[poppler] poppler/Stream.cc

2023-04-27 Thread GitLab Mirror
 poppler/Stream.cc |9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

New commits:
commit 2cf3cf58ed9f70b99e6ee93c57bb434a52a0e857
Author: Albert Astals Cid 
Date:   Thu Apr 27 11:50:45 2023 +0200

Check overflow in nvals correctly

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 07720632..42d18880 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jeff Muizelaar 
-// Copyright (C) 2006-2010, 2012-2014, 2016-2021 Albert Astals Cid 

+// Copyright (C) 2006-2010, 2012-2014, 2016-2021, 2023 Albert Astals Cid 

 // Copyright (C) 2007 Krzysztof Kowalczyk 
 // Copyright (C) 2008 Julien Rebetez 
 // Copyright (C) 2009 Carlos Garcia Campos 
@@ -728,9 +728,10 @@ StreamPredictor::StreamPredictor(Stream *strA, int 
predictorA, int widthA, int n
 predLine = nullptr;
 ok = false;
 
-nVals = width * nComps;
-if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps 
|| nBits > 16 || width >= INT_MAX / nComps || // check for overflow in nVals
-nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+if (checkedMultiply(width, nComps, &nVals)) {
+return;
+}
+if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > gfxColorMaxComps 
|| nBits > 16 || nVals >= (INT_MAX - 7) / nBits) { // check for overflow in 
rowBytes
 return;
 }
 pixBytes = (nComps * nBits + 7) >> 3;
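Review bot: The new `if (checkedMultiply(width, nComps, &nVals))` guard lost the `// check for overflow in nVals` annotation the old condition carried, and because the helper signals overflow by returning true, the bare early return reads inverted at first glance. I would keep the intent on the line, e.g. `if (checkedMultiply(width, nComps, &nVals)) { // true: width * nComps does not fit in an int`. It is also worth saying there that the product is no longer formed unchecked, since the old `nVals = width * nComps;` was itself signed-overflow UB for oversized dimensions. The constructor starts and ends outside the hunk.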


[poppler] poppler/Stream.cc

2021-01-05 Thread GitLab Mirror
 poppler/Stream.cc |   22 ++
 1 file changed, 14 insertions(+), 8 deletions(-)

New commits:
commit d049732d60c8c44f8945f5a99ab6a4d7c252
Author: Albert Astals Cid 
Date:   Tue Jan 5 23:55:46 2021 +0100

Generalize the EOFStream wrapping EOFStream code

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index cd1189d4..666d5b2a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -167,6 +167,16 @@ GooString *Stream::getPSFilter(int psLevel, const char 
*indent)
 return new GooString();
 }
 
+static Stream *wrapEOFStream(Stream *str)
+{
+if (dynamic_cast(str)) {
+// str is already a EOFStream, no need to wrap it in another EOFStream
+return str;
+} else {
+return new EOFStream(str);
+}
+}
+
 Stream *Stream::addFilters(Dict *dict, int recursion)
 {
 Object obj, obj2;
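Review bot: `wrapEOFStream` has no comment saying why the check exists or who owns the result. The earlier commit on this code ties EOFStream-in-EOFStream nesting to stack overflows (oss-fuzz/29184), so a header such as `// Wraps str in an EOFStream unless it already is one; a malformed filter list could otherwise nest EOFStreams until the stack overflows.` would keep a later cleanup from dropping the guard. The helper only inspects the outermost stream, so an EOFStream sitting under another filter would still be wrapped again; whether that can happen is not visible from this hunk. The `else` after `return str;` is redundant and could be flattened.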
@@ -196,11 +206,7 @@ Stream *Stream::addFilters(Dict *dict, int recursion)
 str = makeFilter(obj2.getName(), str, ¶ms2, recursion);
 } else {
 error(errSyntaxError, getPos(), "Bad filter name");
-if (dynamic_cast(str)) {
-// str is already a EOFStream, no need to wrap it in 
another EOFStream
-} else {
-str = new EOFStream(str);
-}
+str = wrapEOFStream(str);
 }
 }
 } else if (!obj.isNull()) {
@@ -342,7 +348,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, 
Object *params, int re
 str = new DCTStream(str, colorXform, dict, recursion);
 #else
 error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name);
-str = new EOFStream(str);
+str = wrapEOFStream(str);
 #endif
 } else if (!strcmp(name, "FlateDecode") || !strcmp(name, "Fl")) {
 pred = 1;
@@ -377,7 +383,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, 
Object *params, int re
 str = new JPXStream(str);
 #else
 error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name);
-str = new EOFStream(str);
+str = wrapEOFStream(str);
 #endif
 } else if (!strcmp(name, "Crypt")) {
 if (str->getKind() == strCrypt) {
@@ -387,7 +393,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, 
Object *params, int re
 }
 } else {
 error(errSyntaxError, getPos(), "Unknown filter '{0:s}'", name);
-str = new EOFStream(str);
+str = wrapEOFStream(str);
 }
 return str;
 }


[poppler] poppler/Stream.cc

2021-01-03 Thread GitLab Mirror
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit af267b33cc42ccb9d1a89e06fed1481657c4b3f0
Author: Albert Astals Cid 
Date:   Sun Jan 3 12:25:01 2021 +0100

Update (C)

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 3518c257..cd1189d4 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jeff Muizelaar 
-// Copyright (C) 2006-2010, 2012-2014, 2016-2020 Albert Astals Cid 

+// Copyright (C) 2006-2010, 2012-2014, 2016-2021 Albert Astals Cid 

 // Copyright (C) 2007 Krzysztof Kowalczyk 
 // Copyright (C) 2008 Julien Rebetez 
 // Copyright (C) 2009 Carlos Garcia Campos 


[poppler] poppler/Stream.cc

2021-01-03 Thread GitLab Mirror
 poppler/Stream.cc |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit 72183a3ff881316bb470cc0f6db08cf9ef044e53
Author: Albert Astals Cid 
Date:   Sun Jan 3 12:10:55 2021 +0100

Don't wrap EOFStream in an EOFStream

It's unneeded and can be relatively easily used to create stack
overflows

oss-fuzz/29184

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index fb36e712..3518c257 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -196,7 +196,11 @@ Stream *Stream::addFilters(Dict *dict, int recursion)
 str = makeFilter(obj2.getName(), str, ¶ms2, recursion);
 } else {
 error(errSyntaxError, getPos(), "Bad filter name");
-str = new EOFStream(str);
+if (dynamic_cast(str)) {
+// str is already a EOFStream, no need to wrap it in 
another EOFStream
+} else {
+str = new EOFStream(str);
+}
 }
 }
 } else if (!obj.isNull()) {
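Review bot: The already-an-EOFStream test is added only on the "Bad filter name" path of `addFilters`; the unknown-filter fallbacks in `makeFilter` (outside this hunk) appear to keep calling `new EOFStream(str)` unconditionally, so the same nesting can presumably still be built through them. Putting the test in one small static helper and calling it from every fallback site would close all routes at once. The `if` branch that holds only a comment would also read better negated, keeping just the `str = new EOFStream(str);` arm with the comment above it. `addFilters` starts and ends outside the hunk.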


[poppler] poppler/Stream.cc

2020-11-20 Thread GitLab Mirror
 poppler/Stream.cc |   15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

New commits:
commit cd145d56617e7e7501a0054f42b9068babed3dc5
Author: Albert Astals Cid 
Date:   Fri Nov 20 09:13:34 2020 +0100

Fix rendering of some files

StreamPredictor::getNextLine when predictor == 2 && nBits == 1 && nComps == 1

Issue #976
Issue #567

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 83c5f75e..ba35a10f 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -749,7 +749,7 @@ bool StreamPredictor::getNextLine()
 unsigned char upLeftBuf[gfxColorMaxComps * 2 + 1];
 int left, up, upLeft, p, pa, pb, pc;
 int c;
-unsigned long inBuf, outBuf, bitMask;
+unsigned long inBuf, outBuf;
 int inBits, outBits;
 int i, j, k, kk;
 
@@ -822,10 +822,13 @@ bool StreamPredictor::getNextLine()
 if (predictor == 2) {
 if (nBits == 1 && nComps == 1) {
 inBuf = predLine[pixBytes - 1];
-for (i = pixBytes; i < rowBytes; i += 8) {
-// 1-bit add is just xor
-inBuf = (inBuf << 8) | predLine[i];
-predLine[i] ^= inBuf >> nComps;
+for (i = pixBytes; i < rowBytes; ++i) {
+c = predLine[i] ^ inBuf;
+c ^= c >> 1;
+c ^= c >> 2;
+c ^= c >> 4;
+inBuf = (c & 1) << 7;
+predLine[i] = c;
 }
 } else if (nBits == 8) {
 for (i = pixBytes; i < rowBytes; ++i) {
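Review bot: The rewritten 1-bit predictor loop drops the old `// 1-bit add is just xor` comment and leaves the shift cascade unexplained. A short comment would help, for example `// prefix-XOR across the byte, MSB first: each pixel is XORed with its decoded left neighbour` above `c ^= c >> 1;` and `// carry the last decoded pixel into bit 7 for the next byte` on `inBuf = (c & 1) << 7;`. `c` is an `int` while `inBuf` is `unsigned long`, so `c = predLine[i] ^ inBuf;` narrows implicitly; the value stays within a byte here, but an explicit cast would make that visible. `getNextLine` continues outside the hunk.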
@@ -833,7 +836,7 @@ bool StreamPredictor::getNextLine()
 }
 } else {
 memset(upLeftBuf, 0, nComps + 1);
-bitMask = (1 << nBits) - 1;
+const unsigned long bitMask = (1 << nBits) - 1;
 inBuf = outBuf = 0;
 inBits = outBits = 0;
 j = k = pixBytes;


[poppler] poppler/Stream.cc poppler/Stream.h

2020-09-14 Thread GitLab Mirror
 poppler/Stream.cc |2 +-
 poppler/Stream.h  |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 56cf80b2c53fa61d29b4718df092248a062c61e0
Author: Albert Astals Cid 
Date:   Mon Sep 14 22:56:15 2020 +0200

Update (C)

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 2220f29c..c36ce113 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -22,7 +22,7 @@
 // Copyright (C) 2009 Stefan Thomas 
 // Copyright (C) 2010 Hib Eris 
 // Copyright (C) 2010 Tomas Hoger 
-// Copyright (C) 2011, 2012, 2016 William Bader 
+// Copyright (C) 2011, 2012, 2016, 2020 William Bader 

 // Copyright (C) 2012, 2013, 2020 Thomas Freitag 
 // Copyright (C) 2012 Oliver Sander 
 // Copyright (C) 2012 Fabio D'Urso 
diff --git a/poppler/Stream.h b/poppler/Stream.h
index abd60d4b..7d51db60 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -19,7 +19,7 @@
 // Copyright (C) 2009 Carlos Garcia Campos 
 // Copyright (C) 2009 Stefan Thomas 
 // Copyright (C) 2010 Hib Eris 
-// Copyright (C) 2011, 2012, 2016 William Bader 
+// Copyright (C) 2011, 2012, 2016, 2020 William Bader 

 // Copyright (C) 2012, 2013 Thomas Freitag 
 // Copyright (C) 2012, 2013 Fabio D'Urso 
 // Copyright (C) 2013, 2017 Adrian Johnson 


[poppler] poppler/Stream.cc poppler/Stream.h

2019-09-30 Thread GitLab Mirror
 poppler/Stream.cc |   50 ++
 poppler/Stream.h  |4 ++--
 2 files changed, 28 insertions(+), 26 deletions(-)

New commits:
commit 7b9aa28e5eb613e7a9d7c6c688aea4025a35543a
Author: Albert Astals Cid 
Date:   Sun Sep 29 17:59:52 2019 +0200

Also switch the const_cast in Stream

This way we only const_cast in free()

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index bd918efb..8c29f8eb 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -4433,7 +4433,7 @@ static const FlateCode flateFixedLitCodeTabCodes[512] = {
 };
 
 FlateHuffmanTab FlateStream::fixedLitCodeTab = {
-  const_cast(flateFixedLitCodeTabCodes), 9
+  flateFixedLitCodeTabCodes, 9
 };
 
 static const FlateCode flateFixedDistCodeTabCodes[32] = {
@@ -4472,7 +4472,7 @@ static const FlateCode flateFixedDistCodeTabCodes[32] = {
 };
 
 FlateHuffmanTab FlateStream::fixedDistCodeTab = {
-  const_cast(flateFixedDistCodeTabCodes), 5
+  flateFixedDistCodeTabCodes, 5
 };
 
 FlateStream::FlateStream(Stream *strA, int predictor, int columns,
@@ -4494,10 +4494,10 @@ FlateStream::FlateStream(Stream *strA, int predictor, 
int columns,
 
 FlateStream::~FlateStream() {
   if (litCodeTab.codes != fixedLitCodeTab.codes) {
-gfree(litCodeTab.codes);
+gfree(const_cast(litCodeTab.codes));
   }
   if (distCodeTab.codes != fixedDistCodeTab.codes) {
-gfree(distCodeTab.codes);
+gfree(const_cast(distCodeTab.codes));
   }
   if (pred) {
 delete pred;
@@ -4685,11 +4685,11 @@ bool FlateStream::startBlock() {
 
   // free the code tables from the previous block
   if (litCodeTab.codes != fixedLitCodeTab.codes) {
-gfree(litCodeTab.codes);
+gfree(const_cast(litCodeTab.codes));
   }
   litCodeTab.codes = nullptr;
   if (distCodeTab.codes != fixedDistCodeTab.codes) {
-gfree(distCodeTab.codes);
+gfree(const_cast(distCodeTab.codes));
   }
   distCodeTab.codes = nullptr;
 
@@ -4791,7 +4791,7 @@ bool FlateStream::readDynamicCodes() {
   goto err;
 }
   }
-  compHuffmanCodes(codeLenCodeLengths, flateMaxCodeLenCodes, &codeLenCodeTab);
+  codeLenCodeTab.codes = compHuffmanCodes(codeLenCodeLengths, 
flateMaxCodeLenCodes, &codeLenCodeTab.maxLen);
 
   // build the literal and distance code tables
   len = 0;
@@ -4840,44 +4840,44 @@ bool FlateStream::readDynamicCodes() {
   codeLengths[i++] = len = code;
 }
   }
-  compHuffmanCodes(codeLengths, numLitCodes, &litCodeTab);
-  compHuffmanCodes(codeLengths + numLitCodes, numDistCodes, &distCodeTab);
+  litCodeTab.codes = compHuffmanCodes(codeLengths, numLitCodes, 
&litCodeTab.maxLen);
+  distCodeTab.codes = compHuffmanCodes(codeLengths + numLitCodes, 
numDistCodes, &distCodeTab.maxLen);
 
-  gfree(codeLenCodeTab.codes);
+  gfree(const_cast(codeLenCodeTab.codes));
   return true;
 
 err:
   error(errSyntaxError, getPos(), "Bad dynamic code table in flate stream");
-  gfree(codeLenCodeTab.codes);
+  gfree(const_cast(codeLenCodeTab.codes));
   return false;
 }
 
 // Convert an array  of  lengths, in value order, into a
 // Huffman code lookup table.
-void FlateStream::compHuffmanCodes(int *lengths, int n, FlateHuffmanTab *tab) {
-  int tabSize, len, code, code2, skip, val, i, t;
+FlateCode *FlateStream::compHuffmanCodes(const int *lengths, int n, int 
*maxLen) {
+  int len, code, code2, skip, val, i, t;
 
   // find max code length
-  tab->maxLen = 0;
+  *maxLen = 0;
   for (val = 0; val < n; ++val) {
-if (lengths[val] > tab->maxLen) {
-  tab->maxLen = lengths[val];
+if (lengths[val] > *maxLen) {
+  *maxLen = lengths[val];
 }
   }
 
   // allocate the table
-  tabSize = 1 << tab->maxLen;
-  tab->codes = (FlateCode *)gmallocn(tabSize, sizeof(FlateCode));
+  const int tabSize = 1 << *maxLen;
+  FlateCode *codes = (FlateCode *)gmallocn(tabSize, sizeof(FlateCode));
 
   // clear the table
   for (i = 0; i < tabSize; ++i) {
-tab->codes[i].len = 0;
-tab->codes[i].val = 0;
+codes[i].len = 0;
+codes[i].val = 0;
   }
 
   // build the table
   for (len = 1, code = 0, skip = 2;
-   len <= tab->maxLen;
+   len <= *maxLen;
++len, code <<= 1, skip <<= 1) {
 for (val = 0; val < n; ++val) {
   if (lengths[val] == len) {
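Review bot: `compHuffmanCodes` now returns a `gmallocn`-allocated table and reports the depth through `maxLen`, but the comment above it still only says it converts lengths into a lookup table. I would extend it to state that the caller owns the returned pointer and that `*maxLen` is an output, e.g. `// Returns a newly allocated table of 1 << *maxLen entries; the caller releases it with gfree().`. Separately, `const int tabSize = 1 << *maxLen;` relies on every entry of `lengths` being small enough for the shift; that bound is presumably enforced where the lengths are read, which this hunk does not show. The function body continues into the next hunk.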
@@ -4892,18 +4892,20 @@ void FlateStream::compHuffmanCodes(int *lengths, int n, 
FlateHuffmanTab *tab) {
 
// fill in the table entries
for (i = code2; i < tabSize; i += skip) {
- tab->codes[i].len = (unsigned short)len;
- tab->codes[i].val = (unsigned short)val;
+ codes[i].len = (unsigned short)len;
+ codes[i].val = (unsigned short)val;
}
 
++code;
   }
 }
   }
+  
+  return codes;
 }
 
 int FlateStream::getHuffmanCodeWord(FlateHuffmanTab *tab) {
-  FlateCode *code;
+  const FlateCode *code;
   int c;
 
   while (codeSize < tab->maxLen) {
diff --git a/poppler/Stream.h b/poppler/Stream.h
index 58246f19..1b0ae69b 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -1065,7 +1065,7 @@ struct Flate

[poppler] poppler/Stream.cc

2019-02-27 Thread GitLab Mirror
 poppler/Stream.cc |3 +++
 1 file changed, 3 insertions(+)

New commits:
commit f4136a6353162db249f63ddb0f20611622ab61b4
Author: Albert Astals Cid 
Date:   Wed Feb 27 19:43:22 2019 +0100

ImageStream::getLine: fix crash on broken files

Fixes #728

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 33537b0e..a41435ab 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -496,6 +496,9 @@ unsigned char *ImageStream::getLine() {
   }
  
   int readChars = str->doGetChars(inputLineSize, inputLine);
+  if (unlikely(readChars == -1)) {
+  readChars = 0;
+  }
   for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
   if (nBits == 1) {
 unsigned char *p = inputLine;
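Review bot: The new guard treats only `readChars == -1` as failure, so any other negative return from `doGetChars` would still reach `inputLine[readChars] = EOF` in the padding loop with a negative index. Unless `doGetChars` is guaranteed to return exactly -1 on error (not visible here), `if (unlikely(readChars < 0)) {` is the safer test. A one-line comment that a failed read is treated as an empty line and padded with EOF would also record the intent. `getLine` starts and ends outside the hunk.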

[poppler] poppler/Stream.cc

2019-02-06 Thread GitLab Mirror
 poppler/Stream.cc |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit ff1ab1b0c9b265df1fd07380cd78ca0daa63d642
Author: Vincent Le Garrec 
Date:   Sat Feb 2 04:25:52 2019 +0100

Undefined-shift in StreamPredictor::getNextLine

oss-fuzz/10284

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 25ec3c68..6a6b46a2 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -35,6 +35,7 @@
 // Copyright (C) 2017 Jose Aliste 
 // Copyright (C) 2017 Kay Dohmann 
 // Copyright (C) 2019 Christian Persch 
+// Copyright (C) 2019 LE GARREC Vincent 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -712,7 +713,7 @@ bool StreamPredictor::getNextLine() {
   j = k = pixBytes;
   for (i = 0; i < width; ++i) {
for (kk = 0; kk < nComps; ++kk) {
- if (inBits < nBits) {
+ while (inBits < nBits) {
inBuf = (inBuf << 8) | (predLine[j++] & 0xff);
inBits += 8;
  }
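Review bot: The change from `if` to `while (inBits < nBits)` carries no comment saying why a single refill is not enough. With `nBits` above 8 one byte can leave `inBits` below `nBits`, which presumably makes a later shift count negative (that code is outside the hunk); something like `// nBits may be up to 16, so more than one byte can be needed` on the loop would record it. The loop also advances `j` with no visible bound against `rowBytes`; it looks safe because the row size is derived from `nVals * nBits`, but that is worth confirming in the part of `getNextLine` not shown.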


[poppler] poppler/Stream.cc

2018-11-13 Thread GitLab Mirror
 poppler/Stream.cc |   27 ++-
 1 file changed, 26 insertions(+), 1 deletion(-)

New commits:
commit c3a2c11a966a8e260a44716cbb0e26fa437b8f8d
Author: Albert Astals Cid 
Date:   Sun Oct 21 11:29:44 2018 +0200

Stream::makeFilter: Fix memory leak

fixes oss-fuzz/9614

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4c5380e0..cc5e28dd 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -180,6 +180,31 @@ Stream *Stream::addFilters(Dict *dict, int recursion) {
   return str;
 }
 
+class BaseStreamStream : public Stream
+{
+public:
+  BaseStreamStream(Stream *strA) : str(strA)
+  {
+  }
+
+  StreamKind getKind() override { return str->getBaseStream()->getKind(); }
+  void reset() override { str->getBaseStream()->reset(); }
+  int getChar() override { return str->getBaseStream()->getChar(); }
+  int lookChar() override { return str->getBaseStream()->lookChar(); }
+  bool isBinary(bool last = true) override { return 
str->getBaseStream()->isBinary(); }
+  int getUnfilteredChar () override { return 
str->getBaseStream()->getUnfilteredChar(); }
+  void unfilteredReset () override { str->getBaseStream()->unfilteredReset(); }
+  Goffset getPos() override { return str->getBaseStream()->getPos(); }
+  void setPos(Goffset pos, int dir) override { 
str->getBaseStream()->setPos(pos, dir); }
+  BaseStream *getBaseStream() override { return 
str->getBaseStream()->getBaseStream(); }
+  Stream *getUndecodedStream() override { return 
str->getBaseStream()->getUndecodedStream(); }
+  Dict *getDict() override { return str->getBaseStream()->getDict(); }
+  Object *getDictObject() override { return 
str->getBaseStream()->getDictObject(); }
+
+private:
+  std::unique_ptr str;
+};
+
 Stream *Stream::makeFilter(const char *name, Stream *str, Object *params, int 
recursion, Dict *dict) {
   int pred;// parameters
   int colors;
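Review bot: `isBinary(bool last = true)` in `BaseStreamStream` ignores its argument and calls `str->getBaseStream()->isBinary()` with the default, so a caller passing `false` gets the answer for `true`; forward it with `return str->getBaseStream()->isBinary(last);`. The single-argument constructor should be `explicit BaseStreamStream(Stream *strA)`. A class comment would help as well: the wrapper owns the stream it is given through the `unique_ptr` member while delegating every call to that stream's base stream, and the forwarding methods alone do not make that ownership split obvious.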
@@ -315,7 +340,7 @@ Stream *Stream::makeFilter(const char *name, Stream *str, 
Object *params, int re
 #endif
   } else if (!strcmp(name, "Crypt")) {
 if (str->getKind() == strCrypt) {
-  str = str->getBaseStream();
+  str = new BaseStreamStream(str);
 } else {
   error(errSyntaxError, getPos(), "Can't revert non decrypt streams");
 }


[poppler] poppler/Stream.cc

2018-06-12 Thread Albert Astals Cid
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit e4f4cbddd11ae6386985879187007fa5add43624
Author: Albert Astals Cid 
Date:   Tue Jun 12 09:32:57 2018 +0200

StreamPredictor: Move pixBytes calculation after checks

fixes oss-fuzz/8835

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 5e5eb335..21bd3b9b 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -572,7 +572,6 @@ StreamPredictor::StreamPredictor(Stream *strA, int 
predictorA,
   ok = gFalse;
 
   nVals = width * nComps;
-  pixBytes = (nComps * nBits + 7) >> 3;
   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
   nComps > gfxColorMaxComps ||
   nBits > 16 ||
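Review bot: `nVals = width * nComps;` is still evaluated before the range checks, so oversized `width` or `nComps` overflow a signed `int` (undefined behaviour) before the validation that follows can reject them. Moving `pixBytes` removes one early computation but leaves this one; the product should be formed only after the operands have been validated, or through an overflow-checked multiply. The constructor starts outside the hunk and continues in the next one.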
@@ -580,6 +579,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int 
predictorA,
   nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
 return;
   }
+  pixBytes = (nComps * nBits + 7) >> 3;
   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
   predLine = (Guchar *)gmalloc(rowBytes);
   memset(predLine, 0, rowBytes);


Re: [poppler] poppler/Stream.cc

2018-05-26 Thread Albert Astals Cid
El dissabte, 26 de maig de 2018, a les 11:17:31 CEST, Adam Reichold va 
escriure:
> Hello,
> 
> Am 26.05.2018 um 10:59 schrieb Albert Astals Cid:
> > El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va 
escriure:
> >> Hello again,
> >> 
> >> attached the patch. It declares inputBuf as unsigned so all bit shifts
> >> happen on unsigned values. ctest at least seems to be happy.
> > 
> > Interestingly the automagic fuzzer service says that the issue with
> > LZWStream::getCode doing left shift on negative values has been fixed by
> > a commit in this range
> > https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18
> > 913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b
> Are you sure this is exhaustive? 

It's totally not exhaustive :D

> I suspect the fuzzer randomly explores
> the input space, probably coverage guided? So couldn't it be that it
> just did not hit the issue again yet, since from looking at the code,
> inputBuf could very well become negative when considered as a signed
> integer depending on the specific input bytes.

You're right, actually I have "real" PDF files that used to depend on the gcc 
implementation of the undefined behaviour (that's how I realized that my 
initial change was causing a regression), so I've committed your change now :)

Cheers,
  Albert

> 
> Best regards,
> Adam
> 
> > So i guess for not better not to touch this code.
> > 
> > Thanks for the patch though :)
> > 
> > Cheers,
> > 
> >   Albert
> >> 
> >> It does build without the casts as well but I am not completely sure
> >> about the language legalese behind this and hence left them in and also
> >> for explicitness.
> >> 
> >> Proper fix would probably be to converted all of the LZW decoding to use
> >> unsigned values.
> >> 
> >> Best regards,
> >> Adam
> >> 
> >> Am 23.05.2018 um 21:24 schrieb Albert Astals Cid:
> >>> El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va
> >>> 
> >>> escriure:
>  Hello,
>  
>  maybe the simplest solution would to turn inputBuf into an unsigned int
>  and convert to signed int after extracting the bits out of it?
> >>> 
> >>> Yeah that sounds like a plan, could you try to produce a patch so i can
> >>> run it through regtest?
> >>> 
> >>> Cheers,
> >>> 
> >>>   Albert
>  
>  Best regards,
>  Adam
>  
>  Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
> >  poppler/Stream.cc |4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> > 
> > New commits:
> > commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> > Author: Albert Astals Cid 
> > Date:   Wed May 23 00:23:19 2018 +0200
> > 
> > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> > 
> > So shifting left negative values is undefined behaviour according
> > to
> > the
> > spec but if we don't do it we break, so we seem to be depending on
> > this
> > undefined behaviour, will try to figure out a better fix
> > 
> > diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> > index b6bfd838..4f075c12 100644
> > --- a/poppler/Stream.cc
> > +++ b/poppler/Stream.cc
> > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
> > 
> >while (inputBits < nextBits) {
> >
> >  if ((c = str->getChar()) == EOF)
> >  
> >return EOF;
> > 
> > -if (likely(inputBuf >= 0)) {
> > -inputBuf = (inputBuf << 8) | (c & 0xff);
> > -}
> > +inputBuf = (inputBuf << 8) | (c & 0xff);
> > 
> >  inputBits += 8;
> >
> >}
> >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) -
> >1);
> > 
> > ___
> > poppler mailing list
> > poppler@lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/poppler






[poppler] poppler/Stream.cc poppler/Stream.h

2018-05-26 Thread Albert Astals Cid
 poppler/Stream.cc |6 +++---
 poppler/Stream.h  |4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

New commits:
commit 1bc71245fa88dc23dc355f926f50f04896739fff
Author: Adam Reichold 
Date:   Sat May 26 11:54:41 2018 +0200

LZWStream: make inputBuf unsigned

since shifting negative numbers is undefined according to spec

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index f701789f..5e5eb335 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -28,7 +28,7 @@
 // Copyright (C) 2012 Fabio D'Urso 
 // Copyright (C) 2012 Even Rouault 
 // Copyright (C) 2013, 2017, 2018 Adrian Johnson 
-// Copyright (C) 2013 Adam Reichold 
+// Copyright (C) 2013, 2018 Adam Reichold 
 // Copyright (C) 2013 Pino Toscano 
 // Copyright (C) 2015 Suzuki Toshiya 
 // Copyright (C) 2015 Jason Crain 
@@ -1445,10 +1445,10 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-inputBuf = (inputBuf << 8) | (c & 0xff);
+inputBuf = (inputBuf << 8) | static_cast(c & 0xff);
 inputBits += 8;
   }
-  code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
+  code = static_cast((inputBuf >> (inputBits - nextBits)) & ((1 << 
nextBits) - 1));
   inputBits -= nextBits;
   return code;
 }
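Review bot: The reason `inputBuf` has to be unsigned lives only in the commit message; `getCode` itself gets no comment. Old bits are shifted off the top of `inputBuf` on every refill, which is well defined for an unsigned type but was undefined once the signed value went negative, so a line such as `// inputBuf is unsigned: stale bits are meant to fall off the top of the shift` above the refill would keep someone from reverting the type. `(1 << nextBits) - 1` is still a signed shift; it is fine as long as `nextBits` stays small, which this hunk does not show being checked.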
diff --git a/poppler/Stream.h b/poppler/Stream.h
index a3faccd9..841c87a8 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -24,7 +24,7 @@
 // Copyright (C) 2012, 2013 Fabio D'Urso 
 // Copyright (C) 2013, 2017 Adrian Johnson 
 // Copyright (C) 2013 Peter Breitenlohner 
-// Copyright (C) 2013 Adam Reichold 
+// Copyright (C) 2013, 2018 Adam Reichold 
 // Copyright (C) 2013 Pino Toscano 
 //
 // To see a description of the changes please see the Changelog file that
@@ -823,7 +823,7 @@ private:
   StreamPredictor *pred;   // predictor
   int early;   // early parameter
   GBool eof;   // true if at eof
-  int inputBuf;// input buffer
+  unsigned int inputBuf;   // input buffer
   int inputBits;   // number of bits in input buffer
   struct { // decoding table
 int length;
___
poppler mailing list
poppler@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/poppler


Re: [poppler] poppler/Stream.cc

2018-05-26 Thread Adam Reichold
Hello,

Am 26.05.2018 um 10:59 schrieb Albert Astals Cid:
> El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va 
> escriure:
>> Hello again,
>>
>> attached the patch. It declares inputBuf as unsigned so all bit shifts
>> happen on unsigned values. ctest at least seems to be happy.
> 
> Interestingly the automagic fuzzer service says that the issue with 
> LZWStream::getCode doing left shift on negative values has been fixed by a 
> commit in this range
> https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b

Are you sure this is exhaustive? I suspect the fuzzer randomly explores
the input space, probably coverage guided? So couldn't it be that it
just did not hit the issue again yet, since from looking at the code,
inputBuf could very well become negative when considered as a signed
integer depending on the specific input bytes.

Best regards,
Adam

> So i guess for not better not to touch this code.
> 
> Thanks for the patch though :)
> 
> Cheers,
>   Albert
> 
>>
>> It does build without the casts as well but I am not completely sure
>> about the language legalese behind this and hence left them in and also
>> for explicitness.
>>
>> Proper fix would probably be to converted all of the LZW decoding to use
>> unsigned values.
>>
>> Best regards,
>> Adam
>>
>> Am 23.05.2018 um 21:24 schrieb Albert Astals Cid:
>>> El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va
>>>
>>> escriure:
 Hello,

 maybe the simplest solution would to turn inputBuf into an unsigned int
 and convert to signed int after extracting the bits out of it?
>>>
>>> Yeah that sounds like a plan, could you try to produce a patch so i can
>>> run it through regtest?
>>>
>>> Cheers,
>>>
>>>   Albert

 Best regards,
 Adam

 Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
>  poppler/Stream.cc |4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> New commits:
> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> Author: Albert Astals Cid 
> Date:   Wed May 23 00:23:19 2018 +0200
>
> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> 
> So shifting left negative values is undefined behaviour according to
> the
> spec but if we don't do it we break, so we seem to be depending on
> this
> undefined behaviour, will try to figure out a better fix
>
> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> index b6bfd838..4f075c12 100644
> --- a/poppler/Stream.cc
> +++ b/poppler/Stream.cc
> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
>
>while (inputBits < nextBits) {
>
>  if ((c = str->getChar()) == EOF)
>  
>return EOF;
>
> -if (likely(inputBuf >= 0)) {
> -inputBuf = (inputBuf << 8) | (c & 0xff);
> -}
> +inputBuf = (inputBuf << 8) | (c & 0xff);
>
>  inputBits += 8;
>
>}
>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
>
> ___
> poppler mailing list
> poppler@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler
> 
> 
> 
> 
> 



signature.asc
Description: OpenPGP digital signature


Re: [poppler] poppler/Stream.cc

2018-05-26 Thread Albert Astals Cid
El dimecres, 23 de maig de 2018, a les 21:46:02 CEST, Adam Reichold va escriure:
> Hello again,
> 
> attached the patch. It declares inputBuf as unsigned so all bit shifts
> happen on unsigned values. ctest at least seems to be happy.

Interestingly the automagic fuzzer service says that the issue with 
LZWStream::getCode doing left shift on negative values has been fixed by a 
commit in this range
https://cgit.freedesktop.org/poppler/poppler/diff/?id2=76820f5ab932a9ed18913bc7d1a452ddf060c133&id=f966b9096d046aaee4891de11f74207218cc929b

So I guess for now it's better not to touch this code.

Thanks for the patch though :)

Cheers,
  Albert

> 
> It does build without the casts as well but I am not completely sure
> about the language legalese behind this and hence left them in and also
> for explicitness.
> 
> Proper fix would probably be to converted all of the LZW decoding to use
> unsigned values.
> 
> Best regards,
> Adam
> 
> Am 23.05.2018 um 21:24 schrieb Albert Astals Cid:
> > El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va
> > 
> > escriure:
> >> Hello,
> >> 
> >> maybe the simplest solution would to turn inputBuf into an unsigned int
> >> and convert to signed int after extracting the bits out of it?
> > 
> > Yeah that sounds like a plan, could you try to produce a patch so i can
> > run it through regtest?
> > 
> > Cheers,
> > 
> >   Albert
> >> 
> >> Best regards,
> >> Adam
> >> 
> >> Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
> >>>  poppler/Stream.cc |4 +---
> >>>  1 file changed, 1 insertion(+), 3 deletions(-)
> >>> 
> >>> New commits:
> >>> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> >>> Author: Albert Astals Cid 
> >>> Date:   Wed May 23 00:23:19 2018 +0200
> >>> 
> >>> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> >>> 
> >>> So shifting left negative values is undefined behaviour according to
> >>> the
> >>> spec but if we don't do it we break, so we seem to be depending on
> >>> this
> >>> undefined behaviour, will try to figure out a better fix
> >>> 
> >>> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> >>> index b6bfd838..4f075c12 100644
> >>> --- a/poppler/Stream.cc
> >>> +++ b/poppler/Stream.cc
> >>> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
> >>> 
> >>>while (inputBits < nextBits) {
> >>>
> >>>  if ((c = str->getChar()) == EOF)
> >>>  
> >>>return EOF;
> >>> 
> >>> -if (likely(inputBuf >= 0)) {
> >>> -inputBuf = (inputBuf << 8) | (c & 0xff);
> >>> -}
> >>> +inputBuf = (inputBuf << 8) | (c & 0xff);
> >>> 
> >>>  inputBits += 8;
> >>>
> >>>}
> >>>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
> >>> 
> >>> ___
> >>> poppler mailing list
> >>> poppler@lists.freedesktop.org
> >>> https://lists.freedesktop.org/mailman/listinfo/poppler






[poppler] poppler/Stream.cc

2018-05-24 Thread Albert Astals Cid
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit db73587c566f8e50f03b24628e8948a558ee7039
Author: Albert Astals Cid 
Date:   Thu May 24 11:56:39 2018 +0200

StreamPredictor: move rowBytes calculation after overflow check

fixes oss-fuzz/8498

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4f075c12..f701789f 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -573,7 +573,6 @@ StreamPredictor::StreamPredictor(Stream *strA, int 
predictorA,
 
   nVals = width * nComps;
   pixBytes = (nComps * nBits + 7) >> 3;
-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
   nComps > gfxColorMaxComps ||
   nBits > 16 ||
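Review bot: `pixBytes = (nComps * nBits + 7) >> 3;` still runs before the range checks, so `nComps * nBits` can overflow a signed `int` for hostile values just as the `rowBytes` expression did; it should move below the `return` together with `rowBytes`. The same applies to `nVals = width * nComps;` on the line above it. The constructor starts outside the hunk and continues in the next one.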
@@ -581,6 +580,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int 
predictorA,
   nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
 return;
   }
+  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
   predLine = (Guchar *)gmalloc(rowBytes);
   memset(predLine, 0, rowBytes);
   predIdx = rowBytes;


Re: [poppler] poppler/Stream.cc

2018-05-23 Thread Adam Reichold
Hello again,

attached the patch. It declares inputBuf as unsigned so all bit shifts
happen on unsigned values. ctest at least seems to be happy.

It does build without the casts as well but I am not completely sure
about the language legalese behind this and hence left them in and also
for explicitness.

Proper fix would probably be to convert all of the LZW decoding to use
unsigned values.

Best regards,
Adam

Am 23.05.2018 um 21:24 schrieb Albert Astals Cid:
> El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va 
> escriure:
>> Hello,
>>
>> maybe the simplest solution would to turn inputBuf into an unsigned int
>> and convert to signed int after extracting the bits out of it?
> 
> Yeah that sounds like a plan, could you try to produce a patch so i can run 
> it 
> through regtest?
> 
> Cheers,
>   Albert
> 
>>
>> Best regards,
>> Adam
>>
>> Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
>>>  poppler/Stream.cc |4 +---
>>>  1 file changed, 1 insertion(+), 3 deletions(-)
>>>
>>> New commits:
>>> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
>>> Author: Albert Astals Cid 
>>> Date:   Wed May 23 00:23:19 2018 +0200
>>>
>>> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
>>> 
>>> So shifting left negative values is undefined behaviour according to
>>> the
>>> spec but if we don't do it we break, so we seem to be depending on
>>> this
>>> undefined behaviour, will try to figure out a better fix
>>>
>>> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
>>> index b6bfd838..4f075c12 100644
>>> --- a/poppler/Stream.cc
>>> +++ b/poppler/Stream.cc
>>> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
>>>
>>>while (inputBits < nextBits) {
>>>
>>>  if ((c = str->getChar()) == EOF)
>>>  
>>>return EOF;
>>>
>>> -if (likely(inputBuf >= 0)) {
>>> -inputBuf = (inputBuf << 8) | (c & 0xff);
>>> -}
>>> +inputBuf = (inputBuf << 8) | (c & 0xff);
>>>
>>>  inputBits += 8;
>>>
>>>}
>>>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
>>>
>>> ___
>>> poppler mailing list
>>> poppler@lists.freedesktop.org
>>> https://lists.freedesktop.org/mailman/listinfo/poppler
> 
> 
> 
> 
> 
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4f075c12..63c803dd 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,10 +1445,10 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-inputBuf = (inputBuf << 8) | (c & 0xff);
+inputBuf = (inputBuf << 8) | static_cast(c & 0xff);
 inputBits += 8;
   }
-  code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
+  code = static_cast((inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1));
   inputBits -= nextBits;
   return code;
 }
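Review bot: Nothing in `getCode()` records why the accumulator is now unsigned, so a later cleanup could turn it back into `int`; a comment above the shift would pin it, for example `// unsigned on purpose: << 8 lets stale high bits fall off without signed-overflow UB`. Only the low `inputBits` bits are meaningful after the loop, which the mask on the `code =` line relies on. As rendered here both casts read `static_cast(...)` with no target type, so the attachment should be checked for the target types, presumably `<unsigned>` and `<int>`.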
diff --git a/poppler/Stream.h b/poppler/Stream.h
index a3faccd9..dff7978d 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -823,7 +823,7 @@ private:
   StreamPredictor *pred;	// predictor
   int early;			// early parameter
   GBool eof;			// true if at eof
-  int inputBuf;			// input buffer
+  unsigned inputBuf;		// input buffer
   int inputBits;		// number of bits in input buffer
   struct {			// decoding table
 int length;




Re: [poppler] poppler/Stream.cc

2018-05-23 Thread Albert Astals Cid
El dimecres, 23 de maig de 2018, a les 8:57:27 CEST, Adam Reichold va 
escriure:
> Hello,
> 
> maybe the simplest solution would to turn inputBuf into an unsigned int
> and convert to signed int after extracting the bits out of it?

Yeah that sounds like a plan, could you try to produce a patch so i can run it 
through regtest?

Cheers,
  Albert

> 
> Best regards,
> Adam
> 
> Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
> >  poppler/Stream.cc |4 +---
> >  1 file changed, 1 insertion(+), 3 deletions(-)
> > 
> > New commits:
> > commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> > Author: Albert Astals Cid 
> > Date:   Wed May 23 00:23:19 2018 +0200
> > 
> > Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> > 
> > So shifting left negative values is undefined behaviour according to
> > the
> > spec but if we don't do it we break, so we seem to be depending on
> > this
> > undefined behaviour, will try to figure out a better fix
> > 
> > diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> > index b6bfd838..4f075c12 100644
> > --- a/poppler/Stream.cc
> > +++ b/poppler/Stream.cc
> > @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
> > 
> >while (inputBits < nextBits) {
> >
> >  if ((c = str->getChar()) == EOF)
> >  
> >return EOF;
> > 
> > -if (likely(inputBuf >= 0)) {
> > -inputBuf = (inputBuf << 8) | (c & 0xff);
> > -}
> > +inputBuf = (inputBuf << 8) | (c & 0xff);
> > 
> >  inputBits += 8;
> >
> >}
> >code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
> > 
> > ___
> > poppler mailing list
> > poppler@lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/poppler






Re: [poppler] poppler/Stream.cc

2018-05-22 Thread Adam Reichold
Hello,

maybe the simplest solution would be to turn inputBuf into an unsigned int
and convert to signed int after extracting the bits out of it?

Best regards,
Adam

Am 23.05.2018 um 00:24 schrieb Albert Astals Cid:
>  poppler/Stream.cc |4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> New commits:
> commit 58e056c4b15f262b7715f8061d6885eb80044d0d
> Author: Albert Astals Cid 
> Date:   Wed May 23 00:23:19 2018 +0200
> 
> Revert 31c3832b996acbf04ea833e304d7d21ac4533a57
> 
> So shifting left negative values is undefined behaviour according to the
> spec but if we don't do it we break, so we seem to be depending on this
> undefined behaviour, will try to figure out a better fix
> 
> diff --git a/poppler/Stream.cc b/poppler/Stream.cc
> index b6bfd838..4f075c12 100644
> --- a/poppler/Stream.cc
> +++ b/poppler/Stream.cc
> @@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
>while (inputBits < nextBits) {
>  if ((c = str->getChar()) == EOF)
>return EOF;
> -if (likely(inputBuf >= 0)) {
> -inputBuf = (inputBuf << 8) | (c & 0xff);
> -}
> +inputBuf = (inputBuf << 8) | (c & 0xff);
>  inputBits += 8;
>}
>code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
> ___
> poppler mailing list
> poppler@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/poppler
> 





[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

New commits:
commit 58e056c4b15f262b7715f8061d6885eb80044d0d
Author: Albert Astals Cid 
Date:   Wed May 23 00:23:19 2018 +0200

Revert 31c3832b996acbf04ea833e304d7d21ac4533a57

So shifting left negative values is undefined behaviour according to the
spec but if we don't do it we break, so we seem to be depending on this
undefined behaviour, will try to figure out a better fix

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index b6bfd838..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,9 +1445,7 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-if (likely(inputBuf >= 0)) {
-inputBuf = (inputBuf << 8) | (c & 0xff);
-}
+inputBuf = (inputBuf << 8) | (c & 0xff);
 inputBits += 8;
   }
   code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
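Review bot: The restored `inputBuf = (inputBuf << 8) | (c & 0xff);` is known to rely on undefined behaviour, but only the commit message says so; the line itself carries no marker. A comment such as `// FIXME: left shift of a negative int is UB, but the guarded version broke decoding (see 31c3832b)` would keep the open problem visible to whoever touches the decoder next. The quoted copies of this hunk in the replies above are the same change. `getCode()` continues outside the hunk.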


[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

New commits:
commit 31c3832b996acbf04ea833e304d7d21ac4533a57
Author: Albert Astals Cid 
Date:   Tue May 22 20:25:18 2018 +0200

LZWStream::getCode: Don't left shift negative values

it's undefined behaviour

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4f075c12..b6bfd838 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1445,7 +1445,9 @@ int LZWStream::getCode() {
   while (inputBits < nextBits) {
 if ((c = str->getChar()) == EOF)
   return EOF;
-inputBuf = (inputBuf << 8) | (c & 0xff);
+if (likely(inputBuf >= 0)) {
+inputBuf = (inputBuf << 8) | (c & 0xff);
+}
 inputBits += 8;
   }
   code = (inputBuf >> (inputBits - nextBits)) & ((1 << nextBits) - 1);
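Review bot: When `inputBuf` is negative the new guard skips the shift but `inputBits += 8` still runs, so the byte just read is dropped while the bit count claims it was stored, and later codes are extracted from the wrong bits. `inputBuf` appears to be a plain `int` that is not masked after a code is taken, so with a 32-bit `int` its top bit can become set on ordinary input once enough bytes have been shifted in. Avoiding the undefined shift without losing data means doing the shift on an unsigned value, for example `inputBuf = (int)(((unsigned)inputBuf << 8) | (c & 0xff));`. `getCode()` continues outside the hunk.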


[poppler] poppler/Stream.cc

2018-05-22 Thread Albert Astals Cid
 poppler/Stream.cc |1 +
 1 file changed, 1 insertion(+)

New commits:
commit 0c0c368fed70c1db64ce04b135fd5b060a1f0653
Author: Albert Astals Cid 
Date:   Tue May 22 18:26:29 2018 +0200

LZWStream::clearTable: init newChar to 0

it should not be needed because on well formed streams it will be properly 
initialized in processNextCode but
this solves an uninitialized memory use on malformed documents

fixes oss-fuzz/8457

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 15a6a9f9..4f075c12 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1435,6 +1435,7 @@ void LZWStream::clearTable() {
   nextBits = 9;
   seqIndex = seqLength = 0;
   first = gTrue;
+  newChar = 0;
 }
 
 int LZWStream::getCode() {


[poppler] poppler/Stream.cc

2017-10-23 Thread Albert Astals Cid
 poppler/Stream.cc |   16 +++-
 1 file changed, 7 insertions(+), 9 deletions(-)

New commits:
commit d72f0383b959d8495a452d2d32377e588b15ad65
Author: Kay Dohmann 
Date:   Mon Oct 23 23:31:13 2017 +0200

Tweak LZWStream::processNextCode

Fixes file attached at bug 103174 and doesn't seem to cause any
regression in the files we have around

Bug #103174

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index b541356d..da1d9267 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -33,6 +33,7 @@
 // Copyright (C) 2015 Suzuki Toshiya 
 // Copyright (C) 2015 Jason Crain 
 // Copyright (C) 2017 Jose Aliste 
+// Copyright (C) 2017 Kay Dohmann 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1461,11 +1462,6 @@ GBool LZWStream::processNextCode() {
 clearTable();
 goto start;
   }
-  if (nextCode >= 4097) {
-error(errSyntaxError, getPos(),
- "Bad LZW stream - expected clear-table code");
-clearTable();
-  }
 
   // process the next code
   nextLength = seqLength + 1;
@@ -1491,10 +1487,12 @@ GBool LZWStream::processNextCode() {
   if (first) {
 first = gFalse;
   } else {
-table[nextCode].length = nextLength;
-table[nextCode].head = prevCode;
-table[nextCode].tail = newChar;
-++nextCode;
+if (nextCode < 4097) {
+  table[nextCode].length = nextLength;
+  table[nextCode].head = prevCode;
+  table[nextCode].tail = newChar;
+  ++nextCode;
+}
 if (nextCode + early == 512)
   nextBits = 10;
 else if (nextCode + early == 1024)
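Review bot: `if (nextCode < 4097)` repeats the table bound as a bare number, and the declaration of `table` is outside this hunk, so the two can drift apart without any help from the compiler. If `table` has 4097 entries the guard is right, since the last index written is 4096; a named constant shared with the declaration, or `nextCode < (int)(sizeof(table) / sizeof(table[0]))`, would make that checkable. The commit also drops the `error(errSyntaxError, ...)` call in the previous hunk, so a stream that runs past the table is now decoded without any diagnostic. `processNextCode()` continues outside the hunk.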


[poppler] poppler/Stream.cc

2017-06-21 Thread Albert Astals Cid
 poppler/Stream.cc |7 +++
 1 file changed, 7 insertions(+)

New commits:
commit 733c8faf3034f94b632c65dd091911bc642dcae4
Author: Jose Aliste 
Date:   Tue May 16 18:44:49 2017 -0400

Check numComps is between reasonable bounds

Before this patch, some PDF might crash because of an overflow
if numComps does not lie between 0 and 4.
This is a security fix for CVE-2017-0319.

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d93c560e..e3d5cf6a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -32,6 +32,7 @@
 // Copyright (C) 2013 Pino Toscano 
 // Copyright (C) 2015 Suzuki Toshiya 
 // Copyright (C) 2015 Jason Crain 
+// Copyright (C) 2017 Jose Aliste 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -3585,6 +3586,12 @@ GBool DCTStream::readProgressiveSOF() {
   height = read16();
   width = read16();
   numComps = str->getChar();
+
+  if (numComps <= 0 || numComps > 4) {
+error(errSyntaxError, getPos(), "Bad number of components in DCT stream");
+numComps = 0;
+return gFalse;
+  }
   if (prec != 8) {
 error(errSyntaxError, getPos(), "Bad DCT precision {0:d}", prec);
 return gFalse;
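Review bot: The new error message does not say which value was rejected, unlike the `"Bad DCT precision {0:d}"` message right below it; `error(errSyntaxError, getPos(), "Bad number of components in DCT stream: {0:d}", numComps);` placed before the reset to 0 would make fuzzer and user reports easier to triage. `str->getChar()` can presumably return EOF here, which the `numComps <= 0` half of the test also covers. The upper bound 4 is presumably the size of the per-component arrays, which are declared outside the hunk; readBaselineSOF is not shown and should be confirmed to carry the same bound.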


[poppler] poppler/Stream.cc

2017-06-20 Thread Albert Astals Cid
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit b2bbe5d5bc241c82575bf9987d295d91998ddebc
Author: Albert Astals Cid 
Date:   Tue Jun 20 23:58:26 2017 +0200

Fix crash in malformed document

Bug #101526

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4ac91078..d93c560e 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -468,7 +468,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int 
nCompsA, int nBitsA) {
 
   nVals = width * nComps;
   inputLineSize = (nVals * nBits + 7) >> 3;
-  if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) {
+  if (nComps <= 0 || nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > 
INT_MAX / nComps) {
 inputLineSize = -1;
   }
   inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
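Review bot: The guard now rejects `nComps <= 0` but still accepts `width <= 0`, which the StreamPredictor guard in the same file (visible in the 2018 commit on this page) does reject. With a negative `width`, `nVals` and `inputLineSize` come out negative and none of the four tests fires, so the outcome depends on how `gmallocn_checkoverflow` treats a negative count, which is not visible here. Adding `width <= 0 ||` to the front of the condition closes that without relying on the allocator. The constructor starts and ends outside the hunk.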


[poppler] poppler/Stream.cc

2016-05-24 Thread Albert Astals Cid
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 5f51939eea5b98dcef115d18baec3179701d0292
Author: Albert Astals Cid 
Date:   Tue May 24 23:34:48 2016 +0200

Fix stack overflow

Bug #96027

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index f1c68e9..4a9babe 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -183,7 +183,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) {
   dict->dictLookup("DecodeParms", ¶ms, recursion);
   if (params.isNull()) {
 params.free();
-dict->dictLookup("DP", ¶ms);
+dict->dictLookup("DP", ¶ms, recursion);
   }
   if (obj.isName()) {
 str = makeFilter(obj.getName(), str, ¶ms, recursion, dict);
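Review bot: That `dictLookup("DP", ...)` compiled without the `recursion` argument means the parameter has a default or an overload exists, and that is what let this omission through. The `"F"` lookup fixed the day before and the `arrayGet(i, &obj2)` call fixed in 2013, both further down this page, are the same slip. In `addFilters` and `makeFilter`, where the object graph comes from the file, it would be safer if the depth argument could not be left out; short of that, the remaining `dictLookup`/`arrayGet`/`fetch` calls in this file should be audited for a missing `recursion`. `addFilters` continues outside the hunk.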


[poppler] poppler/Stream.cc

2016-05-23 Thread Albert Astals Cid
 poppler/Stream.cc |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 9ce8dd7fbd132b5f423dc3bf10fa87b973390d0b
Author: Albert Astals Cid 
Date:   Mon May 23 23:59:40 2016 +0200

Fix stack overflow on broken file

Bug #95567

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 1e6318e..f1c68e9 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jeff Muizelaar 
-// Copyright (C) 2006-2010, 2012-2014 Albert Astals Cid 
+// Copyright (C) 2006-2010, 2012-2014, 2016 Albert Astals Cid 
 // Copyright (C) 2007 Krzysztof Kowalczyk 
 // Copyright (C) 2008 Julien Rebetez 
 // Copyright (C) 2009 Carlos Garcia Campos 
@@ -178,7 +178,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) {
   dict->dictLookup("Filter", &obj, recursion);
   if (obj.isNull()) {
 obj.free();
-dict->dictLookup("F", &obj);
+dict->dictLookup("F", &obj, recursion);
   }
   dict->dictLookup("DecodeParms", ¶ms, recursion);
   if (params.isNull()) {


[poppler] poppler/Stream.cc

2015-09-06 Thread Albert Astals Cid
 poppler/Stream.cc |   10 +++---
 1 file changed, 3 insertions(+), 7 deletions(-)

New commits:
commit 1e1a2d0600153c98d44f65e83a0555ab5288450b
Author: Jason Crain 
Date:   Sun Sep 6 22:33:02 2015 +0200

Fix JBIG2Decode infinite loop and stack overflow

Creating a JBIG2Decode filter can create a stack overflow or infinite
loop.  Fix stack overflow by adding 'recursion' argument to fetch
call.  Fix infinite loop by removing the reference lookup loop.
Chains of references aren't allowed by the spec anyway.

Bug #91186

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d2dd761..9617678 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -31,6 +31,7 @@
 // Copyright (C) 2013 Adam Reichold 
 // Copyright (C) 2013 Pino Toscano 
 // Copyright (C) 2015 Suzuki Toshiya 
+// Copyright (C) 2015 Jason Crain 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -340,13 +341,8 @@ Stream *Stream::makeFilter(char *name, Stream *str, Object 
*params, int recursio
   } else if (!strcmp(name, "JBIG2Decode")) {
 if (params->isDict()) {
   XRef *xref = params->getDict()->getXRef();
-  params->dictLookupNF("JBIG2Globals", &globals);
-  while (globals.isRef()) {
-obj.free();
-globals.copy(&obj);
-globals.free();
-obj.fetch(xref, &globals);
-  }
+  params->dictLookupNF("JBIG2Globals", &obj);
+  obj.fetch(xref, &globals, recursion);
 }
 str = new JBIG2Stream(str, &globals, &obj);
 globals.free();
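Review bot: The replacement of the `while (globals.isRef())` loop by a single `obj.fetch(xref, &globals, recursion)` carries no comment, so the reason for resolving only one level lives only in the commit message. A line such as `// resolve one level only: reference chains are not allowed by the spec and looping on them never terminated (bug 91186)` above the `dictLookupNF` call would keep someone from restoring the loop. If `globals` can still be a reference or a non-stream after the single fetch, JBIG2Stream has to cope with that; its constructor is not shown here.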


[poppler] poppler/Stream.cc

2013-06-16 Thread Albert Astals Cid
 poppler/Stream.cc |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 714ee1e61d853394818dca7155b1b882408ffc6a
Author: Albert Astals Cid 
Date:   Sun Jun 16 19:00:01 2013 +0200

Pass down the recursion param

Fixes heap smashing in 168.pdf.SIGSEGV.598.462

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d6a69b0..41cb8c1 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -186,7 +186,7 @@ Stream *Stream::addFilters(Object *dict, int recursion) {
 str = makeFilter(obj.getName(), str, ¶ms, recursion, dict);
   } else if (obj.isArray()) {
 for (i = 0; i < obj.arrayGetLength(); ++i) {
-  obj.arrayGet(i, &obj2);
+  obj.arrayGet(i, &obj2, recursion);
   if (params.isArray())
params.arrayGet(i, ¶ms2, recursion);
   else


[poppler] poppler/Stream.cc poppler/Stream.h

2013-01-27 Thread Pino Toscano
 poppler/Stream.cc |2 +-
 poppler/Stream.h  |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

New commits:
commit f3aa5236361dca3db64f110520ebe721ba1c9464
Author: Pino Toscano 
Date:   Sun Jan 27 18:50:10 2013 +0100

use Goffset also for length in MemStream ctor

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 3deab44..3f89ddc 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1015,7 +1015,7 @@ void CachedFileStream::moveStart(Goffset delta)
 // MemStream
 //
 
-MemStream::MemStream(char *bufA, Goffset startA, Guint lengthA, Object *dictA):
+MemStream::MemStream(char *bufA, Goffset startA, Goffset lengthA, Object 
*dictA):
 BaseStream(dictA, lengthA) {
   buf = bufA;
   start = startA;
diff --git a/poppler/Stream.h b/poppler/Stream.h
index f6e85ac..c871ba7 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -565,7 +565,7 @@ private:
 class MemStream: public BaseStream {
 public:
 
-  MemStream(char *bufA, Goffset startA, Guint lengthA, Object *dictA);
+  MemStream(char *bufA, Goffset startA, Goffset lengthA, Object *dictA);
   virtual ~MemStream();
   virtual BaseStream *copy();
   virtual Stream *makeSubStream(Goffset start, GBool limited,


[poppler] poppler/Stream.cc

2013-01-09 Thread Albert Astals Cid
 poppler/Stream.cc |7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

New commits:
commit b1026b5978c385328f2a15a2185c599a563edf91
Author: Albert Astals Cid 
Date:   Wed Jan 9 22:17:09 2013 +0100

Initialize refLine totally

Fixes uninitialized memory read in 1004.pdf.asan.7.3

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 414ff3f..d118ddd 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jeff Muizelaar 
-// Copyright (C) 2006-2010, 2012 Albert Astals Cid 
+// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid 
 // Copyright (C) 2007 Krzysztof Kowalczyk 
 // Copyright (C) 2008 Julien Rebetez 
 // Copyright (C) 2009 Carlos Garcia Campos 
@@ -1712,8 +1712,9 @@ int CCITTFaxStream::lookChar() {
   for (i = 0; i < columns && codingLine[i] < columns; ++i) {
refLine[i] = codingLine[i];
   }
-  refLine[i++] = columns;
-  refLine[i] = columns;
+  for (; i < columns + 2; ++i) {
+   refLine[i] = columns;
+  }
   codingLine[0] = 0;
   a0i = 0;
   b1i = 0;


[poppler] poppler/Stream.cc

2012-12-27 Thread Albert Astals Cid
 poppler/Stream.cc |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit 2017dbebd9afd4f172242ff8462fce739d911e64
Author: Even Rouault 
Date:   Fri Dec 28 00:30:13 2012 +0100

Do not crash on 0 or negative nBits values

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 842f0c6..414ff3f 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -26,6 +26,7 @@
 // Copyright (C) 2012 Thomas Freitag 
 // Copyright (C) 2012 Oliver Sander 
 // Copyright (C) 2012 Fabio D'Urso 
+// Copyright (C) 2012 Even Rouault 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -419,11 +420,11 @@ ImageStream::ImageStream(Stream *strA, int widthA, int 
nCompsA, int nBitsA) {
 
   nVals = width * nComps;
   inputLineSize = (nVals * nBits + 7) >> 3;
-  if (nVals > INT_MAX / nBits - 7) {
+  if (nBits <= 0 || nVals > INT_MAX / nBits - 7) {
 // force a call to gmallocn(-1,...), which will throw an exception
 inputLineSize = -1;
   }
-  inputLine = (Guchar *)gmallocn(inputLineSize, sizeof(char));
+  inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
   if (nBits == 8) {
 imgLine = (Guchar *)inputLine;
   } else {
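Review bot: The context comment `// force a call to gmallocn(-1,...), which will throw an exception` is left unchanged although the allocation is switched to `gmallocn_checkoverflow`, so it now describes a call that is no longer made. If `gmallocn_checkoverflow` returns a null pointer instead of aborting, which its name suggests but this hunk does not show, `inputLine` is assigned to `imgLine` on the following lines without a check. The comment should state the new failure behaviour, and the constructor should handle a null `inputLine` if that is what a bad size produces. The constructor starts and ends outside the hunk.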


[poppler] poppler/Stream.cc

2012-04-29 Thread Albert Astals Cid
 poppler/Stream.cc |3 +++
 1 file changed, 3 insertions(+)

New commits:
commit 50c0b294d08114920a5db711876e20d991f474a6
Author: Albert Astals Cid 
Date:   Sun Apr 29 22:33:09 2012 +0200

Make sure the index to dcHuffTables and acHuffTables is in bounds

Found in a fuzzed pdf sent by Mateusz "j00ru" Jurczyk and Gynvael Coldwind

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 423bf1c..4ce6c00 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -2581,6 +2581,9 @@ GBool DCTStream::readMCURow() {
   vSub = vert / 8;
   for (y2 = 0; y2 < mcuHeight; y2 += vert) {
for (x2 = 0; x2 < mcuWidth; x2 += horiz) {
+ if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || 
unlikely(scanInfo.acHuffTable[cc] >= 4)) {
+   return gFalse;
+ }
  if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]],
&acHuffTables[scanInfo.acHuffTable[cc]],
&compInfo[cc].prevDC,
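Review bot: The bounds test on `scanInfo.dcHuffTable[cc]` and `scanInfo.acHuffTable[cc]` sits inside the innermost `x2` loop although neither value changes there, and it protects only this one use. Validating both indices where the scan header is parsed (outside this hunk) would cover every reader of `scanInfo` and keep the check out of the decode loop. The test also rejects only values `>= 4`; if the fields are signed, a negative index would still pass, so `< 0` should be rejected too unless the type rules it out. The literal 4 is presumably the number of Huffman tables and would read better as a named constant.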


[poppler] poppler/Stream.cc

2012-02-23 Thread Albert Astals Cid
 poppler/Stream.cc |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit 675ef2bda3c4e06b39e2ba09b3b19d99cfb001b6
Author: Oliver Sander 
Date:   Thu Feb 23 23:22:50 2012 +0100

Compile

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index d5f4e0c..04aac31 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -24,6 +24,7 @@
 // Copyright (C) 2010 Tomas Hoger 
 // Copyright (C) 2011 William Bader 
 // Copyright (C) 2012 Thomas Freitag 
+// Copyright (C) 2012 Oliver Sander 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -2343,7 +2344,7 @@ DCTStream::~DCTStream() {
 
 void DCTStream::dctReset(GBool unfiltered) {
   if (unfiltered)
-str->unfilteredReset()
+str->unfilteredReset();
   else
 str->reset();
 


[poppler] poppler/Stream.cc poppler/Stream.h

2012-02-18 Thread Albert Astals Cid
 poppler/Stream.cc |   26 --
 poppler/Stream.h  |3 +++
 2 files changed, 23 insertions(+), 6 deletions(-)

New commits:
commit 9b72ee4e4c8658b2f7cd542d601a5c3be621d3fc
Author: Thomas Freitag 
Date:   Sat Feb 18 17:34:12 2012 +0100

Make some of the unfilteredResets be really unfiltered

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 5ebd5af..d5f4e0c 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -23,6 +23,7 @@
 // Copyright (C) 2010 Hib Eris 
 // Copyright (C) 2010 Tomas Hoger 
 // Copyright (C) 2011 William Bader 
+// Copyright (C) 2012 Thomas Freitag 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1599,8 +1600,11 @@ CCITTFaxStream::~CCITTFaxStream() {
   gfree(codingLine);
 }
 
-void CCITTFaxStream::unfilteredReset () {
-  str->reset();
+void CCITTFaxStream::ccittReset(GBool unfiltered) {
+  if (unfiltered)
+str->unfilteredReset();
+  else
+str->reset();
 
   row = 0;
   nextLine2D = encoding < 0;
@@ -1610,10 +1614,14 @@ void CCITTFaxStream::unfilteredReset () {
   buf = EOF;
 }
 
+void CCITTFaxStream::unfilteredReset() {
+  ccittReset(gTrue);
+}
+
 void CCITTFaxStream::reset() {
   int code1;
 
-  unfilteredReset();
+  ccittReset(gFalse);
 
   if (codingLine != NULL && refLine != NULL) {
 eof = gFalse;
@@ -2333,8 +2341,11 @@ DCTStream::~DCTStream() {
   delete str;
 }
 
-void DCTStream::unfilteredReset() {
-  str->reset();
+void DCTStream::dctReset(GBool unfiltered) {
+  if (unfiltered)
+str->unfilteredReset()
+  else
+str->reset();
 
   progressive = interleaved = gFalse;
   width = height = 0;
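Review bot: `str->unfilteredReset()` in the new `dctReset` has no terminating semicolon, so the `else` that follows is a syntax error and the file does not compile as committed; the line should read `str->unfilteredReset();`. The parallel `ccittReset` hunk above has the semicolon. `dctReset` continues outside the hunk.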
@@ -2347,11 +2358,14 @@ void DCTStream::unfilteredReset() {
   restartInterval = 0;
 }
 
+void DCTStream::unfilteredReset() {
+  dctReset(gTrue);
+}
 
 void DCTStream::reset() {
   int i, j;
 
-  unfilteredReset();
+  dctReset(gFalse);
 
   if (!readHeader()) {
 y = height;
diff --git a/poppler/Stream.h b/poppler/Stream.h
index 3276940..33165aa 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -20,6 +20,7 @@
 // Copyright (C) 2009 Stefan Thomas 
 // Copyright (C) 2010 Hib Eris 
 // Copyright (C) 2011 William Bader 
+// Copyright (C) 2012 Thomas Freitag 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -785,6 +786,7 @@ public:
 
 private:
 
+  void ccittReset(GBool unfiltered);
   int encoding;// 'K' parameter
   GBool endOfLine; // 'EndOfLine' parameter
   GBool byteAlign; // 'EncodedByteAlign' parameter
@@ -861,6 +863,7 @@ public:
 
 private:
 
+  void dctReset(GBool unfiltered);  
   GBool progressive;   // set if in progressive mode
   GBool interleaved;   // set if in interleaved mode
   int width, height;   // image size


[poppler] poppler/Stream.cc poppler/Stream.h

2011-06-24 Thread Albert Astals Cid
 poppler/Stream.cc |1 +
 poppler/Stream.h  |1 +
 2 files changed, 2 insertions(+)

New commits:
commit 00076bc308ae320244c4fe351c1c2bef2da8
Author: Albert Astals Cid 
Date:   Fri Jun 24 22:51:55 2011 +0100

Forgot William's (C) here

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 7b46c01..ee53502 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -22,6 +22,7 @@
 // Copyright (C) 2009 Stefan Thomas 
 // Copyright (C) 2010 Hib Eris 
 // Copyright (C) 2010 Tomas Hoger 
+// Copyright (C) 2011 William Bader 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
diff --git a/poppler/Stream.h b/poppler/Stream.h
index ee03f4e..fce6590 100644
--- a/poppler/Stream.h
+++ b/poppler/Stream.h
@@ -19,6 +19,7 @@
 // Copyright (C) 2009 Carlos Garcia Campos 
 // Copyright (C) 2009 Stefan Thomas 
 // Copyright (C) 2010 Hib Eris 
+// Copyright (C) 2011 William Bader 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git


[poppler] poppler/Stream.cc poppler/XRef.cc splash/SplashBitmap.cc splash/Splash.cc splash/SplashErrorCodes.h

2009-10-16 Thread Albert Astals Cid
 poppler/Stream.cc |4 
 poppler/XRef.cc   |   19 +++
 splash/Splash.cc  |7 +++
 splash/SplashBitmap.cc|   37 ++---
 splash/SplashErrorCodes.h |4 +++-
 5 files changed, 59 insertions(+), 12 deletions(-)

New commits:
commit 1082e1671afd8ab91583dabc876304008acb021c
Author: Albert Astals Cid 
Date:   Fri Oct 16 23:17:22 2009 +0200

Some "security" fixes based on newly released Xpdf 3.02pl4

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 7137c5e..6634317 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -405,6 +405,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int 
nCompsA, int nBitsA) {
   } else {
 imgLineSize = nVals;
   }
+  if (width > INT_MAX / nComps) {
+// force a call to gmallocn(-1,...), which will throw an exception
+imgLineSize = -1;
+  }
   imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
   imgIdx = nVals;
 }
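Review bot: `width > INT_MAX / nComps` divides by `nComps` without first checking it, so `nComps == 0` is a division by zero and a negative `nComps` makes the comparison meaningless; `if (nComps <= 0 || width > INT_MAX / nComps)` covers both. The test also runs after `imgLineSize` has been derived from `nVals`, whose computation is outside this hunk, so any overflow in `width * nComps` has presumably already occurred by this point. The constructor starts outside the hunk.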
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 832a038..e5fd92a 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -76,6 +76,8 @@ public:
   // generation 0.
   ObjectStream(XRef *xref, int objStrNumA);
 
+  GBool isOk() { return ok; }
+
   ~ObjectStream();
 
   // Return the object number of this object stream.
@@ -91,6 +93,7 @@ private:
   int nObjects;// number of objects in the stream
   Object *objs;// the objects (length = nObjects)
   int *objNums;// the object numbers (length = 
nObjects)
+  GBool ok;
 };
 
 ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
   nObjects = 0;
   objs = NULL;
   objNums = NULL;
+  ok = gFalse;
 
   if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
 goto err1;
@@ -129,11 +133,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
 goto err1;
   }
 
-  if (nObjects >= INT_MAX / (int)sizeof(int)) {
-error(-1, "Invalid 'nObjects'");
+  // this is an arbitrary limit to avoid integer overflow problems
+  // in the 'new Object[nObjects]' call (Acrobat apparently limits
+  // object streams to 100-200 objects)
+  if (nObjects > 100) {
+error(-1, "Too many objects in an object stream");
 goto err1;
   }
- 
   objs = new Object[nObjects];
   objNums = (int *)gmallocn(nObjects, sizeof(int));
   offsets = (int *)gmallocn(nObjects, sizeof(int));
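Review bot: The new limit `nObjects > 100` is the lower end of the range its own comment gives ("Acrobat apparently limits object streams to 100-200 objects"), so an object stream with, say, 150 objects that may be valid by that comment would be rejected here. A bound tied to what is being protected, such as keeping the old `nObjects >= INT_MAX / (int)sizeof(int)` test next to a documented named constant, would avoid refusing such documents. Whether `nObjects <= 0` is rejected before this point is not visible in the hunk. The constructor continues outside the hunk.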
@@ -190,10 +196,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
   }
 
   gfree(offsets);
+  ok = gTrue;
 
  err1:
   objStr.free();
-  return;
 }
 
 ObjectStream::~ObjectStream() {
@@ -970,6 +976,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) {
delete objStr;
   }
   objStr = new ObjectStream(this, e->offset);
+  if (!objStr->isOk()) {
+   delete objStr;
+   objStr = NULL;
+   goto err;
+  }
 }
 objStr->getObject(e->gen, num, obj);
 break;
diff --git a/splash/Splash.cc b/splash/Splash.cc
index a1deb85..834cb10 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -27,6 +27,7 @@
 
 #include 
 #include 
+#include 
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashMath.h"
@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(SplashImageMaskSource 
src, void *srcData,
   xq = w % scaledWidth;
 
   // allocate pixel buffer
+  if (yp < 0 || yp > INT_MAX - 1) {
+return splashErrBadArg;
+  }
   pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
 
   // initialize the pixel pipe
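Review bot: The new `yp` guard has no comment saying what it protects, and `yp > INT_MAX - 1` reads like a range test although it can only be true for `yp == INT_MAX`. A one-line comment above it would make the intent clear to the next reader, for example `// yp + 1 is the row count passed to gmallocn; reject negative yp and yp == INT_MAX so it cannot overflow`. The same applies to the identical guard added in `Splash::drawImage` in the next hunk. Both functions start and end outside their hunks, so it is not visible whether anything allocated earlier needs releasing before the early `return splashErrBadArg;`.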
@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImageSource src, void 
*srcData,
   xq = w % scaledWidth;
 
   // allocate pixel buffers
+  if (yp < 0 || yp > INT_MAX - 1) {
+return splashErrBadArg;
+  }
   colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
   if (srcAlpha) {
 alphaBuf = (Guchar *)gmallocn((yp + 1), w);
diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc
index 2337a62..999efd1 100644
--- a/splash/SplashBitmap.cc
+++ b/splash/SplashBitmap.cc
@@ -29,6 +29,7 @@
 
 #include 
 #include 
+#include 
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashBitmap.h"
@@ -48,26 +49,48 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, int 
rowPad,
   mode = modeA;
   switch (mode) {
   case splashModeMono1:
-rowSize = (width + 7) >> 3;
+if (width > 0) {
+  rowSize = (width + 7) >> 3;
+} else {
+  rowSize = -1;
+}
 break;
   case splashModeMono8:
-rowSize = width;
+if (width > 0) {
+  rowSize = width;
+} else {
+  rowSize = -1;
+}
 break;
   case splashModeRGB8:
   case splashModeBGR8:
-rowSize = width * 3;
+if (width > 0 && width <= INT_MAX / 3) {
+  rowSize = width * 3;
+} else {
+  rowSize = -1;
+}
 break;
   case splashModeXBGR8:
-rowSize = width * 4;
+if (width > 0 && width <= INT_MAX / 4) {
+  rowSize = width * 4;
+} else {
+  rowSize = -1;
+}
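Review bot: In the `splashModeMono1` case the new test is only `width > 0`, so `(width + 7) >> 3` can still overflow `int` when `width` is within 7 of `INT_MAX`. The RGB8/BGR8 and XBGR8 cases bound `width` from above, but this one does not. `if (width > 0 && width <= INT_MAX - 7) {` would make it consistent with them. The `rowSize = -1` sentinel relies on code after the switch to reject it, which cannot be confirmed because the hunk is cut off on this page after the XBGR8 case.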
 

[poppler] poppler/Stream.cc

2009-10-16 Thread Albert Astals Cid
 poppler/Stream.cc |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit c2458275e02f56226779b82d73c13defcbbda563
Author: Glenn Ganz 
Date:   Fri Oct 16 20:54:32 2009 +0200

fix constructor of DCTStream

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 01efcd6..7137c5e 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -18,6 +18,7 @@
 // Copyright (C) 2007 Krzysztof Kowalczyk 
 // Copyright (C) 2008 Julien Rebetez 
 // Copyright (C) 2009 Carlos Garcia Campos 
+// Copyright (C) 2009 Glenn Ganz 
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -2030,7 +2031,7 @@ static const int dctZigZag[64] = {
   63
 };
 
-DCTStream::DCTStream(Stream *strA, GBool colorXformA):
+DCTStream::DCTStream(Stream *strA, int colorXformA):
 FilterStream(strA) {
   int i, j;
 


[poppler] poppler/Stream.cc

2008-08-02 Thread Albert Astals Cid
 poppler/Stream.cc |1 -
 1 file changed, 1 deletion(-)

New commits:
commit 66b34c78943be598778a3ef438b0cefac668c6a2
Author: Albert Astals Cid <[EMAIL PROTECTED]>
Date:   Sat Aug 2 13:54:34 2008 +0200

This should not be here, breaks jpeg rendering when not using libjpeg

That was included erroneously when the file writing code was added

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 667a3e3..b8dd39a 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -2050,7 +2050,6 @@ void DCTStream::unfilteredReset() {
   numQuantTables = 0;
   numDCHuffTables = 0;
   numACHuffTables = 0;
-  colorXform = 0;
   gotJFIFMarker = gFalse;
   gotAdobeMarker = gFalse;
   restartInterval = 0;


[poppler] poppler/Stream.cc

2007-11-08 Thread Albert Astals Cid
 poppler/Stream.cc |   21 +++--
 1 file changed, 15 insertions(+), 6 deletions(-)

New commits:
commit 1b3f045a25e5d172357bc87c15ba591c8e1511a7
Author: Albert Astals Cid <[EMAIL PROTECTED]>
Date:   Thu Nov 8 23:34:07 2007 +0100

Move another gmallocn to gmallocn_checkoverflow. Fixes crashes on incorrect 
pdf sent by Red Hat

diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 85d46bf..3e44e27 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -1261,14 +1261,18 @@ CCITTFaxStream::CCITTFaxStream(Stream *strA, int 
encodingA, GBool endOfLineA,
   // ---> max codingLine size = columns + 1
   // refLine has one extra guard entry at the end
   // ---> max refLine size = columns + 2
-  codingLine = (int *)gmallocn(columns + 1, sizeof(int));
-  refLine = (int *)gmallocn(columns + 2, sizeof(int));
+  codingLine = (int *)gmallocn_checkoverflow(columns + 1, sizeof(int));
+  refLine = (int *)gmallocn_checkoverflow(columns + 2, sizeof(int));
 
-  eof = gFalse;
+  if (codingLine != NULL && refLine != NULL) {
+eof = gFalse;
+codingLine[0] = columns;
+  } else {
+eof = gTrue;
+  }
   row = 0;
   nextLine2D = encoding < 0;
   inputBits = 0;
-  codingLine[0] = columns;
   a0i = 0;
   outputBits = 0;
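Review bot: `columns + 1` and `columns + 2` are evaluated in `int` before `gmallocn_checkoverflow` receives them, so the allocator's overflow check cannot catch a wrap in the count itself when `columns` is close to `INT_MAX`. No range check on `columns` is visible in this hunk; one may exist above it, since the constructor starts outside the hunk. If there is none, a guard before the two allocations, for example `if (columns < 1 || columns > INT_MAX - 2) { columns = 1; }`, would close that gap. After this change `eof = gTrue` is the only thing standing between a failed allocation and a NULL `codingLine`/`refLine` dereference, so every reader of those arrays has to test `eof` first.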
 
@@ -1285,11 +1289,16 @@ void CCITTFaxStream::reset() {
   short code1;
 
   str->reset();
-  eof = gFalse;
+
+  if (codingLine != NULL && refLine != NULL) {
+eof = gFalse;
+codingLine[0] = columns;
+  } else {
+eof = gTrue;
+  }
   row = 0;
   nextLine2D = encoding < 0;
   inputBits = 0;
-  codingLine[0] = columns;
   a0i = 0;
   outputBits = 0;
   buf = EOF;
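Review bot: The NULL-buffer block added to `reset()` is a copy of the one added to the constructor in the previous hunk, and the two must stay identical for `eof` to keep guarding the `codingLine[0] = columns;` write. A small private helper called from both places would keep them in sync if the allocation logic changes again. `reset()` continues past the end of the hunk.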


[poppler] poppler/poppler: Stream.cc,1.14,1.15 Stream.h,1.10,1.11

2007-01-13 Thread Albert Astals Cid
Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv15199/poppler

Modified Files:
Stream.cc Stream.h 
Log Message:
* poppler/Stream.h:
* poppler/Stream.cc: Remove MemStream::setNeedFree method i really did
not need it
* qt4/src/poppler-document.cc:
* qt4/src/poppler-link.cc:
* qt4/src/poppler-page.cc:
* qt4/src/poppler-private.h: Make Document::loadFromData work on
documents with a password and don't need to do a malloc and a memcpy.


Index: Stream.cc
===
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- Stream.cc   13 Jan 2007 17:56:07 -  1.14
+++ Stream.cc   13 Jan 2007 23:19:21 -  1.15
@@ -806,11 +806,6 @@
   }
 }
 
-void MemStream::setNeedFree(GBool needsFree)
-{
-  needFree = needsFree;
-}
-
 //
 // EmbedStream
 //

Index: Stream.h
===
RCS file: /cvs/poppler/poppler/poppler/Stream.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- Stream.h13 Jan 2007 17:56:07 -  1.10
+++ Stream.h13 Jan 2007 23:19:21 -  1.11
@@ -318,7 +318,6 @@
   virtual void moveStart(int delta);
   virtual void doDecryption(Guchar *fileKey, int keyLength,
int objNum, int objGen);
-  void setNeedFree(GBool needsFree);
 
 private:
 



[poppler] poppler/poppler: Stream.cc,1.13,1.14 Stream.h,1.9,1.10

2007-01-13 Thread Albert Astals Cid
Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv29307/poppler

Modified Files:
Stream.cc Stream.h 
Log Message:
* poppler/Stream.h:
* poppler/Stream.cc: Add MemStream::setNeedFree method
* qt4/src/poppler-document.cc:
* qt4/src/poppler-private.h:
* qt4/src/poppler-qt4.h: Add Document::loadFromData method


Index: Stream.cc
===
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- Stream.cc   27 Jul 2006 18:17:50 -  1.13
+++ Stream.cc   13 Jan 2007 17:56:07 -  1.14
@@ -806,6 +806,11 @@
   }
 }
 
+void MemStream::setNeedFree(GBool needsFree)
+{
+  needFree = needsFree;
+}
+
 //
 // EmbedStream
 //
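Review bot: `MemStream::setNeedFree` is added without any comment on buffer ownership, although it lets a caller change `needFree` after construction. That flag presumably decides whether the stream frees its buffer when destroyed (the destructor is not visible here). If so, a wrong call means either a leak or a free of memory the caller still owns, so the contract should be written down at the definition, for example `// When needsFree is true the stream takes ownership of its buffer and the caller must not free it`.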

Index: Stream.h
===
RCS file: /cvs/poppler/poppler/poppler/Stream.h,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- Stream.h28 Feb 2006 19:59:58 -  1.9
+++ Stream.h13 Jan 2007 17:56:07 -  1.10
@@ -318,6 +318,7 @@
   virtual void moveStart(int delta);
   virtual void doDecryption(Guchar *fileKey, int keyLength,
int objNum, int objGen);
+  void setNeedFree(GBool needsFree);
 
 private:
 



[poppler] poppler/poppler: Stream.cc,1.12,1.13

2006-07-27 Thread Albert Astals Cid
Update of /cvs/poppler/poppler/poppler
In directory kemper:/tmp/cvs-serv1936/poppler

Modified Files:
Stream.cc 
Log Message:
* poppler/Stream.cc: If you are going to test a variable, better
initialize it first ;-) Fixes bug 7646



Index: Stream.cc
===
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- Stream.cc   28 Feb 2006 19:59:58 -  1.12
+++ Stream.cc   27 Jul 2006 18:17:50 -  1.13
@@ -421,13 +421,13 @@
   predLine = NULL;
   ok = gFalse;
 
+  nVals = width * nComps;
   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
   nComps >= INT_MAX/nBits ||
   width >= INT_MAX/nComps/nBits ||
   nVals * nBits + 7 < 0) {
 return;
   }
-  nVals = width * nComps;
   totalBits = nVals * nBits;
   if (totalBits == 0 ||
   (totalBits / nBits) / nComps != width ||
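Review bot: Moving `nVals = width * nComps;` above the `if` does initialise the variable before it is tested, but the multiplication now runs before `width` and `nComps` have been range-checked. Both that product and the `nVals * nBits + 7 < 0` test depend on signed overflow wrapping, which is undefined behaviour in C++ and may be optimised away. Checking the operands first and testing the bound by division avoids this. Keep `width <= 0 || nComps <= 0 || nBits <= 0 || width >= INT_MAX / nComps` in a first `if`, assign `nVals` after it, then test `nVals >= (INT_MAX - 7) / nBits`. The enclosing function starts and ends outside the hunk.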
