed int after extracting the bits out of it? > >>> > >>> Yeah that sounds like a plan, could you try to produce a patch so i can > >>> run it through regtest? > >>> > >>> Cheers, > >>> > >>> Albert > > Best regards, > Adam > > Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: > > poppler/Stream.cc |4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > New commits: > > commit 58e056c4b15f262b7715f8061d6885eb80044d0d > > Author: Albert Astals Cid > > Date: Wed May 23 00:23:19 2018 +0200 > > > > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 > > > > So shifting left negative values is undefined behaviour according > > to > > the > > spec but if we don't do it we break, so we seem to be depending on > > this > > undefined behaviour, will try to figure out a better fix > > > > diff --git a/poppler/Stream.cc b/poppler/Stream.cc > > index b6bfd838..4f075c12 100644 > > --- a/poppler/Stream.cc > > +++ b/poppler/Stream.cc > > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { > > > >while (inputBits < nextBits) { > > > > if ((c = str->getChar()) == EOF) > > > >return EOF; > > > > -if (likely(inputBuf >= 0)) { > > -inputBuf = (inputBuf << 8) | (c & 0xff); > > -} > > +inputBuf = (inputBuf << 8) | (c & 0xff); > > > > inputBits += 8; > > > >} > >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - > >1); > > > > ___ > > poppler mailing list > > poppler@lists.freedesktop.org > > https://lists.freedesktop.org/mailman/listinfo/poppler ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc |6 +++--- poppler/Stream.h |4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) New commits: commit 1bc71245fa88dc23dc355f926f50f04896739fff Author: Adam Reichold Date: Sat May 26 11:54:41 2018 +0200 LZWStream: make inputBuf unsigned since shifting negative numbers is undefined according to spec diff --git a/poppler/Stream.cc b/poppler/Stream.cc index f701789f..5e5eb335 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -28,7 +28,7 @@ // Copyright (C) 2012 Fabio D'Urso // Copyright (C) 2012 Even Rouault // Copyright (C) 2013, 2017, 2018 Adrian Johnson -// Copyright (C) 2013 Adam Reichold +// Copyright (C) 2013, 2018 Adam Reichold // Copyright (C) 2013 Pino Toscano // Copyright (C) 2015 Suzuki Toshiya // Copyright (C) 2015 Jason Crain @@ -1445,10 +1445,10 @@ int LZWStream::getCode() { while (inputBits < nextBits) { if ((c = str->getChar()) == EOF) return EOF; -inputBuf = (inputBuf << 8) | (c & 0xff); +inputBuf = (inputBuf << 8) | static_cast(c & 0xff); inputBits += 8; } - code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); + code = static_cast((inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1)); inputBits -= nextBits; return code; } diff --git a/poppler/Stream.h b/poppler/Stream.h index a3faccd9..841c87a8 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -24,7 +24,7 @@ // Copyright (C) 2012, 2013 Fabio D'Urso // Copyright (C) 2013, 2017 Adrian Johnson // Copyright (C) 2013 Peter Breitenlohner -// Copyright (C) 2013 Adam Reichold +// Copyright (C) 2013, 2018 Adam Reichold // Copyright (C) 2013 Pino Toscano // // To see a description of the changes please see the Changelog file that 
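Review bot: The mask in `getCode` is still built as `(1 << nextBits) - 1` in signed int and only then combined with the unsigned `inputBuf`, which leaves one signed shift in an expression the commit otherwise makes unsigned. Writing it as `((1u << nextBits) - 1)` keeps the whole computation in unsigned arithmetic and matches the stated intent. The signed form is safe only while `nextBits` stays well below the width of int, and that bound is not visible in this hunk. A comment on the `inputBuf` member noting that it is unsigned so that the left shift discards high bits with defined behaviour would also keep it from being changed back.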
@@ -823,7 +823,7 @@ private: StreamPredictor *pred; // predictor int early; // early parameter GBool eof; // true if at eof - int inputBuf;// input buffer + unsigned int inputBuf; // input buffer int inputBits; // number of bits in input buffer struct { // decoding table int length; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
Re: [poppler] poppler/Stream.cc
Hello, Am 26.05.2018 um 10:59 schrieb Albert Astals Cid: > El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va > escriure: >> Hello again, >> >> attached the patch. It declares inputBuf as unsigned so all bit shifts >> happen on unsigned values. ctest at least seems to be happy. > > Interestingly the automagic fuzzer service says that the issue with > LZWStream::getCode doing left shift on negative values has been fixed by a > commit in this range > https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b Are you sure this is exhaustive? I suspect the fuzzer randomly explores the input space, probably coverage guided? So couldn't it be that it just did not hit the issue again yet, since from looking at the code, inputBuf could very well become negative when considered as a signed integer depending on the specific input bytes. Best regards, Adam > So i guess for not better not to touch this code. > > Thanks for the patch though :) > > Cheers, > Albert > >> >> It does build without the casts as well but I am not completely sure >> about the language legalese behind this and hence left them in and also >> for explicitness. >> >> Proper fix would probably be to converted all of the LZW decoding to use >> unsigned values. >> >> Best regards, >> Adam >> >> Am 23.05.2018 um 21:24 schrieb Albert Astals Cid: >>> El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va >>> >>> escriure: Hello, maybe the simplest solution would to turn inputBuf into an unsigned int and convert to signed int after extracting the bits out of it? >>> >>> Yeah that sounds like a plan, could you try to produce a patch so i can >>> run it through regtest? 
>>> >>> Cheers, >>> >>> Albert Best regards, Adam Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: > poppler/Stream.cc |4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > New commits: > commit 58e056c4b15f262b7715f8061d6885eb80044d0d > Author: Albert Astals Cid > Date: Wed May 23 00:23:19 2018 +0200 > > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 > > So shifting left negative values is undefined behaviour according to > the > spec but if we don't do it we break, so we seem to be depending on > this > undefined behaviour, will try to figure out a better fix > > diff --git a/poppler/Stream.cc b/poppler/Stream.cc > index b6bfd838..4f075c12 100644 > --- a/poppler/Stream.cc > +++ b/poppler/Stream.cc > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { > >while (inputBits < nextBits) { > > if ((c = str->getChar()) == EOF) > >return EOF; > > -if (likely(inputBuf >= 0)) { > -inputBuf = (inputBuf << 8) | (c & 0xff); > -} > +inputBuf = (inputBuf << 8) | (c & 0xff); > > inputBits += 8; > >} >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); > > ___ > poppler mailing list > poppler@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/poppler > > > > > signature.asc Description: OpenPGP digital signature ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
Re: [poppler] poppler/Stream.cc
El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va escriure: > Hello again, > > attached the patch. It declares inputBuf as unsigned so all bit shifts > happen on unsigned values. ctest at least seems to be happy. Interestingly the automagic fuzzer service says that the issue with LZWStream::getCode doing left shift on negative values has been fixed by a commit in this range https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b So i guess for not better not to touch this code. Thanks for the patch though :) Cheers, Albert > > It does build without the casts as well but I am not completely sure > about the language legalese behind this and hence left them in and also > for explicitness. > > Proper fix would probably be to converted all of the LZW decoding to use > unsigned values. > > Best regards, > Adam > > Am 23.05.2018 um 21:24 schrieb Albert Astals Cid: > > El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va > > > > escriure: > >> Hello, > >> > >> maybe the simplest solution would to turn inputBuf into an unsigned int > >> and convert to signed int after extracting the bits out of it? > > > > Yeah that sounds like a plan, could you try to produce a patch so i can > > run it through regtest? > > > > Cheers, > > > > Albert > >> > >> Best regards, > >> Adam > >> > >> Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: > >>> poppler/Stream.cc |4 +--- > >>> 1 file changed, 1 insertion(+), 3 deletions(-) > >>> > >>> New commits: > >>> commit 58e056c4b15f262b7715f8061d6885eb80044d0d > >>> Author: Albert Astals Cid > >>> Date: Wed May 23 00:23:19 2018 +0200 > >>> > >>> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 > >>> > >>> So shifting left negative values is undefined behaviour according to > >>> the > >>> spec but if we don't do it we break, so we seem to be depending on > >>> this > >>> undefined behaviour, will try to figure out a better fix 
> >>> > >>> diff --git a/poppler/Stream.cc b/poppler/Stream.cc > >>> index b6bfd838..4f075c12 100644 > >>> --- a/poppler/Stream.cc > >>> +++ b/poppler/Stream.cc > >>> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { > >>> > >>>while (inputBits < nextBits) { > >>> > >>> if ((c = str->getChar()) == EOF) > >>> > >>>return EOF; > >>> > >>> -if (likely(inputBuf >= 0)) { > >>> -inputBuf = (inputBuf << 8) | (c & 0xff); > >>> -} > >>> +inputBuf = (inputBuf << 8) | (c & 0xff); > >>> > >>> inputBits += 8; > >>> > >>>} > >>>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); > >>> > >>> ___ > >>> poppler mailing list > >>> poppler@lists.freedesktop.org > >>> https://lists.freedesktop.org/mailman/listinfo/poppler ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit db73587c566f8e50f03b24628e8948a558ee7039 Author: Albert Astals Cid Date: Thu May 24 11:56:39 2018 +0200 StreamPredictor: move rowBytes calculation after overflow check fixes oss-fuzz/8498 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4f075c12..f701789f 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -573,7 +573,6 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, nVals = width * nComps; pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps || nBits > 16 || @@ -581,6 +580,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes return; } + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); predIdx = rowBytes; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
Re: [poppler] poppler/Stream.cc
Hello again, attached the patch. It declares inputBuf as unsigned so all bit shifts happen on unsigned values. ctest at least seems to be happy. It does build without the casts as well but I am not completely sure about the language legalese behind this and hence left them in and also for explicitness. Proper fix would probably be to converted all of the LZW decoding to use unsigned values. Best regards, Adam Am 23.05.2018 um 21:24 schrieb Albert Astals Cid: > El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va > escriure: >> Hello, >> >> maybe the simplest solution would to turn inputBuf into an unsigned int >> and convert to signed int after extracting the bits out of it? > > Yeah that sounds like a plan, could you try to produce a patch so i can run > it > through regtest? > > Cheers, > Albert > >> >> Best regards, >> Adam >> >> Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: >>> poppler/Stream.cc |4 +--- >>> 1 file changed, 1 insertion(+), 3 deletions(-) >>> >>> New commits: >>> commit 58e056c4b15f262b7715f8061d6885eb80044d0d >>> Author: Albert Astals Cid >>> Date: Wed May 23 00:23:19 2018 +0200 >>> >>> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 >>> >>> So shifting left negative values is undefined behaviour according to >>> the >>> spec but if we don't do it we break, so we seem to be depending on >>> this >>> undefined behaviour, will try to figure out a better fix >>> >>> diff --git a/poppler/Stream.cc b/poppler/Stream.cc >>> index b6bfd838..4f075c12 100644 >>> --- a/poppler/Stream.cc >>> +++ b/poppler/Stream.cc 
>>> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { >>> >>>while (inputBits < nextBits) { >>> >>> if ((c = str->getChar()) == EOF) >>> >>>return EOF; >>> >>> -if (likely(inputBuf >= 0)) { >>> -inputBuf = (inputBuf << 8) | (c & 0xff); >>> -} >>> +inputBuf = (inputBuf << 8) | (c & 0xff); >>> >>> inputBits += 8; >>> >>>} >>>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); >>> >>> ___ >>> poppler mailing list >>> poppler@lists.freedesktop.org >>> https://lists.freedesktop.org/mailman/listinfo/poppler > > > > > diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4f075c12..63c803dd 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1445,10 +1445,10 @@ int LZWStream::getCode() { while (inputBits < nextBits) { if ((c = str->getChar()) == EOF) return EOF; -inputBuf = (inputBuf << 8) | (c & 0xff); +inputBuf = (inputBuf << 8) | static_cast(c & 0xff); inputBits += 8; } - code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); + code = static_cast((inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1)); inputBits -= nextBits; return code; } diff --git a/poppler/Stream.h b/poppler/Stream.h index a3faccd9..dff7978d 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -823,7 +823,7 @@ private: StreamPredictor *pred; // predictor int early; // early parameter GBool eof; // true if at eof - int inputBuf; // input buffer + unsigned inputBuf; // input buffer int inputBits; // number of bits in input buffer struct { // decoding table int length; signature.asc Description: OpenPGP digital signature ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
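Review bot: The switch of `inputBuf` to `unsigned` in Stream.h deserves a comment saying why, because the type is what makes the `<< 8` in LZWStream::getCode well defined and a later tidy-up back to `int` would silently bring the undefined shift back. Something like `unsigned inputBuf; // input buffer; unsigned so << 8 discards old high bits without UB` would do. The mask `((1 << nextBits) - 1)` is still evaluated as a signed int, which is fine only while nextBits stays well below the width of int; its range is set outside these hunks.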
Re: [poppler] poppler/Stream.cc
El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va escriure: > Hello, > > maybe the simplest solution would to turn inputBuf into an unsigned int > and convert to signed int after extracting the bits out of it? Yeah that sounds like a plan, could you try to produce a patch so i can run it through regtest? Cheers, Albert > > Best regards, > Adam > > Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: > > poppler/Stream.cc |4 +--- > > 1 file changed, 1 insertion(+), 3 deletions(-) > > > > New commits: > > commit 58e056c4b15f262b7715f8061d6885eb80044d0d > > Author: Albert Astals Cid > > Date: Wed May 23 00:23:19 2018 +0200 > > > > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 > > > > So shifting left negative values is undefined behaviour according to > > the > > spec but if we don't do it we break, so we seem to be depending on > > this > > undefined behaviour, will try to figure out a better fix > > > > diff --git a/poppler/Stream.cc b/poppler/Stream.cc > > index b6bfd838..4f075c12 100644 > > --- a/poppler/Stream.cc > > +++ b/poppler/Stream.cc > > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { > > > >while (inputBits < nextBits) { > > > > if ((c = str->getChar()) == EOF) > > > >return EOF; > > > > -if (likely(inputBuf >= 0)) { > > -inputBuf = (inputBuf << 8) | (c & 0xff); > > -} > > +inputBuf = (inputBuf << 8) | (c & 0xff); > > > > inputBits += 8; > > > >} > >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); > > > > ___ > > poppler mailing list > > poppler@lists.freedesktop.org > > https://lists.freedesktop.org/mailman/listinfo/poppler ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
Re: [poppler] poppler/Stream.cc
Hello, maybe the simplest solution would to turn inputBuf into an unsigned int and convert to signed int after extracting the bits out of it? Best regards, Adam Am 23.05.2018 um 00:24 schrieb Albert Astals Cid: > poppler/Stream.cc |4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > New commits: > commit 58e056c4b15f262b7715f8061d6885eb80044d0d > Author: Albert Astals Cid > Date: Wed May 23 00:23:19 2018 +0200 > > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 > > So shifting left negative values is undefined behaviour according to the > spec but if we don't do it we break, so we seem to be depending on this > undefined behaviour, will try to figure out a better fix > > diff --git a/poppler/Stream.cc b/poppler/Stream.cc > index b6bfd838..4f075c12 100644 > --- a/poppler/Stream.cc > +++ b/poppler/Stream.cc > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { >while (inputBits < nextBits) { > if ((c = str->getChar()) == EOF) >return EOF; > -if (likely(inputBuf >= 0)) { > -inputBuf = (inputBuf << 8) | (c & 0xff); > -} > +inputBuf = (inputBuf << 8) | (c & 0xff); > inputBits += 8; >} >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); > ___ > poppler mailing list > poppler@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/poppler > signature.asc Description: OpenPGP digital signature ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) New commits: commit 58e056c4b15f262b7715f8061d6885eb80044d0d Author: Albert Astals Cid Date: Wed May 23 00:23:19 2018 +0200 Revert 31c3832b996acbf04ea833e304d7d21ac4533a57 So shifting left negative values is undefined behaviour according to the spec but if we don't do it we break, so we seem to be depending on this undefined behaviour, will try to figure out a better fix diff --git a/poppler/Stream.cc b/poppler/Stream.cc index b6bfd838..4f075c12 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1445,9 +1445,7 @@ int LZWStream::getCode() { while (inputBits < nextBits) { if ((c = str->getChar()) == EOF) return EOF; -if (likely(inputBuf >= 0)) { -inputBuf = (inputBuf << 8) | (c & 0xff); -} +inputBuf = (inputBuf << 8) | (c & 0xff); inputBits += 8; } code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
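Review bot: The restored `inputBuf = (inputBuf << 8) | (c & 0xff);` is known to shift a negative int, and nothing in the code records that, so the next reader or sanitizer run will have to rediscover it. Until the better fix mentioned in the commit message lands, a comment on that line such as `// FIXME: inputBuf can be negative here; the shift is undefined but decoding currently relies on it` would keep the dependency visible. getCode continues past the end of the hunk.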
[poppler] poppler/Stream.cc
poppler/Stream.cc |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) New commits: commit 31c3832b996acbf04ea833e304d7d21ac4533a57 Author: Albert Astals Cid Date: Tue May 22 20:25:18 2018 +0200 LZWStream::getCode: Don't left shift negative values it's undefined behaviour diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4f075c12..b6bfd838 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1445,7 +1445,9 @@ int LZWStream::getCode() { while (inputBits < nextBits) { if ((c = str->getChar()) == EOF) return EOF; -inputBuf = (inputBuf << 8) | (c & 0xff); +if (likely(inputBuf >= 0)) { +inputBuf = (inputBuf << 8) | (c & 0xff); +} inputBits += 8; } code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
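Review bot: When `inputBuf` is negative the new branch drops the byte just read, yet `inputBits += 8;` still runs, so the bit count claims eight bits that were never shifted in and the following `code = ...` extraction reads the wrong bits. Doing the shift on an unsigned value keeps the byte and avoids the undefined shift: `inputBuf = static_cast<int>((static_cast<unsigned>(inputBuf) << 8) | (c & 0xff));`. The conversion back to int is implementation-defined rather than undefined before C++20, so declaring inputBuf unsigned would be cleaner; its declaration is outside this hunk.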
[poppler] poppler/Stream.cc
poppler/Stream.cc |1 + 1 file changed, 1 insertion(+) New commits: commit 0c0c368fed70c1db64ce04b135fd5b060a1f0653 Author: Albert Astals Cid Date: Tue May 22 18:26:29 2018 +0200 LZWStream::clearTable: init newChar to 0 it should not be needed because on well formed streams it will be properly initialized in processNextCode but this solves an uninitialized memory use on malformed documents fixes oss-fuzz/8457 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 15a6a9f9..4f075c12 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1435,6 +1435,7 @@ void LZWStream::clearTable() { nextBits = 9; seqIndex = seqLength = 0; first = gTrue; + newChar = 0; } int LZWStream::getCode() { ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
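Review bot: The reason for `newChar = 0;` lives only in the commit message, so in the code it reads like a redundant reset that a later cleanup could remove. A trailing comment such as `newChar = 0; // may be read before processNextCode sets it on malformed streams` would keep the fix from being undone.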
[poppler] poppler/Stream.cc
poppler/Stream.cc | 16 +++- 1 file changed, 7 insertions(+), 9 deletions(-) New commits: commit d72f0383b959d8495a452d2d32377e588b15ad65 Author: Kay Dohmann Date: Mon Oct 23 23:31:13 2017 +0200 Tweak LZWStream::processNextCode Fixes file attached at bug 103174 and doesn't seem to cause any regression in the files we have around Bug #103174 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index b541356d..da1d9267 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -33,6 +33,7 @@ // Copyright (C) 2015 Suzuki Toshiya // Copyright (C) 2015 Jason Crain // Copyright (C) 2017 Jose Aliste +// Copyright (C) 2017 Kay Dohmann // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -1461,11 +1462,6 @@ GBool LZWStream::processNextCode() { clearTable(); goto start; } - if (nextCode >= 4097) { -error(errSyntaxError, getPos(), - "Bad LZW stream - expected clear-table code"); -clearTable(); - } // process the next code nextLength = seqLength + 1; @@ -1491,10 +1487,12 @@ GBool LZWStream::processNextCode() { if (first) { first = gFalse; } else { -table[nextCode].length = nextLength; -table[nextCode].head = prevCode; -table[nextCode].tail = newChar; -++nextCode; +if (nextCode < 4097) { + table[nextCode].length = nextLength; + table[nextCode].head = prevCode; + table[nextCode].tail = newChar; + ++nextCode; +} if (nextCode + early == 512) nextBits = 10; else if (nextCode + early == 1024) ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
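Review bot: The new guard `if (nextCode < 4097)` hard-codes the capacity of `table`, whose declaration is outside this hunk, so the bounds check and the array size can drift apart unnoticed; it is worth confirming the array really has at least 4097 entries. A named constant shared with the declaration, or a comment next to the guard stating the table size, would tie the two together. The removed `error(errSyntaxError, ...)` call also means a stream that fills the table without a clear-table code is now decoded with no diagnostic; keeping the message in an `else` branch would preserve that signal for malformed files.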
[poppler] poppler/Stream.cc
poppler/Stream.cc |7 +++ 1 file changed, 7 insertions(+) New commits: commit 733c8faf3034f94b632c65dd091911bc642dcae4 Author: Jose Aliste Date: Tue May 16 18:44:49 2017 -0400 Check numComps is between reasonable bounds Before this patch, some PDF might crash because of an overflow if numComps does not lie between 0 and 4. This is a security fix for CVE-2017-0319. diff --git a/poppler/Stream.cc b/poppler/Stream.cc index d93c560e..e3d5cf6a 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -32,6 +32,7 @@ // Copyright (C) 2013 Pino Toscano // Copyright (C) 2015 Suzuki Toshiya // Copyright (C) 2015 Jason Crain +// Copyright (C) 2017 Jose Aliste // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() { height = read16(); width = read16(); numComps = str->getChar(); + + if (numComps <= 0 || numComps > 4) { +error(errSyntaxError, getPos(), "Bad number of components in DCT stream"); +numComps = 0; +return gFalse; + } if (prec != 8) { error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec); return gFalse; ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
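Review bot: The upper bound in `numComps > 4` is a bare literal standing in for the size of the per-component storage that the overflow in the commit message refers to; those declarations are outside the hunk, so the check and the arrays can diverge. Deriving the bound from the array, or a comment naming the array it protects, would make the check verifiable by inspection. If the baseline SOF reader parses numComps the same way it needs the same guard, which cannot be confirmed from this hunk.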
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit b2bbe5d5bc241c82575bf9987d295d91998ddebc Author: Albert Astals Cid Date: Tue Jun 20 23:58:26 2017 +0200 Fix crash in malformed document Bug #101526 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 4ac91078..d93c560e 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -468,7 +468,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) { nVals = width * nComps; inputLineSize = (nVals * nBits + 7) >> 3; - if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) { + if (nComps <= 0 || nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) { inputLineSize = -1; } inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char)); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
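Review bot: `width` is still not range-checked in the guard: a zero or negative width with a positive nComps gives a non-positive `nVals`, which passes both `nVals > INT_MAX / nBits - 7` and `width > INT_MAX / nComps` and reaches the allocation with a zero or negative size. Adding `width <= 0 ||` to the front of the condition would reject it alongside the new `nComps <= 0`. Whether widthA is validated by callers is not visible here, and the constructor continues beyond the hunk.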
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit 5f51939eea5b98dcef115d18baec3179701d0292 Author: Albert Astals Cid Date: Tue May 24 23:34:48 2016 +0200 Fix stack overflow Bug #96027 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index f1c68e9..4a9babe 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -183,7 +183,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) { dict->dictLookup("DecodeParms", ¶ms, recursion); if (params.isNull()) { params.free(); -dict->dictLookup("DP", ¶ms); +dict->dictLookup("DP", ¶ms, recursion); } if (obj.isName()) { str = makeFilter(obj.getName(), str, ¶ms, recursion, dict); ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) New commits: commit 9ce8dd7fbd132b5f423dc3bf10fa87b973390d0b Author: Albert Astals Cid Date: Mon May 23 23:59:40 2016 +0200 Fix stack overflow on broken file Bug #95567 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 1e6318e..f1c68e9 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Jeff Muizelaar -// Copyright (C) 2006-2010, 2012-2014 Albert Astals Cid +// Copyright (C) 2006-2010, 2012-2014, 2016 Albert Astals Cid // Copyright (C) 2007 Krzysztof Kowalczyk // Copyright (C) 2008 Julien Rebetez // Copyright (C) 2009 Carlos Garcia Campos @@ -178,7 +178,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) { dict->dictLookup("Filter", &obj, recursion); if (obj.isNull()) { obj.free(); -dict->dictLookup("F", &obj); +dict->dictLookup("F", &obj, recursion); } dict->dictLookup("DecodeParms", ¶ms, recursion); if (params.isNull()) { ___ poppler mailing list poppler@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc | 10 +++--- 1 file changed, 3 insertions(+), 7 deletions(-) New commits: commit 1e1a2d0600153c98d44f65e83a0555ab5288450b Author: Jason Crain Date: Sun Sep 6 22:33:02 2015 +0200 Fix JBIG2Decode infinite loop and stack overflow Creating a JBIG2Decode filter can create a stack overflow or infinite loop. Fix stack overflow by adding 'recursion' argument to fetch call. Fix infinite loop by removing the reference lookup loop. Chains of references aren't allowed by the spec anyway. Bug #91186 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index d2dd761..9617678 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -31,6 +31,7 @@ // Copyright (C) 2013 Adam Reichold // Copyright (C) 2013 Pino Toscano // Copyright (C) 2015 Suzuki Toshiya +// Copyright (C) 2015 Jason Crain // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -340,13 +341,8 @@ Stream *Stream::makeFilter(char *name, Stream *str, Object *params, int recursio } else if (!strcmp(name, "JBIG2Decode")) { if (params->isDict()) { XRef *xref = params->getDict()->getXRef(); - params->dictLookupNF("JBIG2Globals", &globals); - while (globals.isRef()) { -obj.free(); -globals.copy(&obj); -globals.free(); -obj.fetch(xref, &globals); - } + params->dictLookupNF("JBIG2Globals", &obj); + obj.fetch(xref, &globals, recursion); } str = new JBIG2Stream(str, &globals, &obj); globals.free(); ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
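Review bot: The rationale for resolving `JBIG2Globals` only once is in the commit message but not in the code, where a single `fetch` now looks like an oversight to anyone who remembers the loop. A comment above the lookup such as `// resolve one level only: chained references are not allowed by the spec and the old loop never terminated on a cycle` would record it. When `params` is not a dict, `globals` and `obj` reach `new JBIG2Stream(str, &globals, &obj)` without being set in this hunk; their initial state is decided outside it.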
[poppler] poppler/Stream.cc
poppler/Stream.cc |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit 714ee1e61d853394818dca7155b1b882408ffc6a Author: Albert Astals Cid Date: Sun Jun 16 19:00:01 2013 +0200 Pass down the recursion param Fixes heap smashing in 168.pdf.SIGSEGV.598.462 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index d6a69b0..41cb8c1 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -186,7 +186,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) { str = makeFilter(obj.getName(), str, ¶ms, recursion, dict); } else if (obj.isArray()) { for (i = 0; i < obj.arrayGetLength(); ++i) { - obj.arrayGet(i, &obj2); + obj.arrayGet(i, &obj2, recursion); if (params.isArray()) params.arrayGet(i, ¶ms2, recursion); else ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc |2 +- poppler/Stream.h |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) New commits: commit f3aa5236361dca3db64f110520ebe721ba1c9464 Author: Pino Toscano Date: Sun Jan 27 18:50:10 2013 +0100 use Goffset also for length in MemStream ctor diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 3deab44..3f89ddc 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1015,7 +1015,7 @@ void CachedFileStream::moveStart(Goffset delta) // MemStream // -MemStream::MemStream(char *bufA, Goffset startA, Guint lengthA, Object *dictA): +MemStream::MemStream(char *bufA, Goffset startA, Goffset lengthA, Object *dictA): BaseStream(dictA, lengthA) { buf = bufA; start = startA; diff --git a/poppler/Stream.h b/poppler/Stream.h index f6e85ac..c871ba7 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -565,7 +565,7 @@ private: class MemStream: public BaseStream { public: - MemStream(char *bufA, Goffset startA, Guint lengthA, Object *dictA); + MemStream(char *bufA, Goffset startA, Goffset lengthA, Object *dictA); virtual ~MemStream(); virtual BaseStream *copy(); virtual Stream *makeSubStream(Goffset start, GBool limited, ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
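Review bot: With `lengthA` now a `Goffset`, a negative length can reach `BaseStream(dictA, lengthA)` and the MemStream members if Goffset is a signed type (its definition is not shown), where the old `Guint` could not represent one. A check at the top of the constructor body, for example `if (lengthA < 0) { lengthA = 0; }`, would keep any later bounds arithmetic on the length from running backwards. The constructor body continues past the hunk.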
[poppler] poppler/Stream.cc
poppler/Stream.cc |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) New commits: commit b1026b5978c385328f2a15a2185c599a563edf91 Author: Albert Astals Cid Date: Wed Jan 9 22:17:09 2013 +0100 Initialize refLine totally Fixes uninitialized memory read in 1004.pdf.asan.7.3 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 414ff3f..d118ddd 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2005 Jeff Muizelaar -// Copyright (C) 2006-2010, 2012 Albert Astals Cid +// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid // Copyright (C) 2007 Krzysztof Kowalczyk // Copyright (C) 2008 Julien Rebetez // Copyright (C) 2009 Carlos Garcia Campos @@ -1712,8 +1712,9 @@ int CCITTFaxStream::lookChar() { for (i = 0; i < columns && codingLine[i] < columns; ++i) { refLine[i] = codingLine[i]; } - refLine[i++] = columns; - refLine[i] = columns; + for (; i < columns + 2; ++i) { + refLine[i] = columns; + } codingLine[0] = 0; a0i = 0; b1i = 0; ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) New commits: commit 2017dbebd9afd4f172242ff8462fce739d911e64 Author: Even Rouault Date: Fri Dec 28 00:30:13 2012 +0100 Do not crash on 0 or negative nBits values diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 842f0c6..414ff3f 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -26,6 +26,7 @@ // Copyright (C) 2012 Thomas Freitag // Copyright (C) 2012 Oliver Sander // Copyright (C) 2012 Fabio D'Urso +// Copyright (C) 2012 Even Rouault // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -419,11 +420,11 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) { nVals = width * nComps; inputLineSize = (nVals * nBits + 7) >> 3; - if (nVals > INT_MAX / nBits - 7) { + if (nBits <= 0 || nVals > INT_MAX / nBits - 7) { // force a call to gmallocn(-1,...), which will throw an exception inputLineSize = -1; } - inputLine = (Guchar *)gmallocn(inputLineSize, sizeof(char)); + inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char)); if (nBits == 8) { imgLine = (Guchar *)inputLine; } else { ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
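Review bot: The comment `// force a call to gmallocn(-1,...), which will throw an exception` is stale after this change, because the allocation now goes through `gmallocn_checkoverflow`, and the hunk shows no null check before `imgLine = (Guchar *)inputLine;`. If the checkoverflow variant returns NULL instead of aborting (its definition is not shown), every later use of inputLine has to tolerate that. Rewording the comment to `// force gmallocn_checkoverflow to fail` and testing the result would make the failure path explicit.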
[poppler] poppler/Stream.cc
poppler/Stream.cc |3 +++ 1 file changed, 3 insertions(+) New commits: commit 50c0b294d08114920a5db711876e20d991f474a6 Author: Albert Astals Cid Date: Sun Apr 29 22:33:09 2012 +0200 Make sure the index to dcHuffTables and acHuffTables is in bounds Found in a fuzzed pdf sent by Mateusz "j00ru" Jurczyk and Gynvael Coldwind diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 423bf1c..4ce6c00 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -2581,6 +2581,9 @@ GBool DCTStream::readMCURow() { vSub = vert / 8; for (y2 = 0; y2 < mcuHeight; y2 += vert) { for (x2 = 0; x2 < mcuWidth; x2 += horiz) { + if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) { + return gFalse; + } if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]], &acHuffTables[scanInfo.acHuffTable[cc]], &compInfo[cc].prevDC, ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
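Review bot: The new test guards only the upper bound; if `dcHuffTable` and `acHuffTable` hold a signed type (their declaration is outside the hunk), a negative entry would still index in front of `dcHuffTables`. `scanInfo.dcHuffTable[cc] < 0 || scanInfo.dcHuffTable[cc] >= 4`, and the same for `acHuffTable`, would cover both sides. The condition does not depend on x2 or y2, so it could be hoisted out of the two loops or, better, enforced where the scan header is parsed so that no later reader of scanInfo sees an out-of-range value.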
[poppler] poppler/Stream.cc
poppler/Stream.cc |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) New commits: commit 675ef2bda3c4e06b39e2ba09b3b19d99cfb001b6 Author: Oliver Sander Date: Thu Feb 23 23:22:50 2012 +0100 Compile diff --git a/poppler/Stream.cc b/poppler/Stream.cc index d5f4e0c..04aac31 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -24,6 +24,7 @@ // Copyright (C) 2010 Tomas Hoger // Copyright (C) 2011 William Bader // Copyright (C) 2012 Thomas Freitag +// Copyright (C) 2012 Oliver Sander // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -2343,7 +2344,7 @@ DCTStream::~DCTStream() { void DCTStream::dctReset(GBool unfiltered) { if (unfiltered) -str->unfilteredReset() +str->unfilteredReset(); else str->reset(); ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc | 26 -- poppler/Stream.h |3 +++ 2 files changed, 23 insertions(+), 6 deletions(-) New commits: commit 9b72ee4e4c8658b2f7cd542d601a5c3be621d3fc Author: Thomas Freitag Date: Sat Feb 18 17:34:12 2012 +0100 Make some of the unfilteredResets be really unfiltered diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 5ebd5af..d5f4e0c 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -23,6 +23,7 @@ // Copyright (C) 2010 Hib Eris // Copyright (C) 2010 Tomas Hoger // Copyright (C) 2011 William Bader +// Copyright (C) 2012 Thomas Freitag // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -1599,8 +1600,11 @@ CCITTFaxStream::~CCITTFaxStream() { gfree(codingLine); } -void CCITTFaxStream::unfilteredReset () { - str->reset(); +void CCITTFaxStream::ccittReset(GBool unfiltered) { + if (unfiltered) +str->unfilteredReset(); + else +str->reset(); row = 0; nextLine2D = encoding < 0; @@ -1610,10 +1614,14 @@ void CCITTFaxStream::unfilteredReset () { buf = EOF; } +void CCITTFaxStream::unfilteredReset() { + ccittReset(gTrue); +} + void CCITTFaxStream::reset() { int code1; - unfilteredReset(); + ccittReset(gFalse); if (codingLine != NULL && refLine != NULL) { eof = gFalse; @@ -2333,8 +2341,11 @@ DCTStream::~DCTStream() { delete str; } -void DCTStream::unfilteredReset() { - str->reset(); +void DCTStream::dctReset(GBool unfiltered) { + if (unfiltered) +str->unfilteredReset() + else +str->reset(); progressive = interleaved = gFalse; width = height = 0; @@ -2347,11 +2358,14 @@ void DCTStream::unfilteredReset() { restartInterval = 0; } +void DCTStream::unfilteredReset() { + dctReset(gTrue); +} void DCTStream::reset() { int i, j; - unfilteredReset(); + dctReset(gFalse); if (!readHeader()) { y = height; diff --git a/poppler/Stream.h b/poppler/Stream.h index 3276940..33165aa 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h 
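Review bot: `str->unfilteredReset()` in the new `DCTStream::dctReset` has no terminating semicolon before `else`, so Stream.cc does not compile as committed; the parallel line in `CCITTFaxStream::ccittReset` has it. The line should read `str->unfilteredReset();`. Braces around both branches of the `if (unfiltered)` would have made the slip harder to miss.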
@@ -20,6 +20,7 @@ // Copyright (C) 2009 Stefan Thomas // Copyright (C) 2010 Hib Eris // Copyright (C) 2011 William Bader +// Copyright (C) 2012 Thomas Freitag // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -785,6 +786,7 @@ public: private: + void ccittReset(GBool unfiltered); int encoding;// 'K' parameter GBool endOfLine; // 'EndOfLine' parameter GBool byteAlign; // 'EncodedByteAlign' parameter @@ -861,6 +863,7 @@ public: private: + void dctReset(GBool unfiltered); GBool progressive; // set if in progressive mode GBool interleaved; // set if in interleaved mode int width, height; // image size ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/Stream.h
poppler/Stream.cc |1 + poppler/Stream.h |1 + 2 files changed, 2 insertions(+) New commits: commit 00076bc308ae320244c4fe351c1c2bef2da8 Author: Albert Astals Cid Date: Fri Jun 24 22:51:55 2011 +0100 Forgot William's (C) here diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 7b46c01..ee53502 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -22,6 +22,7 @@ // Copyright (C) 2009 Stefan Thomas // Copyright (C) 2010 Hib Eris // Copyright (C) 2010 Tomas Hoger +// Copyright (C) 2011 William Bader // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git diff --git a/poppler/Stream.h b/poppler/Stream.h index ee03f4e..fce6590 100644 --- a/poppler/Stream.h +++ b/poppler/Stream.h @@ -19,6 +19,7 @@ // Copyright (C) 2009 Carlos Garcia Campos // Copyright (C) 2009 Stefan Thomas // Copyright (C) 2010 Hib Eris +// Copyright (C) 2011 William Bader // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc poppler/XRef.cc splash/SplashBitmap.cc splash/Splash.cc splash/SplashErrorCodes.h
poppler/Stream.cc |4 poppler/XRef.cc | 19 +++ splash/Splash.cc |7 +++ splash/SplashBitmap.cc| 37 ++--- splash/SplashErrorCodes.h |4 +++- 5 files changed, 59 insertions(+), 12 deletions(-) New commits: commit 1082e1671afd8ab91583dabc876304008acb021c Author: Albert Astals Cid Date: Fri Oct 16 23:17:22 2009 +0200 Some "security" fixes based on newly released Xpdf 3.02pl4 diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 7137c5e..6634317 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -405,6 +405,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) { } else { imgLineSize = nVals; } + if (width > INT_MAX / nComps) { +// force a call to gmallocn(-1,...), which will throw an exception +imgLineSize = -1; + } imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); imgIdx = nVals; } diff --git a/poppler/XRef.cc b/poppler/XRef.cc index 832a038..e5fd92a 100644 --- a/poppler/XRef.cc +++ b/poppler/XRef.cc @@ -76,6 +76,8 @@ public: // generation 0. ObjectStream(XRef *xref, int objStrNumA); + GBool isOk() { return ok; } + ~ObjectStream(); // Return the object number of this object stream. @@ -91,6 +93,7 @@ private: int nObjects;// number of objects in the stream Object *objs;// the objects (length = nObjects) int *objNums;// the object numbers (length = nObjects) + GBool ok; }; ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { @@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { nObjects = 0; objs = NULL; objNums = NULL; + ok = gFalse; if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) { goto err1; 
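Review bot: `width > INT_MAX / nComps` in the ImageStream hunk divides by `nComps` with no visible check that it is non-zero, so a stream declaring zero components would fault on the very line meant to catch bad input, and a negative nComps inverts the comparison. Guarding it as `if (nComps <= 0 || width > INT_MAX / nComps) {` avoids both. The check also sits after `imgLineSize` has been derived from `nVals`, whose computation is above the hunk, so the product it protects has presumably been evaluated already; the constructor starts outside the hunk.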
@@ -129,11 +133,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { goto err1; } - if (nObjects >= INT_MAX / (int)sizeof(int)) { -error(-1, "Invalid 'nObjects'"); + // this is an arbitrary limit to avoid integer overflow problems + // in the 'new Object[nObjects]' call (Acrobat apparently limits + // object streams to 100-200 objects) + if (nObjects > 100) { +error(-1, "Too many objects in an object stream"); goto err1; } - objs = new Object[nObjects]; objNums = (int *)gmallocn(nObjects, sizeof(int)); offsets = (int *)gmallocn(nObjects, sizeof(int)); @@ -190,10 +196,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { } gfree(offsets); + ok = gTrue; err1: objStr.free(); - return; } ObjectStream::~ObjectStream() { @@ -970,6 +976,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) { delete objStr; } objStr = new ObjectStream(this, e->offset); + if (!objStr->isOk()) { + delete objStr; + objStr = NULL; + goto err; + } } objStr->getObject(e->gen, num, obj); break; diff --git a/splash/Splash.cc b/splash/Splash.cc index a1deb85..834cb10 100644 --- a/splash/Splash.cc +++ b/splash/Splash.cc @@ -27,6 +27,7 @@ #include #include +#include #include "goo/gmem.h" #include "SplashErrorCodes.h" #include "SplashMath.h" @@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(SplashImageMaskSource src, void *srcData, xq = w % scaledWidth; // allocate pixel buffer + if (yp < 0 || yp > INT_MAX - 1) { +return splashErrBadArg; + } pixBuf = (SplashColorPtr)gmallocn((yp + 1), w); // initialize the pixel pipe @@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImageSource src, void *srcData, xq = w % scaledWidth; // allocate pixel buffers + if (yp < 0 || yp > INT_MAX - 1) { +return splashErrBadArg; + } colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps); if (srcAlpha) { alphaBuf = (Guchar *)gmallocn((yp + 1), w); diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc index 2337a62..999efd1 100644 --- a/splash/SplashBitmap.cc 
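Review bot: The hard limit `nObjects > 100` in ObjectStream::ObjectStream is stricter than the range its own comment cites (100-200 objects), so a well-formed stream with more than 100 entries is now rejected. With the new `isOk()` test in XRef::fetch, a rejected stream takes the `goto err` path for every object it holds. The overflow concern is `new Object[nObjects]` and the two `gmallocn(nObjects, sizeof(int))` calls, which a larger named bound would still protect. I would use a named constant set above the cited range and test both ends, `if (nObjects <= 0 || nObjects > maxObjectsPerStream) {`, unless the lines above the hunk already reject non-positive counts (not visible here).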
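Review bot: The guards added to Splash::fillImageMask and Splash::drawImage sit under the existing "allocate pixel buffer(s)" comment with nothing saying what they protect. The expression at risk is `yp + 1`, which is passed to gmallocn and gmallocn3 right below, so I would add `// reject yp values for which yp + 1 is non-positive or overflows int` above each `if`. `w` and `nComps` reach the allocators unchecked in these hunks, so the comment should also say that the product itself is left to gmallocn's own overflow handling, if that is the intent. Both functions extend beyond their hunks.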
+++ b/splash/SplashBitmap.cc @@ -29,6 +29,7 @@ #include #include +#include #include "goo/gmem.h" #include "SplashErrorCodes.h" #include "SplashBitmap.h" @@ -48,26 +49,48 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, int rowPad, mode = modeA; switch (mode) { case splashModeMono1: -rowSize = (width + 7) >> 3; +if (width > 0) { + rowSize = (width + 7) >> 3; +} else { + rowSize = -1; +} break; case splashModeMono8: -rowSize = width; +if (width > 0) { + rowSize = width; +} else { + rowSize = -1; +} break; case splashModeRGB8: case splashModeBGR8: -rowSize = width * 3; +if (width > 0 && width <= INT_MAX / 3) { + rowSize = width * 3; +} else { + rowSize = -1; +} break; case splashModeXBGR8: -rowSize = width * 4; +if (width > 0 && width <= INT_MAX / 4) { + rowSize = width * 4; +} else { + rowSize = -1; +}
[poppler] poppler/Stream.cc
poppler/Stream.cc |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) New commits: commit c2458275e02f56226779b82d73c13defcbbda563 Author: Glenn Ganz Date: Fri Oct 16 20:54:32 2009 +0200 fix constructor of DCTStream diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 01efcd6..7137c5e 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -18,6 +18,7 @@ // Copyright (C) 2007 Krzysztof Kowalczyk // Copyright (C) 2008 Julien Rebetez // Copyright (C) 2009 Carlos Garcia Campos +// Copyright (C) 2009 Glenn Ganz // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -2030,7 +2031,7 @@ static const int dctZigZag[64] = { 63 }; -DCTStream::DCTStream(Stream *strA, GBool colorXformA): +DCTStream::DCTStream(Stream *strA, int colorXformA): FilterStream(strA) { int i, j; ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc |1 - 1 file changed, 1 deletion(-) New commits: commit 66b34c78943be598778a3ef438b0cefac668c6a2 Author: Albert Astals Cid <[EMAIL PROTECTED]> Date: Sat Aug 2 13:54:34 2008 +0200 This should not be here, breaks jpeg rendering when not using libjpeg That was included erroneously when the file writing code was added diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 667a3e3..b8dd39a 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -2050,7 +2050,6 @@ void DCTStream::unfilteredReset() { numQuantTables = 0; numDCHuffTables = 0; numACHuffTables = 0; - colorXform = 0; gotJFIFMarker = gFalse; gotAdobeMarker = gFalse; restartInterval = 0; ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/Stream.cc
poppler/Stream.cc | 21 +++-- 1 file changed, 15 insertions(+), 6 deletions(-) New commits: commit 1b3f045a25e5d172357bc87c15ba591c8e1511a7 Author: Albert Astals Cid <[EMAIL PROTECTED]> Date: Thu Nov 8 23:34:07 2007 +0100 Move another gmallocn to gmallocn_checkoverflow. Fixes crashes on incorrect pdf sent by Red Hat diff --git a/poppler/Stream.cc b/poppler/Stream.cc index 85d46bf..3e44e27 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1261,14 +1261,18 @@ CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA, // ---> max codingLine size = columns + 1 // refLine has one extra guard entry at the end // ---> max refLine size = columns + 2 - codingLine = (int *)gmallocn(columns + 1, sizeof(int)); - refLine = (int *)gmallocn(columns + 2, sizeof(int)); + codingLine = (int *)gmallocn_checkoverflow(columns + 1, sizeof(int)); + refLine = (int *)gmallocn_checkoverflow(columns + 2, sizeof(int)); - eof = gFalse; + if (codingLine != NULL && refLine != NULL) { +eof = gFalse; +codingLine[0] = columns; + } else { +eof = gTrue; + } row = 0; nextLine2D = encoding < 0; inputBits = 0; - codingLine[0] = columns; a0i = 0; outputBits = 0; @@ -1285,11 +1289,16 @@ void CCITTFaxStream::reset() { short code1; str->reset(); - eof = gFalse; + + if (codingLine != NULL && refLine != NULL) { +eof = gFalse; +codingLine[0] = columns; + } else { +eof = gTrue; + } row = 0; nextLine2D = encoding < 0; inputBits = 0; - codingLine[0] = columns; a0i = 0; outputBits = 0; buf = EOF; ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
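Review bot: `columns + 1` and `columns + 2` are still evaluated as plain int before gmallocn_checkoverflow sees them, so a `columns` value at or near INT_MAX overflows (undefined behaviour) ahead of the checked allocation, and a negative value yields a non-positive count. Unless `columns` is clamped above the hunk (not visible here), I would bound it first: `if (columns < 1) columns = 1; else if (columns > INT_MAX - 2) columns = INT_MAX - 2;`. The allocation-failure state is carried only by `eof = gTrue`, in the constructor and again in CCITTFaxStream::reset(). A short comment at each site, saying that every reader must test `eof` before touching `codingLine` or `refLine`, would help keep later changes from reintroducing the NULL dereference. Both functions extend beyond their hunks.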
[poppler] poppler/poppler: Stream.cc,1.14,1.15 Stream.h,1.10,1.11
Update of /cvs/poppler/poppler/poppler In directory kemper:/tmp/cvs-serv15199/poppler Modified Files: Stream.cc Stream.h Log Message: * poppler/Stream.h: * poppler/Stream.cc: Remove MemStream::setNeedFree method i really did not need it * qt4/src/poppler-document.cc: * qt4/src/poppler-link.cc: * qt4/src/poppler-page.cc: * qt4/src/poppler-private.h: Make Document::loadFromData work on documents with a password and don't need to do a malloc and a memcpy. Index: Stream.cc === RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- Stream.cc 13 Jan 2007 17:56:07 - 1.14 +++ Stream.cc 13 Jan 2007 23:19:21 - 1.15 @@ -806,11 +806,6 @@ } } -void MemStream::setNeedFree(GBool needsFree) -{ - needFree = needsFree; -} - // // EmbedStream // Index: Stream.h === RCS file: /cvs/poppler/poppler/poppler/Stream.h,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- Stream.h13 Jan 2007 17:56:07 - 1.10 +++ Stream.h13 Jan 2007 23:19:21 - 1.11 @@ -318,7 +318,6 @@ virtual void moveStart(int delta); virtual void doDecryption(Guchar *fileKey, int keyLength, int objNum, int objGen); - void setNeedFree(GBool needsFree); private: ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
[poppler] poppler/poppler: Stream.cc,1.13,1.14 Stream.h,1.9,1.10
Update of /cvs/poppler/poppler/poppler In directory kemper:/tmp/cvs-serv29307/poppler Modified Files: Stream.cc Stream.h Log Message: * poppler/Stream.h: * poppler/Stream.cc: Add MemStream::setNeedFree method * qt4/src/poppler-document.cc: * qt4/src/poppler-private.h: * qt4/src/poppler-qt4.h: Add Document::loadFromData method Index: Stream.cc === RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v retrieving revision 1.13 retrieving revision 1.14 diff -u -d -r1.13 -r1.14 --- Stream.cc 27 Jul 2006 18:17:50 - 1.13 +++ Stream.cc 13 Jan 2007 17:56:07 - 1.14 @@ -806,6 +806,11 @@ } } +void MemStream::setNeedFree(GBool needsFree) +{ + needFree = needsFree; +} + // // EmbedStream // Index: Stream.h === RCS file: /cvs/poppler/poppler/poppler/Stream.h,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- Stream.h28 Feb 2006 19:59:58 - 1.9 +++ Stream.h13 Jan 2007 17:56:07 - 1.10 @@ -318,6 +318,7 @@ virtual void moveStart(int delta); virtual void doDecryption(Guchar *fileKey, int keyLength, int objNum, int objGen); + void setNeedFree(GBool needsFree); private: ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
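Review bot: MemStream::setNeedFree lets a caller change buffer ownership after construction, and neither the definition in Stream.cc nor the declaration in Stream.h documents the contract. If `needFree` decides whether the destructor releases the buffer (the destructor is not in this diff, so this is an assumption), then setting it to true on memory the caller also frees is a double free, and setting it to false on memory the stream owns is a leak. I would add a comment on the declaration such as `// If needsFree is true the MemStream owns the buffer and releases it on destruction; the caller must not free it.` and name the deallocator the buffer must be compatible with.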
[poppler] poppler/poppler: Stream.cc,1.12,1.13
Update of /cvs/poppler/poppler/poppler In directory kemper:/tmp/cvs-serv1936/poppler Modified Files: Stream.cc Log Message: * poppler/Stream.cc: If you are going to test a variable, better initialize it first ;-) Fixes bug 7646 Index: Stream.cc === RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v retrieving revision 1.12 retrieving revision 1.13 diff -u -d -r1.12 -r1.13 --- Stream.cc 28 Feb 2006 19:59:58 - 1.12 +++ Stream.cc 27 Jul 2006 18:17:50 - 1.13 @@ -421,13 +421,13 @@ predLine = NULL; ok = gFalse; + nVals = width * nComps; if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps >= INT_MAX/nBits || width >= INT_MAX/nComps/nBits || nVals * nBits + 7 < 0) { return; } - nVals = width * nComps; totalBits = nVals * nBits; if (totalBits == 0 || (totalBits / nBits) / nComps != width || ___ poppler mailing list poppler@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/poppler
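Review bot: Moving `nVals = width * nComps;` above the validation fixes the uninitialized read, but the multiplication now runs before `width <= 0 || nComps <= 0` and the INT_MAX bounds are tested, so dimensions taken from the file can overflow the signed product first. The last clause, `nVals * nBits + 7 < 0`, also detects overflow only through wraparound, which is undefined for int and may be optimised away by the compiler. I would keep the range checks on `width`, `nComps` and `nBits` first, then assign `nVals = width * nComps;` and bound it without overflowing: `if (nVals >= (INT_MAX - 7) / nBits) return;`. The constructor's body continues outside the hunk.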